For more information about routing traffic for remote users, see Routing with the Cato Client (Split Tunnel Policy).
Overview
For remote users connected with the Cato Client, the Split Tunnel policy controls which traffic is routed through the Cato Cloud and which traffic bypasses the tunnel. Use include and exclude rules to define the specific destinations that are routed through the Client tunnel.
When users are behind a Cato site, the Split Tunnel policy only applies if they are connected with the Client and are not in Office Mode. In Office Mode, users are not treated as remote users, and the Split Tunnel policy does not apply to their traffic.
Destination-Based Split Tunnel Routing
The Split Tunnel policy supports these routing options:
- Route all traffic through the Cato Cloud and exclude specific destinations (such as trusted SaaS services)
- Route most traffic directly to the Internet and include only selected destinations for inspection
Destination-based rules support applications, IP ranges, domains, and FQDNs, giving you precise control over which traffic is secured by the Cato Cloud and which traffic bypasses the tunnel.
When you use Domain and FQDN objects to define which traffic from remote users connected with the Client is included in or excluded from the Cato Cloud:
- Domain - Use Domain objects to match a domain and all its subdomains (for example, example.com matches app.example.com and login.example.com)
- FQDN - Use FQDN objects to target specific hosts (for example, only app.example.com)
For configurations where you route all the remote user traffic to the Cato Cloud, you can define exceptions to bypass the Cato Cloud tunnel and connect directly to the destination. This lets you maintain security inspection in the Cato Cloud while optimizing access to trusted services.
For example, you may want traffic to a SaaS service such as office.com to bypass the tunnel for performance reasons. DNS queries for the domain are still inspected by the Cato Cloud. After the domain is resolved, the traffic connects directly to the destination.
Split Tunnel exceptions include the following options:
- DNS Exclusions – Define domains that are resolved by a local DNS server instead of through the Cato Cloud, such as internal applications that you want to access directly
- Destination Exclusions – Define applications, domains, FQDNs (EA), or IP ranges that bypass the tunnel, such as trusted applications or services that users access directly
Note: When creating a rule with an exclusion, you must explicitly specify the operating system as Windows.
The following procedure outlines how to configure a rule that sends all of your traffic to Cato while excluding local DNS traffic and a destination defined by an FQDN.
To customize the traffic that is excluded from the Cato Cloud:
- From the navigation menu, click Access > Split Tunnel Policy.
- Create a new rule and configure the settings for: General, Users/Groups, Platforms, Source Network, and Countries. For more information, see Routing with the Cato Client (Split Tunnel Policy).
- In the Configuration section, under Select Connection Mode, select All Ports & Protocols.
- Under Routing Policy, select Route all to Cato.
- In the Define Routing Exceptions section, define the traffic that bypasses the tunnel:
- Under DNS Exclusions, enter one or more domains to be resolved by your local DNS server.
- Under Destination Exclusions, configure one or more destinations and types that go directly to the destination. Traffic to these destinations goes directly to its destination and not through Cato.
- Click Save.
When creating a Split Tunnel rule, you can set the routing policy so that, by default, traffic is not routed to Cato, and then define only the specific traffic that is routed to Cato for inspection. This is useful, for example, when most of your network traffic goes to a third-party solution but you want to route specific traffic to a remote data center through Cato.
Currently, with Route only selected to Cato, all traffic is resolved using Cato DNS.
Note: When creating a rule to include traffic, you must explicitly specify the operating system as Windows.
The following procedure outlines how to configure a rule that sends only specific traffic destinations to the Cato Cloud, while the rest is routed to your third-party solution.
To customize which traffic is routed to Cato:
- From the navigation menu, click Access > Split Tunnel Policy.
- Create a new rule and configure the settings for: General, Users/Groups, Platforms, Source Network, and Countries. For more information, see Routing with the Cato Client (Split Tunnel Policy).
- In the Configuration section, under Select Connection Mode, select All Ports & Protocols or Web Only.
- Under Choose Routing Policy, select Route only selected to Cato.
- In the Define Routing Selections section, under Destination Inclusions, add the items that are routed to Cato for additional security checks.
- Click Save.
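As an added illustration (not Cato's own code or logic), here is a simplified model of how a single Split Tunnel rule could decide where a host's DNS query and its traffic go, using the Domain/FQDN matching semantics and the two routing policies described above. The class and function names are this example's own, it covers only domain and FQDN destinations (not applications or IP ranges), and it assumes a DNS exclusion only changes which resolver is used.

```python
# Constructed model of Split Tunnel routing decisions; not Cato's implementation.
# Domain object: matches the domain and all its subdomains.
# FQDN object: matches exactly one host.
from dataclasses import dataclass, field

def domain_matches(obj: str, host: str) -> bool:
    """True if host is the Domain object itself or any subdomain of it."""
    obj, host = obj.lower().rstrip("."), host.lower().rstrip(".")
    return host == obj or host.endswith("." + obj)   # dot boundary: notexample.com != example.com

def fqdn_matches(obj: str, host: str) -> bool:
    """True only for an exact host match; subdomains are not covered."""
    return obj.lower().rstrip(".") == host.lower().rstrip(".")

@dataclass
class SplitTunnelRule:
    route_all_to_cato: bool  # False models "Route only selected to Cato"
    dns_exclusions: list = field(default_factory=list)          # domains resolved by local DNS
    destination_exclusions: list = field(default_factory=list)  # (kind, value) that bypass the tunnel
    destination_inclusions: list = field(default_factory=list)  # (kind, value) sent to Cato

def _matches_any(entries, host: str) -> bool:
    return any((domain_matches if kind == "domain" else fqdn_matches)(value, host)
               for kind, value in entries)

def route(rule: SplitTunnelRule, host: str) -> dict:
    """Return {'dns': resolver used, 'traffic': path taken} for one destination host."""
    if rule.route_all_to_cato:
        # Route all to Cato: only the listed exceptions leave the tunnel.
        local_dns = any(domain_matches(d, host) for d in rule.dns_exclusions)
        # A destination exclusion bypasses the tunnel, but its DNS query is still
        # resolved through (and inspected by) the Cato Cloud, as the article states.
        direct = _matches_any(rule.destination_exclusions, host)
        return {"dns": "local" if local_dns else "cato",
                "traffic": "direct" if direct else "cato"}
    # Route only selected to Cato: everything resolves via Cato DNS, and only
    # destination inclusions are tunneled; all other traffic goes direct.
    to_cato = _matches_any(rule.destination_inclusions, host)
    return {"dns": "cato", "traffic": "cato" if to_cato else "direct"}

if __name__ == "__main__":
    # Constructed rule: route all to Cato, bypass office.com and one exact host.
    rule = SplitTunnelRule(True, dns_exclusions=["corp.internal"],
                           destination_exclusions=[("domain", "office.com"),
                                                   ("fqdn", "app.example.com")])
    for h in ("login.office.com", "app.example.com", "login.example.com", "notoffice.com"):
        print(h, route(rule, h))
```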
5 comments
Will this be available for the Mac platform?
Can split tunnel policies be used for users behind physical Cato branches?
Shahbaz khan, good question! Split Tunnel policy is enforced by the Cato Client and is only for remote user traffic. Technically, it would also apply to remote users behind a site that are in Office Mode. Otherwise, the Client does not route traffic for users behind a site.
Yaakov,
To confirm - any split tunnel rule based on domain/fqdn WILL work for both remote clients AND those behind a socket? I thought I had seen some docs that said the solution only worked for remote users? I would be very happy to find I am wrong. :)
Gordon Sandlin - thanks for the question, I added an Overview to help clarify the issue.
Split Tunnel Policy determines how the Client routes traffic. When a user is behind a site (Socket or IPsec), the user is only treated as a remote user if they are NOT in Office Mode. If they are a site-based user, then the PoP routes the traffic, which is controlled by the Network Rule policy.
Hope this is clear.