LAN Blocking for the Windows Client

Overview of LAN Blocking

The LAN Blocking feature enables the Cato Client to route all traffic to the Cato Cloud, and block the Client from connecting to a LAN host in the remote network. You can configure LAN Blocking for the entire account or for individual SDP users.

When there are overlapping subnets between the SDP user's LAN and with the resources behind a site, then the Client can't access a remote host that has the same IP address as a local host. For example, if a local printer and a server behind a site both have the IP address 192.168.1.4, then the Client can't connect to the server.

When LAN Blocking is enabled, the Client automatically routes all traffic to the Cato Cloud and blocks traffic to any hosts on the LAN for the remote network. However, the device can still receive inbound traffic from hosts on the same LAN. For example, Host ABC is on the same LAN as the device, and it initiates ICMP traffic to the device. The Client will allow the traffic, and then the device will process it. However, the Client routes the return ICMP traffic to the Cato Cloud, and Host ABC doesn't receive a response.

When the Client is in Office Mode and connected to the local network for the site, then LAN Blocking is disabled.

Note

Note: Cato Clients only support IPv4 traffic. In some cases there can be connectivity for unsupported IPv6 traffic, and once LAN Blocking is enabled, the Client will automatically block all IPv6 traffic. So please be aware that enabling this feature can have an impact on the user experience.

Known Limitations

Supported for Windows Client v5.3 and higher
Windows Client v5.6 and higher support LAN Blocking with Split Tunnel exclude traffic (see below)
For other Client OS and versions, Split Tunnel is not supported when LAN Blocking is enabled
- Split Tunnel settings are ignored when LAN Blocking is enabled either for the entire account or for individual SDP users.
  
  For example, if LAN Blocking is disabled for an SDP user, that user can use the Split Tunnel feature even though LAN Blocking is enabled for the account.

LAN Blocking with Split Tunnel Exclude Traffic

You can use Split Tunnel Exclude rules to define IP addresses and ranges that are excluded from the SDP tunnel even though LAN Blocking is enabled. All LAN traffic is routed to the Cato Cloud using the SDP tunnel except for the ranges defined in the Exclude rules.

When LAN Blocking is enabled, the Client ignores Split Tunnel Include rules. The LAN traffic is already routed to the Cato Cloud as part of the LAN Blocking feature. If LAN Blocking is disabled for specific SDP users, then the Split Tunnel Include rules are applied to them.

For more about configuring a Split Tunnel Exclude rule, see Configuring Split Tunnel for SDP Clients.

Configuring LAN Blocking

Use the Split Tunnel screen to enable or disable LAN Blocking for the entire account or for individual SDP users. By default, LAN Blocking is disabled.

Configuring LAN Blocking for the Entire Account

To enable LAN Blocking for the account:

From the navigation section, select Access > Client Access.
Expand the Split Tunnel section.
Select Enable LAN Blocking.
Click Save.

Configuring LAN Blocking for Specific SDP Users

You can override the LAN Blocking settings for an SDP user, this setting only applies to LAN Blocking and has no impact on the Split Tunnel settings for the user.

To configure LAN Blocking for a specific SDP user:

From the navigation menu, click Access > Users and select a user.
From the navigation menu, select User Configuration > Split Tunnel.
In the Split Tunnel screen, select Override account settings.
Configure the LAN Blocking settings for the user:
1. If LAN Blocking is enabled for the account, clear Enable LAN Blocking to disable LAN Blocking for this user.
2. If LAN Blocking is disabled for the account, select Enable LAN Blocking to enable LAN Blocking for this user.
Click Save.

6 comments

Brian Isenstein
- December 05, 2022 22:36
Ok, this is an awesome feature. Just saved us when a client site had implemented a /8 subnet on their guest wifi network.
Dermot - Community Manager Community manager
- December 06, 2022 06:21
Hello Brian!

Thank you very much for your feedback on this feature! I will make sure that my colleagues who worked on this feature are made aware of your comment.

We welcome all feedback on features regardless of whether it is positive or negative. This is the reason why we have just introduced our online community. We hope that the community (aka People PoP) will make it easier for our customers to "talk" to us and other customers about Cato's services.

Kind Regards,

Dermot Doran (Cato Networks Community Manager)
Yaakov Simon
- February 01, 2023 14:56
Added LAN Blocking with Split Tunnel Exclude Traffic which is supported for Windows Client v5.6 and higher
JM
- July 15, 2023 13:07
Will enabling LAN Blocking effectively be like a local firewall blocking all attempts to exploit vulnerabilities/open ports from a malicious actor on the local network, e.g. when on a Starbucks wifi?
Dermot - Community Manager Community manager
- August 04, 2023 12:00
This is not how we would like you to view the feature. LAN blocking does not inspect traffic from devices on the LAN as a firewall would. Hence, it should not be likened to a firewall protecting the host from malicious actors present on the LAN. We will update the KB to make this clearer. Thank you for asking this question!
JM
- November 29, 2023 07:02
But, as the return traffic for requests from the local subnet will be routed out through Cato it does in effect block all all local IPv4 attacks?