The LAN Blocking feature enables the Cato Client to route all traffic to the Cato Cloud, and block the Client from connecting to a LAN host in the remote network. You can configure LAN Blocking for the entire account or for individual SDP users.
When the SDP user's LAN and the resources behind a site have overlapping subnets, the Client can't access a remote host that has the same IP address as a local host. For example, if a local printer and a server behind a site both have the IP address 192.168.1.4, then the Client can't connect to the server.
When LAN Blocking is enabled, the Client automatically routes all traffic to the Cato Cloud and blocks traffic to any hosts on the LAN for the remote network. However, the device can still receive inbound traffic from hosts on the same LAN. For example, Host ABC is on the same LAN as the device, and it initiates ICMP traffic to the device. The Client will allow the traffic, and then the device will process it. However, the Client routes the return ICMP traffic to the Cato Cloud, and Host ABC doesn't receive a response.
When the Client is in Office Mode and connected to the local network for the site, then LAN Blocking is disabled.
Note: Cato Clients support only IPv4 traffic. In some cases unsupported IPv6 traffic can still have connectivity, but once LAN Blocking is enabled, the Client automatically blocks all IPv6 traffic. Be aware that enabling this feature can have an impact on the user experience.
Supported for Windows Client v5.3 and higher
- Windows Client v5.6 and higher support LAN Blocking with Split Tunnel exclude traffic (see below)
For other Client OS and versions, Split Tunnel is not supported when LAN Blocking is enabled
Split Tunnel settings are ignored when LAN Blocking is enabled either for the entire account or for individual SDP users.
For example, if LAN Blocking is disabled for an SDP user, that user can use the Split Tunnel feature even though LAN Blocking is enabled for the account.
LAN Blocking with Split Tunnel Exclude Traffic
You can use Split Tunnel Exclude rules to define IP addresses and ranges that are excluded from the SDP tunnel even though LAN Blocking is enabled. All LAN traffic is routed to the Cato Cloud using the SDP tunnel except for the ranges defined in the Exclude rules.
When LAN Blocking is enabled, the Client ignores Split Tunnel Include rules. The LAN traffic is already routed to the Cato Cloud as part of the LAN Blocking feature. If LAN Blocking is disabled for specific SDP users, then the Split Tunnel Include rules are applied to them.
For more about configuring a Split Tunnel Exclude rule, see Configuring Split Tunnel for SDP Clients.
Use the Split Tunnel screen to enable or disable LAN Blocking for the entire account or for individual SDP users. By default, LAN Blocking is disabled.
You can override the LAN Blocking settings for an SDP user. This setting only applies to LAN Blocking and has no impact on the Split Tunnel settings for the user.
To configure LAN Blocking for a specific SDP user:
1. From the navigation menu, click Access > Users and select a user.
2. From the navigation menu, select User Configuration > Split Tunnel.
3. In the Split Tunnel screen, select Override account settings.
4. Configure the LAN Blocking settings for the user:
   - If LAN Blocking is enabled for the account, clear Enable LAN Blocking to disable LAN Blocking for this user.
   - If LAN Blocking is disabled for the account, select Enable LAN Blocking to enable LAN Blocking for this user.
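The routing behavior and per-user override described on this page can be checked against a planned configuration with a small model. This is an added example, not Cato Client code: the function names, result labels and sample addresses are constructed, and it assumes no Split Tunnel Include rules are configured when LAN Blocking is off.

```python
import ipaddress

# Simplified model of the behaviour this page describes; not Cato Client code.
def effective_lan_blocking(account_enabled, user_override=None):
    """user_override is None unless 'Override account settings' is selected."""
    return account_enabled if user_override is None else user_override

def route(dst, lan_blocking, local_lan, exclude_rules=()):
    """Return where the Client sends an outbound packet addressed to dst."""
    ip = ipaddress.ip_address(dst)
    if ip.version == 6:
        # Clients support IPv4 only; LAN Blocking blocks all IPv6 traffic.
        return "blocked" if lan_blocking else "unsupported-ipv6"
    # Split Tunnel Exclude ranges stay outside the SDP tunnel even with
    # LAN Blocking enabled (Windows Client v5.6 and higher).
    if any(ip in ipaddress.ip_network(rule) for rule in exclude_rules):
        return "outside-tunnel"
    if lan_blocking:
        # All traffic, LAN included, goes to the Cato Cloud. This also covers
        # the ICMP reply to a LAN host: the reply never reaches that host.
        return "tunnel"
    # LAN Blocking off: a local address wins over the same address behind a
    # site (the overlapping-subnet case). Assumption: no Include rules set.
    return "local-lan" if ip in ipaddress.ip_network(local_lan) else "tunnel"

def report(account_enabled, user_override, local_lan, exclude_rules, destinations):
    """Map each destination to its routing decision for one SDP user."""
    enabled = effective_lan_blocking(account_enabled, user_override)
    return {d: route(d, enabled, local_lan, exclude_rules) for d in destinations}

if __name__ == "__main__":
    # Constructed sample values: user's home LAN, one excluded host, test hosts.
    LAN = "192.168.1.0/24"
    EXCLUDE = ["192.168.1.200/32"]
    DESTS = ["192.168.1.4", "192.168.1.50", "192.168.1.200", "10.20.0.8", "fe80::1"]
    cases = [("account enabled, no override", True, None),
             ("account enabled, user override disables", True, False)]
    for label, account, override in cases:
        print(label)
        for dst, decision in report(account, override, LAN, EXCLUDE, DESTS).items():
            print(f"  {dst:15} -> {decision}")
```
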