The LAN Blocking feature enables the Cato Client to route all traffic to the Cato Cloud, and block the Client from connecting to a LAN host in the remote network. You can configure LAN Blocking for the entire account or for individual SDP users.
When the SDP user's LAN and the resources behind a site use overlapping subnets, the Client can't access a remote host that has the same IP address as a local host. For example, if a local printer and a server behind a site both have the IP address 192.168.1.4, then the Client can't connect to the server.
When LAN Blocking is enabled, the Client automatically routes all traffic to the Cato Cloud and ignores any hosts on the LAN for the remote network. When the Client is in Office Mode and connected to the local network for the site, then LAN Blocking is disabled.
Note: Cato Clients only support IPv4 traffic. In some cases there can be connectivity for unsupported IPv6 traffic, and once LAN Blocking is enabled, the Client will automatically block all IPv6 traffic. So please be aware that enabling this feature can have an impact on the user experience.
- Supported for Windows Client v5.3 and higher
  - Windows Client v5.6 and higher support LAN Blocking with Split Tunnel exclude traffic (see below)
- For other Client OS and versions, Split Tunnel is not supported when LAN Blocking is enabled
- Split Tunnel settings are ignored when LAN Blocking is enabled either for the entire account or for individual SDP users.
  For example, if LAN Blocking is disabled for an SDP user, that user can use the Split Tunnel feature even though LAN Blocking is enabled for the account.
LAN Blocking with Split Tunnel Exclude Traffic
You can use Split Tunnel Exclude rules to define IP addresses and ranges that are excluded from the SDP tunnel even though LAN Blocking is enabled. All LAN traffic is routed to the Cato Cloud using the SDP tunnel except for the ranges defined in the Exclude rules.
When LAN Blocking is enabled, the Client ignores Split Tunnel Include rules. The LAN traffic is already routed to the Cato Cloud as part of the LAN Blocking feature. If LAN Blocking is disabled for specific SDP users, then the Split Tunnel Include rules are applied to them.
For more about configuring a Split Tunnel Exclude rule, see Configuring Split Tunnel for SDP Clients.
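The routing behaviour described above, as a simplified Python model added here for illustration; it is not Cato's code or the Client's actual logic. The function names, the sample LAN and the Exclude rule are assumptions, and Split Tunnel handling with LAN Blocking disabled is not modelled.

```python
import ipaddress

def lan_blocking_effective(account_enabled, user_override=None, office_mode=False):
    """Resolve the setting as the page describes it: Office Mode disables
    LAN Blocking, and a per-user override wins over the account setting."""
    if office_mode:
        return False
    return account_enabled if user_override is None else user_override

def route(dest, local_lan, exclude_ranges, lan_blocking):
    """Return 'tunnel', 'local-lan', 'excluded', 'blocked' or 'unsupported'
    for one destination (hypothetical labels for this model)."""
    ip = ipaddress.ip_address(dest)
    if ip.version == 6:
        # Clients only support IPv4; LAN Blocking blocks all IPv6 traffic.
        return "blocked" if lan_blocking else "unsupported"
    if lan_blocking:
        # Split Tunnel Include rules are ignored; only Exclude rules apply.
        if any(ip in ipaddress.ip_network(r) for r in exclude_ranges):
            return "excluded"
        return "tunnel"
    # Without LAN Blocking, an on-link LAN address shadows a remote host
    # that has the same IP (the overlapping-subnet problem).
    if ip in ipaddress.ip_network(local_lan):
        return "local-lan"
    return "tunnel"

# Constructed sample values; 192.168.1.4 is the page's printer/server example.
LOCAL_LAN = "192.168.1.0/24"
EXCLUDES = ["192.168.1.50/32"]  # hypothetical Exclude rule for a local device

if __name__ == "__main__":
    for blocking in (False, True):
        for dest in ("192.168.1.4", "192.168.1.50", "10.20.0.8", "2001:db8::1"):
            print(blocking, dest, route(dest, LOCAL_LAN, EXCLUDES, blocking))
```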
Use the Split Tunnel screen to enable or disable LAN Blocking for the entire account or for individual SDP users. By default, LAN Blocking is disabled.

Configuring LAN Blocking for Specific SDP Users
You can override the LAN Blocking settings for an SDP user. This setting only applies to LAN Blocking and has no impact on the Split Tunnel settings for the user.
To configure LAN Blocking for a specific SDP user:
- From the navigation menu, click Access > Users and select a user.
- From the navigation menu, select User Configuration > Split Tunnel.
- In the Split Tunnel screen, select Override account settings.
- Configure the LAN Blocking settings for the user:
  - If LAN Blocking is enabled for the account, clear Enable LAN Blocking to disable LAN Blocking for this user.
  - If LAN Blocking is disabled for the account, select Enable LAN Blocking to enable LAN Blocking for this user.
- Click Save.
Comments
3 comments
Ok, this is an awesome feature. Just saved us when a client site had implemented a /8 subnet on their guest wifi network.
Hello Brian!
Thank you very much for your feedback on this feature! I will make sure that my colleagues who worked on this feature are made aware of your comment.
We welcome all feedback on features regardless of whether it is positive or negative. This is the reason why we have just introduced our online community. We hope that the community (aka People PoP) will make it easier for our customers to "talk" to us and other customers about Cato's services.
Kind Regards,
Dermot Doran (Cato Networks Community Manager)
Added LAN Blocking with Split Tunnel Exclude Traffic which is supported for Windows Client v5.6 and higher