Cato Networks Knowledge Base

LAN Blocking for the Windows Client

Overview of LAN Blocking

The LAN Blocking feature enables the Cato Client to route all traffic to the Cato Cloud, and block the Client from connecting to a LAN host in the remote network. You can configure LAN Blocking for the entire account or for individual SDP users.

When there are overlapping subnets between the SDP user's LAN and with the resources behind a site, then the Client can't access a remote host that has the same IP address as a local host. For example, if a local printer and a server behind a site both have the IP address 192.168.1.4, then the Client can't connect to the server.

When LAN Blocking is enabled, the Client automatically routes all traffic to the Cato Cloud and ignores any hosts on the LAN for the remote network. When the Client is in Office Mode and connected to the local network for the site, then LAN Blocking is disabled.

Note

Note: Cato Clients only support IPv4 traffic. In some cases there can be connectivity for unsupported IPv6 traffic, and once LAN Blocking is enabled, the Client will automatically block all IPv6 traffic. So please be aware that enabling this feature can have an impact on the user experience.

Known Limitations

  • Supported for Windows Client v5.3 and higher

  • Split Tunnel is not supported when LAN Blocking is enabled

    • Split Tunnel settings are ignored when LAN Blocking is enabled either for the entire account or for individual SDP users.

      For example, if LAN Blocking is disabled for an SDP user, that user can use the Split Tunnel feature even though LAN Blocking is enabled for the account.

Configuring LAN Blocking

Use the Split Tunnel screen to enable or disable LAN Blocking for the entire account or for individual SDP users. By default, LAN Blocking is disabled.

Configuring LAN Blocking for the Entire Account

EA_LAN_Blocking.png

To enable LAN Blocking for the account:

  1. From the navigation section, select Access > Client Access.

  2. Expand the Split Tunnel section.

  3. Select Enable LAN Blocking.

  4. Click Save.

Configuring LAN Blocking for Specific SDP Users

You can override the LAN Blocking settings for an SDP user, this setting only applies to LAN Blocking and has no impact on the Split Tunnel settings for the user.

To configure LAN Blocking for a specific SDP user:

  1. From the navigation menu, click Access > Users and select a user.

  2. From the navigation menu, select User Configuration > Split Tunnel.

  3. In the Split Tunnel screen, select Override account settings.

  4. Configure the LAN Blocking settings for the user:

    1. If LAN Blocking is enabled for the account, clear Enable LAN Blocking to disable LAN Blocking for this user.

    2. If LAN Blocking is disabled for the account, select Enable LAN Blocking to enable LAN Blocking for this user.

  5. Click Save.

Was this article helpful?

0 out of 1 found this helpful

Comments

2 comments

  • Comment author
    Brian Isenstein

    Ok, this is an awesome feature.  Just saved us when a client site had implemented a /8 subnet on their guest wifi network.

    0
  • Comment author
    Community Manager The chief of community conversations. Community manager

    Hello Brian!

    Thank you very much for your feedback on this feature!  I will make sure that my colleagues who worked on this feature are made aware of your comment.

    We welcome all feedback on features regardless of whether it is positive or negative.  This is the reason why we have just introduced our online community.  We hope that the community (aka People PoP) will make it easier for our customers to "talk" to us and other customers about Cato's services.  

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager)

    0

Please sign in to leave a comment.