Cato Networks Knowledge Base

LAN Blocking for the Windows Client

Overview of LAN Blocking

The LAN Blocking feature enables the Cato Client to route all traffic to the Cato Cloud, and block the Client from connecting to a LAN host in the remote network. You can configure LAN Blocking for the entire account or for individual SDP users.

When the SDP user's LAN and the resources behind a site use overlapping subnets, the Client can't access a remote host that has the same IP address as a local host. For example, if a local printer and a server behind a site both have the IP address 192.168.1.4, then the Client can't connect to the server.

When LAN Blocking is enabled, the Client automatically routes all traffic to the Cato Cloud and ignores any hosts on the LAN for the remote network. When the Client is in Office Mode and connected to the local network for the site, then LAN Blocking is disabled.

Note: Cato Clients only support IPv4 traffic. In some cases there can be connectivity for unsupported IPv6 traffic, and once LAN Blocking is enabled, the Client will automatically block all IPv6 traffic. So please be aware that enabling this feature can have an impact on the user experience.

Known Limitations

  • Supported for Windows Client v5.3 and higher

  • Windows Client v5.6 and higher support LAN Blocking with Split Tunnel exclude traffic (see below)
  • For other Client OS and versions, Split Tunnel is not supported when LAN Blocking is enabled

    • Split Tunnel settings are ignored when LAN Blocking is enabled either for the entire account or for individual SDP users.

      For example, if LAN Blocking is disabled for an SDP user, that user can use the Split Tunnel feature even though LAN Blocking is enabled for the account.

LAN Blocking with Split Tunnel Exclude Traffic

You can use Split Tunnel Exclude rules to define IP addresses and ranges that are excluded from the SDP tunnel even though LAN Blocking is enabled. All LAN traffic is routed to the Cato Cloud using the SDP tunnel except for the ranges defined in the Exclude rules.

When LAN Blocking is enabled, the Client ignores Split Tunnel Include rules. The LAN traffic is already routed to the Cato Cloud as part of the LAN Blocking feature. If LAN Blocking is disabled for specific SDP users, then the Split Tunnel Include rules are applied to them.

For more about configuring a Split Tunnel Exclude rule, see Configuring Split Tunnel for SDP Clients.
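The overlap problem from the overview and the Exclude behavior described above can be checked offline before deciding which users need LAN Blocking. The following Python sketch is an added example, not Cato code: it is a simplified model of the behavior this article describes, the function names and the site ranges are constructed for illustration, and it assumes that with LAN Blocking disabled any destination inside the local subnet stays on the LAN.

```python
import ipaddress

def overlapping_ranges(local_lan, site_ranges):
    """Return the site ranges that overlap the SDP user's local LAN subnet."""
    lan = ipaddress.ip_network(local_lan)
    return [r for r in site_ranges if ipaddress.ip_network(r).overlaps(lan)]

def route_decision(dest, local_lan, exclude_ranges=(), lan_blocking=False):
    """Simplified model (assumption, not the Client's implementation).

    Returns one of:
      "lan"       - stays on the local network, shadowing a remote host
      "tunnel"    - routed to the Cato Cloud through the SDP tunnel
      "excluded"  - matches a Split Tunnel Exclude rule, bypasses the tunnel
      "blocked"   - IPv6 while LAN Blocking is enabled
      "unmanaged" - IPv6 while LAN Blocking is disabled (not handled by the Client)
    """
    ip = ipaddress.ip_address(dest)
    if ip.version == 6:
        # The Client supports IPv4 only; LAN Blocking blocks all IPv6 traffic.
        return "blocked" if lan_blocking else "unmanaged"
    if lan_blocking:
        # Exclude rules are the only traffic kept out of the tunnel.
        if any(ip in ipaddress.ip_network(r) for r in exclude_ranges):
            return "excluded"
        return "tunnel"
    if ip in ipaddress.ip_network(local_lan):
        return "lan"
    return "tunnel"

if __name__ == "__main__":
    # Constructed sample data: a home LAN and two ranges behind a site.
    home_lan = "192.168.1.0/24"
    sites = ["192.168.1.0/24", "10.20.0.0/16"]
    server = "192.168.1.4"  # the address used in the article's example

    print("Overlaps:", overlapping_ranges(home_lan, sites))
    print("LAN Blocking off:", route_decision(server, home_lan))
    print("LAN Blocking on: ", route_decision(server, home_lan, lan_blocking=True))
    print("With Exclude rule:", route_decision(
        server, home_lan, exclude_ranges=["192.168.1.4/32"], lan_blocking=True))
    # A wide guest network such as a /8 overlaps far more site ranges.
    print("Guest /8 overlaps:", overlapping_ranges("10.0.0.0/8", sites))
```

An Exclude rule that covers an overlapping address brings the original conflict back for that address, so keep Exclude ranges outside the ranges used behind your sites.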

Configuring LAN Blocking

Use the Split Tunnel screen to enable or disable LAN Blocking for the entire account or for individual SDP users. By default, LAN Blocking is disabled.

Configuring LAN Blocking for the Entire Account

To enable LAN Blocking for the account:

  1. From the navigation section, select Access > Client Access.

  2. Expand the Split Tunnel section.

  3. Select Enable LAN Blocking.

  4. Click Save.

Configuring LAN Blocking for Specific SDP Users

You can override the LAN Blocking settings for an SDP user. This setting only applies to LAN Blocking and has no impact on the Split Tunnel settings for the user.

To configure LAN Blocking for a specific SDP user:

  1. From the navigation menu, click Access > Users and select a user.

  2. From the navigation menu, select User Configuration > Split Tunnel.

  3. In the Split Tunnel screen, select Override account settings.

  4. Configure the LAN Blocking settings for the user:

    1. If LAN Blocking is enabled for the account, clear Enable LAN Blocking to disable LAN Blocking for this user.

    2. If LAN Blocking is disabled for the account, select Enable LAN Blocking to enable LAN Blocking for this user.

  5. Click Save.

Comments

3 comments

  • Comment author
    Brian Isenstein

    Ok, this is an awesome feature.  Just saved us when a client site had implemented a /8 subnet on their guest wifi network.

    0
  • Comment author
    Community Manager The chief of community conversations. Community manager

    Hello Brian!

    Thank you very much for your feedback on this feature!  I will make sure that my colleagues who worked on this feature are made aware of your comment.

    We welcome all feedback on features regardless of whether it is positive or negative.  This is the reason why we have just introduced our online community.  We hope that the community (aka People PoP) will make it easier for our customers to "talk" to us and other customers about Cato's services.  

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager)

    0
  • Comment author
    Yaakov Simon

    Added LAN Blocking with Split Tunnel Exclude Traffic  which is supported for Windows Client v5.6 and higher

    0