Bypassing the Cato Cloud

This article discusses how to configure a site to bypass the Cato Cloud and egress traffic directly to the Internet.

Bypassing the Cato Cloud

The Bypass screen lets you define bypass rules for traffic that will directly egress to the Internet instead of being routed to the Cato Cloud. Bypassed traffic is not inspected by the Cato Cloud security stack. The Socket continues to apply Bandwidth Profiles and QoS to bypassed traffic.

By default, the Socket automatically chooses the WAN port for the bypass traffic based on performance metrics. The Socket can select different WAN ports for different flows.

Preferred Socket Port

You can assign a preferred Socket WAN port to a bypass rule, and the Socket uses that port to egress the rule's traffic as long as the port has Internet connectivity. If the preferred WAN port loses connectivity, the Socket selects a different WAN port for the traffic.

The Preferred Socket Port feature is supported in Socket v15.0 and higher.


Note: Bypassing Internet traffic is only supported for Socket and vSocket sites.


To define a bypass rule:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, click Site Settings > Bypass.

  3. For the Destination or Source rule, click New. The New Interface panel opens.

  4. Configure the settings for the bypass rule:

    • The Name of the new bypass rule

    • The IP range or IP addresses for the rule

    • (Optional) The traffic protocols that are bypassed: TCP, UDP, ICMP or None (all protocols are allowed)

  5. (Optional) In Preferred Socket Port, select the WAN port that egresses traffic directly to the Internet.

  6. Click Save.
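Because bypassed traffic is not inspected by the Cato Cloud security stack, it is worth reviewing how much each rule covers before saving it. The following is an added example, not Cato code or a Cato export format: it runs over a hand-maintained inventory of bypass rules and flags rules that are broad or unrestricted by protocol. The dict field names, the CIDR notation, the 256-address threshold and the reading of a Source rule as matching on source address are assumptions.

```python
import ipaddress

# Assumed review threshold: more than a /24's worth of addresses in one rule.
MAX_ADDRESSES = 256

def address_count(spec):
    """Count addresses in '1.2.3.4', '1.2.3.0/24' or '1.2.3.4-1.2.3.9'."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if type(first) is not type(last) or int(last) < int(first):
            raise ValueError(f"bad range: {spec}")
        return int(last) - int(first) + 1
    return ipaddress.ip_network(spec.strip(), strict=False).num_addresses

def review_rule(rule):
    """Return findings for one bypass rule; an empty list means nothing flagged."""
    findings = []
    total = sum(address_count(s) for s in rule["addresses"])
    if total > MAX_ADDRESSES:
        findings.append(f"covers {total} addresses (> {MAX_ADDRESSES})")
    # The article lists TCP, UDP, ICMP or None; None means all protocols.
    if rule.get("protocol", "None") == "None":
        findings.append("protocol None: all protocols bypass inspection")
    # Assumption: a Source rule matches on source address, whatever the destination.
    if rule["type"] == "Source":
        findings.append("Source rule: confirm every listed host may skip inspection")
    return findings

def review(rules):
    """Map rule name -> findings, for rules with at least one finding."""
    flagged = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            flagged[rule["name"]] = findings
    return flagged

# Constructed sample inventory (documentation and private address ranges).
SAMPLE_RULES = [
    {"name": "voip-provider", "type": "Destination",
     "addresses": ["198.51.100.10"], "protocol": "UDP"},
    {"name": "guest-wifi", "type": "Source",
     "addresses": ["10.20.0.0/16"], "protocol": "None"},
    {"name": "backup-target", "type": "Destination",
     "addresses": ["203.0.113.1-203.0.113.20"], "protocol": "TCP"},
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```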

To delete a bypass entry:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, click Site Settings > Bypass.

  3. Click the Delete icon next to the bypass rule you wish to delete. The rule is removed.

  4. Click Save. The rule is deleted.



  • Comment author

    No mention of what impact bypassed traffic may have on overall bandwidth / QoS

  • Comment author
    Nicky Tham

    I need a feature to make a certain subnet in a local site break out locally to the Internet without advertising the subnet into the SDWAN. Any advice?

  • Comment author
    Yaakov Simon

    JM, excellent point - yes, the Socket applies QoS to bypassed traffic. I updated the article accordingly.


  • Comment author

    Thanks Yaakov, 

    Would it be possible to expand on exactly how QoS is then applied, and how to monitor this? Assumption is nothing will be recorded and shown in CMA as it all happens on the socket - is there any way to see what's going on using the Socket UI?

  • Comment author
    Jonathon Parsons

    We have exactly the same requirement as Nicky Tham.

    RFE being sent.
