Backhauling Traffic via an IPsec Site

This article discusses how to configure an IPsec site as a backhauling gateway and create network rules to route traffic to third-party cloud/proxy based security service.


Cato's Internet traffic backhauling lets you use network rules to backhaul the relevant traffic to a third-party cloud/proxy based security service via the IPsec VPN tunnel.

For more about Internet traffic backhauling with Cato, see Configuring Internet Traffic Backhauling.

Diagram of Internet Traffic Backhauling via an IPsec Site

This is an example of Internet traffic backhauling from sites and SDP users to the the primary or secondary gateway IPsec site.


Configuring Internet Backhauling for the Account

This section shows the overview of configuring your account to backhaul Internet traffic to a gateway site.

  1. Define one or more backhauling gateway sites.

  2. Create Internet network rules that backhaul Internet traffic to the gateway sites.

Defining an IPsec Site as a Backhauling Gateway

Define an existing IPsec site as the backhauling gateway site.

For each gateway site, enable the site as a backhauling gateway. The PoP in the Cato Cloud forwards the matching backhauled Internet traffic via the IPsec tunnel to the remote end.


To define a site as a backhauling gateway:

  1. From the navigation menu, select Network > Sites, and select the site.

  2. From the navigation menu, select Site Settings > Backhauling.

  3. Select Use this site as backhauling gateway.

  4. Click Save.

Configuring Network Rules to Backhaul Traffic to an IPsec Site

Create an Internet network rule and configure the routing setting to route the traffic to the backhauling gateway. We recommend that you configure more than one backhauling gateway site, so in case the primary gateway site loses connectivity, the Cato PoP backhauls the traffic to the secondary gateway site (and so on if the secondary gateway site is also unreachable).

When you define a domain for the App/Category of a network rule, only the traffic for that specific domain is backhauled. Other related traffic flows for different domains aren’t backhauled.

For network rules that use the Backhaul via option, you can use a combination of Socket and IPsec backhauling gateway sites in a single rule.


Note: For users and sites located in China, make sure that the network rules for the backhauled traffic don't violate China's Internet regulations.

For more about the settings for network rules, see Configuring Network Rules.

For more information about routing options, you can also watch this.

Was this article helpful?

1 out of 1 found this helpful


Add your comment