How to Configure Split Tunneling on Cato Networks (Zoom & M365 Optimization)?
Overview
Split Tunneling allows you to define specific traffic (Applications, Domains, or IP subnets) that should bypass the Cato VPN tunnel and go directly to the internet via the user's local ISP.
Common Use Cases:
Latency Reduction: Improve performance for Zoom, Teams, and Webex.
Privacy: Allow users to access personal banking or streaming (Netflix/YouTube) without corporate inspection.
Local Access: Enable access to local printers or LAN resources (e.g.,
192.168.1.0/24) while connected to the VPN.
Step 1: Accessing the Split Tunnel Policy
Cato manages split tunneling centrally. Changes here apply to all Clients immediately after policy propagation (usually < 5 minutes).
Log in to the Cato Management Application (CMA).
Navigate to Access > Client Access > Split Tunnel.
(Note: In some legacy views, this might be under "Global Settings" > "Client Access").
You will see a policy editor specifically for deciding what enters the tunnel.
Step 2: Configuring the Rule (Bypass Mode)
You have two strategies: Tunnel All (Default) or Split Tunnel. We will assume you are using "Tunnel All" but want to create exceptions (Bypass).
Click (+) New to create a rule.
Name: e.g., Bypass - Real-Time Collaboration (Zoom/Teams).
Source: Leave as "Any" or select specific User Groups (e.g., "Remote Sales").
Destination / Application:
Click to add applications.
Search for Zoom, Microsoft Teams, Webex, or Office 365.
Tip: Cato maintains these application definitions dynamically, so you don't need to manage IP lists manually.
Action: Select Bypass (or "Off-Cloud").
Tunnel: Traffic goes through Cato (Inspected).
Bypass: Traffic goes direct to Internet (Not Inspected).
Click Apply and Save.
Step 3: Enabling LAN Access (Local Printers)
If users complain they cannot print to their home printer while the VPN is on, you need to enable LAN access.
In the same Client Access menu, look for Client Connectivity or Settings.
Find the "Split Tunneling" or "LAN Access" toggle.
Ensure "Allow Access to Local Area Network" is Enabled.
This automatically bypasses private ranges like
192.168.x.xand10.0.x.x(unless they conflict with your corporate WAN subnets).
Step 4: Validation (Did it work?)
To verify that traffic is actually bypassing Cato:
Connect the Cato Client.
Check Corporate IP:
Open a browser and go to
ipchicken.comorwhatismyip.com.You should see your Cato PoP IP (Corporate IP).
Check Bypassed App IP:
This is trickier for apps, but you can test with a browser-based bypass (e.g., if you bypassed "Netflix.com").
Open
netflix.com.If you have a sophisticated traffic monitor (or check the Cato Events log), you should NOT see access events for Netflix, because the traffic never hit the Cato socket.
Alternative: Use
tracerouteto the bypassed domain. If the first hop is your local router (e.g., 192.168.1.1) instead of the Cato virtual interface (e.g., 10.254.x.x), it is bypassing.
FAQ
1) What is split tunneling in Cato Networks VPN?
Split tunneling allows selected applications, domains, or IP ranges to bypass the Cato VPN tunnel and route directly through the local internet instead of the corporate security stack.
2) Why do organizations use split tunneling with Cato Client?
It reduces latency for real-time apps, preserves user privacy for personal services, and enables access to local LAN resources like printers while remaining connected to the VPN.
3) How do you bypass applications like Zoom or Teams in Cato VPN?
Create a Split Tunnel rule in Cato Client Access, select the application definitions, and set the action to Bypass so traffic routes directly to the internet.
4) How can you verify split tunneling is working correctly?
Check public IP for tunneled traffic, test bypassed domains, review Cato event logs, or use traceroute to confirm traffic exits through the local gateway instead of the Cato interface.
