Bypassing the Cato Cloud Using Predefined Applications: Simplify Secure Egress for Key Traffic

In modern enterprise environments, ensuring optimal performance for productivity applications—such as Zoom or Microsoft Teams—is critical. Manually managing outbound traffic by maintaining evolving IP lists can be cumbersome and error-prone. Cato Networks’ Bypassing the Cato Cloud capability addresses this challenge, and with the recent introduction of Predefined Application Bypass Rules, administrators now have a simpler way to optimize SaaS traffic.

What Is Bypassing the Cato Cloud?

The Bypassing the Cato Cloud feature allows administrators to configure Bypass Rules that let selected Internet-bound traffic egress directly from Socket and vSocket sites, instead of traversing Cato PoPs.

Key behaviors include:

• Traffic defined in a bypass rule does not go through Cato Cloud security inspection or application/category policies.
• Upstream Bandwidth Profiles and QoS configured at the Socket are still enforced.
• Downstream QoS is not applied since the traffic does not traverse a PoP.
• The Socket evaluates WAN performance (latency, jitter, packet loss, congestion) and routes traffic over the best available path.
• Administrators may configure a Preferred Socket WAN Role for predictable traffic steering.

This functionality is available for Socket and vSocket sites only.

Predefined Application Bypass Rules

Cato now provides Predefined Application Bypass Rules, which eliminate the need to manage dynamic IP ranges manually. These rules let administrators select specific business-critical applications directly when creating a bypass rule.

Currently supported applications include:

• Microsoft Exchange
• Google Applications
• Microsoft Defender for Endpoint
• Zoom
• Skype and Microsoft Teams
• SharePoint and OneDrive for Business

Cato continuously updates the IP definitions for these applications in the background. This ensures bypass rules always remain current without requiring administrator intervention.

Advantages of Each Approach

Bypass Rules (Traditional Configuration)

• Allow granular control over traffic using IP addresses, ports, and protocols.
• Suitable for custom or legacy applications not covered by predefined options.
• Require manual updates when IP ranges or services change.

Predefined Application Bypass Rules

• Simplify configuration by allowing administrators to select applications directly.
• Automatically updated by Cato—no need to maintain IP definitions.
• Best suited for widely used SaaS and collaboration platforms.

Both approaches complement each other, providing flexibility for unique traffic scenarios and efficiency for common applications.

Not sure which bypass strategy fits your environment? Fill out the form and our team will contact you to discuss the best approach for your setup.
 

Why This Matters to Administrators

• Simplified Operations: No more manual IP tracking—applications are preconfigured and auto-updated.
• Better User Experience: SaaS and collaboration apps enjoy lower latency and more reliable connectivity.
• Resilient WAN Routing: The Socket intelligently selects the best-performing WAN path or a preferred role.
• Policy Consistency: Even with bypass, bandwidth and QoS rules at the Socket remain in effect.

How to Configure a Predefined Application Bypass Rule

1. In the Cato Management Application, go to Network → Sites and select your site.
2. Under Site Configuration → Bypass, click New.
3. Assign a rule name (e.g., “Bypass – Zoom”).
4. For Destination, choose a supported predefined application (e.g., Zoom, SharePoint, Google Apps).
5. Optionally specify allowed protocols (TCP, UDP, ICMP).
6. (Optional) Select a Preferred Socket WAN Role to define the primary path.
7. Save the configuration—the rule is applied instantly.

Practical Use Cases

• Real-Time Collaboration: Improve call quality by bypassing Zoom and Teams directly to the Internet.
• Productivity Applications: Enhance performance for Microsoft 365 and Google Workspace.
• Endpoint Security: Ensure Microsoft Defender for Endpoint receives timely updates.
• Network Efficiency: Reduce load on the Cato Cloud by offloading SaaS traffic.

Conclusion

Bypassing the Cato Cloud is a powerful capability that provides direct egress for selected Internet traffic from Socket and vSocket sites. With the introduction of Predefined Application Bypass Rules, administrators gain a streamlined way to optimize traffic for commonly used SaaS platforms—without the operational burden of tracking IP ranges.

By combining traditional Bypass Rules and Predefined Application Bypass Rules, enterprises achieve both flexibility and efficiency, ensuring high performance for critical applications while maintaining centralized control.

Want to see how predefined bypass rules can improve your Teams and Zoom performance? Book a free consultation with our experts today.

FAQ

1. What is the difference between a Bypass Rule and a Predefined Application Bypass Rule?

A Bypass Rule is manually configured using IPs, ports, or protocols. A Predefined Application Bypass Rule lets administrators select specific applications from a list maintained by Cato.
 

2. Does bypassed traffic go through Cato’s security inspection?

No. Traffic defined in bypass rules does not pass through PoP-level security services. Only Socket-level QoS and bandwidth profiles apply.
 

3. Can both rule types coexist?

Yes. Administrators can mix traditional Bypass Rules with Predefined Application Bypass Rules as needed.
 

4. Is bypass supported for all sites?

No. Bypassing the Cato Cloud applies only to Socket and vSocket sites.
 

5. What happens if a Preferred Socket WAN Role link goes down?

The Socket automatically reroutes traffic to the best available WAN link using real-time performance metrics.
 

6. Why are Predefined Application Bypass Rules especially useful for collaboration tools?

Applications like Zoom and Teams are latency-sensitive. By routing them directly to the Internet, organizations reduce delay and improve quality for voice and video sessions.