
    Making Sense of Cato’s New Flexible Traffic Routing – What It Means for Users, Admins, and the Business

    Anas Abdu Rauf
    September 2, 2025
    [Figure: Cato Cloud architecture diagram connecting branch offices, data centers, and applications through a secure SASE backbone]

    1 | Why This Release Matters

    The promise of Cato Networks has always been “one client, any resource, anywhere.”

    With Windows Client v5.16, Cato extends that promise by letting you decide exactly which bits of traffic should—or should not—flow through the Cato Cloud. Until now you had an all-or-nothing choice: send everything down the tunnel (full tunnel) or carve out exclusions one CIDR block at a time. The new features flip that around: you can keep most traffic local and selectively steer only the flows that truly benefit from Cato’s security stack or global backbone.
     

    For enterprises in the middle of a phased SASE rollout, that extra granularity is gold. It removes the “big-bang” barrier to adoption, reduces troubleshooting friction, and gives security teams confidence that critical controls remain in place even as legacy infrastructures coexist.

     

    2 | Split Tunneling 2.0 – A Refresher

    Split tunneling describes any deployment in which a VPN or ZTNA client carries some traffic to a secure gateway while leaving the rest to travel over the local (or “native”) network path.

    Historically, administrators split traffic for three reasons:

    1. Performance – keep high-bandwidth or latency-sensitive apps (Teams, Zoom, CAD downloads) off the tunnel.
    2. Compatibility – allow access to local printers, peer-to-peer discovery, multicast or ISP-hosted services.
    3. Cost – minimize egress fees at the cloud firewall or backbone.
       

    But traditional split policies were static: if a subnet was excluded once, it stayed excluded no matter where the laptop travelled. That blunt approach breaks down in a hybrid world where the same user moves between a secure office, a home router, a coffee-shop hotspot and, perhaps, an untrusted client site—all in a single day.

    Cato’s new release solves that by introducing four mutually reinforcing capabilities.

     

    3 | Feature Deep Dive

    3.1 Flexible Traffic Routing (Granular Split Tunnel Policy)

    What it does

    • Lets IT craft multiple, ordered rules instead of a single allow/deny list.
    • Each rule can match destination IP, protocol, port, application ID, URL category, or domain.
    • Rules can now incorporate source network context (managed vs. unmanaged – see § 3.4 below).
       

    Daily impact

    • End users reconnect less often and see fewer broken links because the client decides on the fly which traffic deserves the secure path.
    • Admins gain a “mix-and-match” tool: you can keep Office 365 and SAP on Cato to benefit from CASB/DLP while letting bulk software updates pull directly from Akamai or CloudFront.

     

    Example scenarios
     

    | Situation | Old work-around | New granular rule |
    |---|---|---|
    | Branch laptops must reach a legacy file server over MPLS, but everything else over the tunnel. | Static exclusion of 10.10.0.0/16; broke access when the laptop left the branch. | IF dest = 10.10.0.0/16 AND src network = Managed THEN Exclude Tunnel |
    | Field engineers need a low-latency connection to industrial cameras (UDP/554) only while on factory Wi-Fi. | Forced full split at interface level; risked sending corporate traffic in the clear. | IF protocol = UDP AND port = 554 AND src network = Unmanaged THEN Exclude Tunnel |

      

    3.2 Web-Only Tunnel Option

    What it does

    • Creates a pre-defined rule set in which only HTTP/HTTPS (ports 80/443) traffic enters the Cato Cloud.
    • Everything else—SMB, RDP, VoIP, game traffic, OS updates—uses the local gateway.
       

    Why it helps

    • Performance-conscious hybrid sites (e.g., retail outlets with payment terminals) can be secured without backhauling large non-web flows.
    • Regulated industries may demand that file or voice traffic stays on-prem for audit reasons, yet still require web threat protection and CASB for SaaS.
    • Onboarding pilot – IT can flip on the Web-Only switch for Day 1 adoption, proving value with zero user disruption, and tighten the policy later.
       

    End-user experience

    Users generally won’t notice a thing—browser sessions load through Cato’s secure PoP (so phishing and malware filtering apply) while their YouTube video or Windows Update downloads at full speed from the local ISP cache. 

    3.3 DNS Split Tunneling

    The pain it solves

    Classic full-tunnel VPNs break split-horizon DNS designs; employees on the road resolve any corp.local record but lose reachability to the corresponding internal IP, or they hammer the corporate resolvers with every Google query, adding latency.

     

    How Cato fixes it

    • Internal DNS queries (towards a private server IP or a domain suffix list) can now bypass the client tunnel.
    • External DNS (public recursion) remains protected—either by Cato’s Secure Web Gateway or whatever upstream resolver you configure.

     

    Benefits

    • Faster name resolution when at home or on 5G.
    • Less attack surface; private DNS stays within the user’s subnet/VLAN if an internal device acts as resolver.
    • Easier migration from legacy on-prem firewalls that already enforce DNS split horizon.

    Pro tip: Pair this with Cato’s DNS Security feature so that even local recursive queries benefit from threat intelligence via DoH/DoT upstream.

    3.4 Split Tunnel Rules Based on Source Network (Managed vs. Unmanaged)

    What changed

    • The client can now identify whether the PC is connected to a Managed Network (formerly Trusted Network) defined in the Cato portal—typically an office, branch SD-WAN, or home network authenticated by a site certificate.
       
    • Policies can branch on that attribute: “If managed, use policy A; if unmanaged, use policy B.”
      • When plugged into a company LAN → send all traffic to Cato (full tunnel) because you control the LAN firewall.
      • When on public Wi-Fi → send only corporate app traffic via Cato; personal browsing stays local to respect privacy.
      • New subsidiary networks flagged as unmanaged; gradually whitelist their subnets until security posture aligns, then flip to managed.
      • Treat the same MacBook differently in Starbucks versus in HQ—tightens security without constant user prompts.
         

    Real-world use cases

    1. BYOD / contractor laptops
    2. M&A transition
    3. Zero-trust postures 
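    As an added example (illustrative code, not Cato's client or API), the following Python models the ordered, first-match rule semantics described in sections 3.1 to 3.4: conditions on destination CIDR, protocol and port, DNS domain suffix, and Managed vs. Unmanaged source network, with a network-dependent default (full tunnel on a managed LAN, local path elsewhere). Rule names, subnets and hostnames are constructed for the example.

```python
"""Ordered split-tunnel rule evaluator modelling the article's rule semantics:
first match wins, like a firewall rule base.  Illustrative code, not Cato's
client or API; rule names, subnets and hostnames are constructed examples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INCLUDE = "Include Tunnel"   # steer the flow through the Cato Cloud
EXCLUDE = "Exclude Tunnel"   # leave the flow on the local network path


@dataclass
class Flow:
    dst_ip: Optional[str] = None
    proto: Optional[str] = None      # "tcp" or "udp"
    port: Optional[int] = None
    domain: Optional[str] = None     # DNS query name, used by the DNS split rules
    src_managed: bool = False        # True when the client detects a Managed Network


@dataclass
class Rule:
    name: str
    action: str
    dst_cidr: Optional[str] = None
    proto: Optional[str] = None
    ports: tuple = ()
    domain_suffixes: tuple = ()
    src_managed: Optional[bool] = None   # None = rule ignores source network context

    def matches(self, f: Flow) -> bool:
        """Every condition set on the rule must hold; unset conditions are wildcards."""
        if self.dst_cidr is not None:
            if f.dst_ip is None or ip_address(f.dst_ip) not in ip_network(self.dst_cidr):
                return False
        if self.proto is not None and (f.proto or "").lower() != self.proto:
            return False
        if self.ports and f.port not in self.ports:
            return False
        if self.domain_suffixes:
            name = (f.domain or "").lower().rstrip(".")
            if not any(name == s or name.endswith("." + s) for s in self.domain_suffixes):
                return False
        if self.src_managed is not None and f.src_managed != self.src_managed:
            return False
        return True


# Constructed policy combining the article's scenarios: the MPLS file-server exclusion
# that applies only on a managed network, the factory-camera rule that applies only
# off-site, DNS split by domain suffix, and a Web-Only rule for remaining traffic.
POLICY = [
    Rule("legacy-fileserver-via-mpls", EXCLUDE, dst_cidr="10.10.0.0/16", src_managed=True),
    Rule("private-resources", INCLUDE, dst_cidr="10.0.0.0/8"),
    Rule("factory-cameras", EXCLUDE, proto="udp", ports=(554,), src_managed=False),
    Rule("internal-dns", EXCLUDE, proto="udp", ports=(53,), domain_suffixes=("corp.local",)),
    Rule("external-dns", INCLUDE, proto="udp", ports=(53,)),
    Rule("web-only", INCLUDE, proto="tcp", ports=(80, 443)),
]


def evaluate(flow: Flow, rules=POLICY):
    """Return (rule name, action) for the first matching rule.  Unmatched traffic takes
    a network-dependent default: full tunnel on a Managed Network, local path elsewhere."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", (INCLUDE if flow.src_managed else EXCLUDE)


if __name__ == "__main__":
    # Same laptop, same file server: excluded at the branch, tunnelled once it leaves.
    print("from branch:", evaluate(Flow(dst_ip="10.10.5.20", proto="tcp", port=445, src_managed=True)))
    print("from cafe:  ", evaluate(Flow(dst_ip="10.10.5.20", proto="tcp", port=445)))
```

    Rule order matters: the internal-dns rule must precede external-dns, or corp.local lookups would be tunnelled like any other query.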

    3.5 UI Tweak – “Trusted Networks” Renamed to Managed Networks

    The name change seems cosmetic but signals a philosophical shift: trust is no longer binary or automatic; instead, a network is “managed” because you enforce controls there. This language reinforces zero-trust principles and avoids confusion for auditors reviewing policy sets.

     

    4 | How Daily Administration Gets Easier

    1. Policy as code (sort of)
       Granular rules with logical conditions mean fewer manual subnet listings and no hunt for duplicate entries. Policies resemble firewall rule bases most admins already know.

    2. Change once, apply everywhere
       Update a single Split Tunnel profile and every Windows Client ≥ v5.16 adopts it on next check-in. No registry edits, no packaging.

    3. Reduced help-desk tickets
       • Fewer “can’t print” incidents when local broadcast traffic never enters the tunnel.
       • Less packet-loss troubleshooting; voice/video stays off the encrypted path if that path isn’t QoS-tuned.

    4. Incremental onboarding
       Move a business unit to web-only first, verify, then expand to full tunnel without reinstalling or re-educating.

    5. Audit & reporting clarity
       Cato’s analytics now annotate traffic as Included/Excluded by rule-ID, so you can prove segmentation to compliance teams.

     

    5 | Benefits to End Users

     

    | Daily friction point | Old experience | New experience |
    |---|---|---|
    | Slow SaaS logins from hotel Wi-Fi | All traffic hair-pinned to the nearest PoP hundreds of km away. | Web-Only policy sends SaaS over Cato’s backbone but streams and updates stay local → snappier browsing. |
    | Access to local smart printer or NAS | Printer unreachable → user disables VPN. | Granular rule excludes 192.168.0.0/24 only when the Wi-Fi SSID matches Home → seamless printing. |
    | In-office Wi-Fi congestion | Full tunnel doubles traffic exiting the branch. | Managed-network exemption keeps in-office Microsoft Teams peer-to-peer. |
    | Battery drain on 5G hotspot | Encrypted tunnel for every packet. | Split DNS + TCP only via tunnel → fewer CPU cycles, less mobile data. |

     

    In short, users feel faster, more stable connections without noticing the security controls behind the scenes.

     

    6 | Security Posture – Does More Split Mean Less Trust?

    Not if implemented correctly. Cato’s architecture still enforces identity, device posture, and application access controls at the first packet. Split tunneling simply dictates where the inspection happens. Key safeguards remain:

    • Per-app/private IP steer still authenticates the session against ZTNA policy.
    • CASB, IPS, DLP, SWG continue for traffic that traverses the Cato Cloud.
    • SaaS security posture – Even when only web traffic is sent, that captures 90 % of risky content (phishing, malware downloads, credential posts).
    • Endpoint EDR fills any gaps for traffic that stays local, maintaining defense-in-depth.

     

    7 | Implementation Guide

    1. Update clients
       • Push Windows Client v5.16 via your RMM or Intune.
       • For macOS and mobile, expect similar features in subsequent releases.
    2. Define Managed Networks
       • In the Cato portal, list branch LAN subnets, HQ Wi-Fi SSIDs, or install a site certificate on routers.
    3. Author split policies
       • Start with Web-Only for a pilot group.
       • Create additional “Include” rules for private resources (e.g., 10.30.0.0/16).
    4. Validate
       • Use Cato’s Real-Time Traffic view, or nslookup and tracert from endpoints, to confirm route paths.
    5. Roll out in waves
       • Marketing, HR (web-heavy) first; engineering (Git, SSH) next; finally call-centre (voice/video) once QoS baselines are proven.

     

    8 | Extra Tidbits & Best Practices
     

    | Tip | Why / How |
    |---|---|
    | Use URL categories rather than raw IPs for SaaS; Microsoft ranges change weekly. | Cato’s cloud database auto-updates. |
    | Enable DoH for external DNS inside the tunnel to keep privacy intact. | Reduces ISP-level spying on SaaS usage. |
    | Tag rules with version numbers (e.g., WebOnly_v1) to simplify rollback. | Easier change control audits. |
    | Leverage Cato’s API to update Managed-Network lists from DHCP scopes. | Automates M&A site onboarding. |
    | Monitor the “Excluded Traffic” widget weekly; spikes may reveal shadow-IT or mis-tagged apps. | Keeps the security surface tight. |

     

     

    9 | Conclusion

    The Flexible Traffic Routing update turns Cato Client from a straightforward cloud-VPN into a context-aware traffic director. End users benefit from faster, battery-friendlier connections; administrators gain draggable policy controls; and the business enjoys smoother, phased SASE adoption without compromising security.

    If you’re still running an “all or nothing” VPN (legacy or Cato), now is the moment to pilot Web-Only tunneling and DNS split on a subset of devices. You’ll likely find that support tickets drop, adoption accelerates, and leadership finally gets the “network agility” they’ve been promised for years—no forklift upgrade required.
     

    Curious how Flexible Traffic Routing could reduce tickets in your environment? Book a Free Consultation with our Cato expert Today.
     
     

    [Figure: Cato Networks infographic on Flexible Traffic Routing showing old VPN problems, split tunneling features, and enterprise use cases]

    FAQ

    1. What Is Flexible Traffic Routing In Cato’s SASE Client?

    Flexible traffic routing allows IT teams to define granular split-tunneling policies. Instead of an all-or-nothing VPN tunnel, admins can decide which applications, ports, protocols, or domains flow through the Cato Cloud, and which stay on the local network.

     

    2. How Is This Different From Traditional Split Tunneling?

    Traditional split tunneling relied on static subnet exclusions, which often broke when users changed networks. Cato’s approach is context-aware: policies adapt based on location (managed vs. unmanaged networks), application type, or protocol, ensuring security and user experience remain consistent.

     

    3. What Benefits Do End Users Get From Flexible Traffic Routing?

    End users enjoy faster SaaS logins, seamless access to local resources like printers, improved battery life on mobile devices, and smoother video calls. They experience fewer disruptions since the client automatically routes traffic through the best path without requiring manual intervention.

     

    4. How Does The Web-Only Tunnel Option Work?

    The web-only tunnel routes only HTTP/HTTPS traffic through the Cato Cloud, while everything else (such as OS updates, file transfers, or VoIP) bypasses it locally. This ensures users still get web protection (SWG, CASB, phishing filtering) while reducing overhead and latency for non-web traffic.

     

    5. Does Flexible Routing Weaken Security?

    No. Security remains intact because identity, device posture, and ZTNA policies still apply at the first packet. SaaS and web traffic continues to benefit from CASB, SWG, and threat detection. Local traffic that bypasses the tunnel can be protected by endpoint EDR or existing LAN firewalls, ensuring defense-in-depth.

     

    6. What Is The Role Of DNS Split Tunneling In This Update?

    DNS split tunneling ensures that private/internal DNS queries bypass the tunnel for faster local resolution, while public DNS queries remain protected by Cato’s SWG and threat intelligence. This reduces latency, improves compatibility with hybrid networks, and maintains security visibility.

     

    7. How Do Managed Vs. Unmanaged Network Policies Help Businesses?

    With managed vs. unmanaged network rules, the same device can follow stricter policies on public Wi-Fi while enjoying optimized access on corporate LAN. For example, contractors or BYOD devices on office networks can run full tunnel policies, while on coffee-shop Wi-Fi only corporate apps route through Cato.

     

    8. How Does This Update Simplify Administration For IT Teams?

    Admins gain centralized, firewall-like policy management. They no longer need to maintain long exclusion lists. Rules are easier to audit, apply globally, and update instantly across clients. Troubleshooting tickets also drop since local services like printers and video calls no longer break.

     

    9. Can Flexible Traffic Routing Support A Phased SASE Rollout?

    Yes. Enterprises can start small by enabling web-only or DNS split for a pilot group, then gradually expand policies to more users and applications. This reduces risk, lowers resistance to adoption, and avoids the need for disruptive “big-bang” migrations.

     

    10. Which Industries Benefit Most From Flexible Routing?

    • Retail: Secure card transactions via web while keeping POS updates local.
    • Healthcare: Route sensitive data through Cato while allowing local imaging traffic.
    • Manufacturing: Prioritize industrial control traffic locally while securing SaaS tools globally.
    • Professional Services: Enable seamless remote work with secure SaaS while respecting personal browsing privacy.

    About The Author

    Anas Abdu Rauf

    Anas is an expert in network and security infrastructure with over seven years of industry experience, holding certifications including CCIE Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas provides his valuable insights and expertise to readers.
