
    Making Sense of Cato’s New Flexible Traffic Routing – What It Means for Users, Admins, and the Business

    Anas Abdu Rauf
    September 2, 2025
    Cato Cloud Architecture Diagram Connecting Branch Offices, Data Centers, And Applications Through A Secure SASE Backbone

    1 | Why This Release Matters

    The promise of Cato Networks has always been “one client, any resource, anywhere.”

    With Windows Client v5.16, Cato extends that promise by letting you decide exactly which bits of traffic should—or should not—flow through the Cato Cloud. Until now you had an all-or-nothing choice: send everything down the tunnel (full tunnel) or carve out exclusions one CIDR block at a time. The new features flip that around: you can keep most traffic local and selectively steer only the flows that truly benefit from Cato’s security stack or global backbone.
     

    For enterprises in the middle of a phased SASE rollout, that extra granularity is gold. It removes the “big-bang” barrier to adoption, reduces troubleshooting friction, and gives security teams confidence that critical controls remain in place even as legacy infrastructures coexist.

     

    2 | Split Tunneling 2.0 – A Refresher

    Split tunneling describes any deployment in which a VPN or ZTNA client carries some traffic to a secure gateway while leaving the rest to travel over the local (or “native”) network path.

    Historically, administrators split traffic for three reasons:

    1. Performance – keep high-bandwidth or latency-sensitive apps (Teams, Zoom, CAD downloads) off the tunnel.
    2. Compatibility – allow access to local printers, peer-to-peer discovery, multicast or ISP-hosted services.
    3. Cost – minimize egress fees at the cloud firewall or backbone.
       

    But traditional split policies were static: if a subnet was excluded once, it stayed excluded no matter where the laptop travelled. That blunt approach breaks down in a hybrid world where the same user moves between a secure office, a home router, a coffee-shop hotspot and, perhaps, an untrusted client site—all in a single day.

    Cato’s new release solves that by introducing four mutually reinforcing capabilities.

     

    3 | Feature Deep Dive

    3.1 Flexible Traffic Routing (Granular Split Tunnel Policy)

    What it does

    • Lets IT craft multiple, ordered rules instead of a single allow/deny list.
    • Each rule can match destination IP, protocol, port, application ID, URL category, or domain.
    • Rules can now incorporate source network context (managed vs. unmanaged – see § 3.4 below).
       

    Daily impact

    • End users reconnect less often and see fewer broken links because the client decides on the fly which traffic deserves the secure path.
    • Admins gain a “mix-and-match” tool: you can keep Office 365 and SAP on Cato to benefit from CASB/DLP while letting bulk software updates pull directly from Akamai or CloudFront.

     

    Example scenarios

    Situation | Old work-around | New granular rule
    --- | --- | ---
    Branch laptops must reach a legacy file server over MPLS, but everything else over the tunnel. | Static exclusion of 10.10.0.0/16; broke access when the laptop left the branch. | IF dest = 10.10.0.0/16 AND src network = Managed THEN Exclude Tunnel
    Field engineers need a low-latency connection to industrial cameras (UDP/554) only while on factory Wi-Fi. | Forced full split at interface level; risked sending corporate traffic in the clear. | IF protocol = UDP AND port = 554 AND src network = Unmanaged THEN Exclude Tunnel

    3.2 Web-Only Tunnel Option

    What it does

    • Creates a pre-defined rule set in which only HTTP/HTTPS (ports 80/443) traffic enters the Cato Cloud.
    • Everything else—SMB, RDP, VoIP, game traffic, OS updates—uses the local gateway.
       

    Why it helps

    • Performance-conscious hybrid sites (e.g., retail outlets with payment terminals) can be secured without backhauling large non-web flows.
    • Regulated industries may demand that file or voice traffic stays on-prem for audit reasons, yet still require web threat protection and CASB for SaaS.
    • Onboarding pilot – IT can flip on the Web-Only switch for Day 1 adoption, proving value with zero user disruption, and tighten the policy later.
       

    End-user experience

    Users generally won’t notice a thing—browser sessions load through Cato’s secure PoP (so phishing and malware filtering apply) while their YouTube video or Windows Update downloads at full speed from the local ISP cache. 
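The ordered-rule evaluation described in § 3.1, with the two scenario rules from the table there and the Web-Only rule set from § 3.2, modelled as an added Python example. This is not Cato's client code or API: the Flow and Rule classes, the rule names and the addresses are assumptions, and it treats the Web-Only option as a single TCP 80/443 "include" rule with an "exclude" default, so in this model UDP/443 (QUIC) stays local; confirm how the real client treats it before relying on that.

```python
"""Ordered split-tunnel rule base, modelled in Python (constructed example).

Hypothetical model of the semantics sections 3.1 and 3.2 describe:
ordered rules, first match wins, each rule matching destination CIDR,
protocol, port and source-network context. Not Cato's client code or
API; class names, rule names and addresses are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    protocol: str       # "tcp" or "udp"
    dst_port: int
    src_network: str    # "managed" or "unmanaged" (the section 3.4 attribute)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "include" = via Cato Cloud, "exclude" = local path
    dst_cidr: Optional[str] = None        # None matches any destination
    protocol: Optional[str] = None        # None matches any protocol
    ports: FrozenSet[int] = frozenset()   # empty set matches any port
    src_network: Optional[str] = None     # None matches managed and unmanaged

    def matches(self, flow: Flow) -> bool:
        """Every condition set on the rule must hold for the flow."""
        if self.dst_cidr is not None and ip_address(flow.dst_ip) not in ip_network(self.dst_cidr):
            return False
        if self.protocol is not None and flow.protocol != self.protocol:
            return False
        if self.ports and flow.dst_port not in self.ports:
            return False
        if self.src_network is not None and flow.src_network != self.src_network:
            return False
        return True


def decide(rules: List[Rule], flow: Flow, default: str = "include") -> Tuple[str, str]:
    """Walk the ordered rule base: first match wins, else the default action."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "default"


# The two rows of the section 3.1 scenarios table as ordered rules.
SCENARIO_RULES = [
    Rule("legacy-fileserver-over-mpls", "exclude",
         dst_cidr="10.10.0.0/16", src_network="managed"),
    Rule("factory-cameras-rtsp", "exclude",
         protocol="udp", ports=frozenset({554}), src_network="unmanaged"),
]

# Section 3.2's Web-Only option: only TCP 80/443 enters the tunnel and the
# default for everything else is "exclude". Assumption of this model: UDP/443
# (QUIC) is not covered by the rule and therefore stays on the local path.
WEB_ONLY_RULES = [
    Rule("web-to-cato", "include", protocol="tcp", ports=frozenset({80, 443})),
]


def web_only_decide(flow: Flow) -> Tuple[str, str]:
    """Evaluate a flow against the Web-Only rule set (exclude by default)."""
    return decide(WEB_ONLY_RULES, flow, default="exclude")


if __name__ == "__main__":
    samples = [
        Flow("10.10.5.20", "tcp", 445, "managed"),      # file server from the branch
        Flow("10.10.5.20", "tcp", 445, "unmanaged"),    # same server from a hotel
        Flow("192.168.50.9", "udp", 554, "unmanaged"),  # camera on factory Wi-Fi
        Flow("203.0.113.10", "tcp", 443, "unmanaged"),  # SaaS login
        Flow("203.0.113.10", "tcp", 3389, "unmanaged"), # RDP, local under Web-Only
    ]
    for f in samples:
        print(f, "granular:", decide(SCENARIO_RULES, f), "web-only:", web_only_decide(f))
```

Running the file prints both decisions for each flow. The point to notice is the first two samples: the same file-server flow is excluded from the tunnel only while the source network is managed, so when the laptop leaves the branch it falls through to the default and keeps the tunnel, which is exactly the case the static exclusion in the table broke.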

    3.3 DNS Split Tunneling

    The pain it solves

    Classic full-tunnel VPNs break split-horizon DNS designs: employees on the road either resolve a corp.local record but cannot reach the corresponding internal IP, or they hammer the corporate resolvers with every Google query, adding latency.

     

    How Cato fixes it

    • Internal DNS queries (to a private server IP, or for a name on a domain suffix list) can now bypass the client tunnel.
    • External DNS (public recursion) remains protected—either by Cato’s Secure Web Gateway or by whatever upstream resolver you configure.

     

    Benefits

    • Faster name resolution when at home or on 5G.
    • Smaller attack surface: private DNS stays within the user’s subnet/VLAN when an internal device acts as the resolver.
    • Easier migration from legacy on-prem firewalls that already enforce DNS split horizon.

    Pro tip: Pair this with Cato’s DNS Security feature so that even local recursive queries benefit from threat intelligence via DoH/DoT upstream.
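The DNS decision described in § 3.3, as an added Python example that is not Cato's client code: a domain-suffix list and a private-resolver check decide which queries leave the tunnel, and a small audit lists internal names that an endpoint addressed to a public resolver. Only corp.local comes from the text; the second suffix intra.example, the resolver 10.20.0.53 and the query log are constructed.

```python
"""DNS split-tunnel steering with a leak check (constructed example).

Hypothetical model of the section 3.3 behaviour: queries for names on an
internal suffix list, or queries addressed to a private resolver IP,
bypass the client tunnel; public recursion stays on the protected path.
Not Cato's client code; suffixes, resolver addresses and the query log
are constructed sample data.
"""
from collections import Counter
from ipaddress import ip_address
from typing import Dict, List, Tuple

INTERNAL_SUFFIXES = ("corp.local", "intra.example")  # constructed suffix list
INTERNAL_RESOLVER = "10.20.0.53"                      # constructed internal resolver


def is_internal_name(qname: str) -> bool:
    """Match on label boundaries so 'notcorp.local' never matches 'corp.local'."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def steer_query(qname: str, resolver_ip: str) -> Tuple[str, str]:
    """Return (path, resolver): 'local' bypasses the tunnel, 'tunnel' is the protected path."""
    if is_internal_name(qname):
        # Split horizon: internal names go to the internal resolver on the local path.
        return "local", INTERNAL_RESOLVER
    if ip_address(resolver_ip).is_private:
        # A query aimed at a private resolver (e.g. the home router) stays on the LAN.
        return "local", resolver_ip
    # Everything else is public recursion and stays inside the tunnel.
    return "tunnel", resolver_ip


def summarize(query_log: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count queries per path for a (qname, resolver_ip) log."""
    return dict(Counter(steer_query(q, r)[0] for q, r in query_log))


def internal_names_sent_to_public(query_log: List[Tuple[str, str]]) -> List[str]:
    """Audit: internal names an endpoint addressed to a public resolver.

    Steering corrects the path, but these entries still point to a resolver
    configuration worth fixing: without DNS split they would have sent
    internal hostnames to the ISP's resolver.
    """
    return [q for q, r in query_log
            if is_internal_name(q) and not ip_address(r).is_private]


# Constructed query log: (queried name, resolver the OS addressed).
SAMPLE_LOG = [
    ("fileserver.corp.local", "8.8.8.8"),        # internal name, public resolver
    ("wiki.intra.example", "10.20.0.53"),        # internal name, internal resolver
    ("www.example.com", "192.168.1.1"),          # public name, home-router resolver
    ("login.microsoftonline.com", "1.1.1.1"),    # public name, public resolver
    ("notcorp.local", "8.8.8.8"),                # looks similar, is not internal
    ("corp.local.", "8.8.8.8"),                  # zone apex with trailing dot
]

if __name__ == "__main__":
    for q, r in SAMPLE_LOG:
        print(f"{q:30} -> {steer_query(q, r)}")
    print("per path:", summarize(SAMPLE_LOG))
    print("internal names aimed at public resolvers:", internal_names_sent_to_public(SAMPLE_LOG))
```

The suffix match is deliberately done on label boundaries rather than with a plain substring test; a look-alike such as notcorp.local must go through the protected path, not to the internal resolver.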

    3.4 Split Tunnel Rules Based on Source Network (Managed vs. Unmanaged)

    What changed

    • The client can now identify whether the PC is connected to a Managed Network (formerly Trusted Network) defined in the Cato portal—typically an office, branch SD-WAN, or home network authenticated by a site certificate.
       
    • Policies can branch on that attribute: “If managed, use policy A; if unmanaged, use policy B.”
      • When plugged into a company LAN → send all traffic to Cato (full tunnel) because you control the LAN firewall.
      • When on public Wi-Fi → send only corporate app traffic via Cato; personal browsing stays local to respect privacy.
      • New subsidiary networks flagged as unmanaged; gradually whitelist their subnets until security posture aligns, then flip to managed.
      • Treat the same MacBook differently in Starbucks versus in HQ—tightens security without constant user prompts.
         

    Real-world use cases

    1. BYOD / contractor laptops
    2. M&A transition
    3. Zero-trust postures 

    3.5 UI Tweak – “Trusted Networks” Renamed to Managed Networks

    The name change seems cosmetic but signals a philosophical shift: trust is no longer binary or automatic; instead, a network is “managed” because you enforce controls there. This language reinforces zero-trust principles and avoids confusion for auditors reviewing policy sets.

     

    4 | How Daily Administration Gets Easier

    1. Policy as code (sort of)
       Granular rules with logical conditions mean fewer manual subnet listings and no hunt for duplicate entries. Policies resemble the firewall rule bases most admins already know.

    2. Change once, apply everywhere
       Update a single Split Tunnel profile and every Windows Client ≥ v5.16 adopts it on next check-in. No registry edits, no packaging.

    3. Reduced help-desk tickets
       • Fewer “can’t print” incidents when local broadcast traffic never enters the tunnel.
       • Less packet-loss troubleshooting; voice/video stays off the encrypted path if that path isn’t QoS-tuned.

    4. Incremental onboarding
       Move a business unit to web-only first, verify, then expand to full tunnel without reinstalling or re-educating.

    5. Audit & reporting clarity
       Cato’s analytics now annotate traffic as Included/Excluded by rule-ID, so you can prove segmentation to compliance teams.

     

    5 | Benefits to End Users

    Daily friction point | Old experience | New experience
    --- | --- | ---
    Slow SaaS logins from hotel Wi-Fi | All traffic hair-pinned to the nearest PoP hundreds of km away. | Web-Only policy sends SaaS over Cato’s backbone but streams and updates stay local → snappier browsing.
    Access to local smart printer or NAS | Printer unreachable → user disables VPN. | Granular rule excludes 192.168.0.0/24 only when the Wi-Fi SSID matches Home → seamless printing.
    In-office Wi-Fi congestion | Full tunnel doubles traffic exiting branch. | Managed-network exemption keeps in-office Microsoft Teams peer-to-peer.
    Battery drain on 5G hotspot | Encrypted tunnel for every packet. | Split DNS + TCP only via tunnel → fewer CPU cycles, less mobile data.

    In short, users feel faster, more stable connections without noticing the security controls behind the scenes.

     

    6 | Security Posture – Does More Split Mean Less Trust?

    Not if implemented correctly. Cato’s architecture still enforces identity, device posture, and application access controls at the first packet. Split tunneling simply dictates where the inspection happens. Key safeguards remain:

    • Per-app/private IP steer still authenticates the session against ZTNA policy.
    • CASB, IPS, DLP, SWG continue for traffic that traverses the Cato Cloud.
    • SaaS security posture – Even when only web traffic is sent, that captures 90 % of risky content (phishing, malware downloads, credential posts).
    • Endpoint EDR fills any gaps for traffic that stays local, maintaining defense-in-depth.

    7 | Implementation Guide

    1. Update clients
       • Push Windows Client v5.16 via your RMM or Intune.
       • For macOS and mobile, expect similar features in subsequent releases.
    2. Define Managed Networks
       • In the Cato portal, list branch LAN subnets, HQ Wi-Fi SSIDs, or install a site certificate on routers.
    3. Author split policies
       • Start with Web-Only for a pilot group.
       • Create additional “Include” rules for private resources (e.g., 10.30.0.0/16).
    4. Validate
       • Use Cato’s Real-Time Traffic view or nslookup, tracert from endpoints to confirm route paths.
    5. Roll out in waves
       • Marketing, HR (web-heavy) first; engineering (Git, SSH) next; finally call-centre (voice/video) once QoS baselines are proven.

     

    8 | Extra Tidbits & Best Practices

    Tip | Why / How
    --- | ---
    Use URL categories rather than raw IPs for SaaS—Microsoft ranges change weekly. | Cato’s cloud database auto-updates.
    Enable DoH for external DNS inside the tunnel to keep privacy intact. | Reduces ISP-level spying on SaaS usage.
    Tag rules with version numbers (e.g., WebOnly_v1) to simplify rollback. | Easier change control audits.
    Leverage Cato’s API to update Managed-Network lists from DHCP scopes. | Automates M&A site onboarding.
    Monitor the “Excluded Traffic” widget weekly; spikes may reveal shadow-IT or mis-tagged apps. | Keeps the security surface tight.

     

     

    9 | Conclusion

    The Flexible Traffic Routing update turns Cato Client from a straightforward cloud-VPN into a context-aware traffic director. End users benefit from faster, battery-friendlier connections; administrators gain draggable policy controls; and the business enjoys smoother, phased SASE adoption without compromising security.

    If you’re still running an “all or nothing” VPN (legacy or Cato), now is the moment to pilot Web-Only tunneling and DNS split on a subset of devices. You’ll likely find that support tickets drop, adoption accelerates, and leadership finally gets the “network agility” they’ve been promised for years—no forklift upgrade required.
     

    Curious how Flexible Traffic Routing could reduce tickets in your environment? Book a Free Consultation with our Cato expert Today.
     
     

    Cato Networks Infographic On Flexible Traffic Routing Showing Old VPN Problems, Split Tunneling Features, And Enterprise Use Cases

    FAQ

    1. What Is Flexible Traffic Routing In Cato’s SASE Client?

    Flexible traffic routing allows IT teams to define granular split-tunneling policies. Instead of an all-or-nothing VPN tunnel, admins can decide which applications, ports, protocols, or domains flow through the Cato Cloud, and which stay on the local network.

     

    2. How Is This Different From Traditional Split Tunneling?

    Traditional split tunneling relied on static subnet exclusions, which often broke when users changed networks. Cato’s approach is context-aware: policies adapt based on location (managed vs. unmanaged networks), application type, or protocol, ensuring security and user experience remain consistent.

     

    3. What Benefits Do End Users Get From Flexible Traffic Routing?

    End users enjoy faster SaaS logins, seamless access to local resources like printers, improved battery life on mobile devices, and smoother video calls. They experience fewer disruptions since the client automatically routes traffic through the best path without requiring manual intervention.

     

    4. How Does The Web-Only Tunnel Option Work?

    The web-only tunnel routes only HTTP/HTTPS traffic through the Cato Cloud, while everything else (such as OS updates, file transfers, or VoIP) bypasses it locally. This ensures users still get web protection (SWG, CASB, phishing filtering) while reducing overhead and latency for non-web traffic.

     

    5. Does Flexible Routing Weaken Security?

    No. Security remains intact because identity, device posture, and ZTNA policies still apply at the first packet. SaaS and web traffic continues to benefit from CASB, SWG, and threat detection. Local traffic that bypasses the tunnel can be protected by endpoint EDR or existing LAN firewalls, ensuring defense-in-depth.

     

    6. What Is The Role Of DNS Split Tunneling In This Update?

    DNS split tunneling ensures that private/internal DNS queries bypass the tunnel for faster local resolution, while public DNS queries remain protected by Cato’s SWG and threat intelligence. This reduces latency, improves compatibility with hybrid networks, and maintains security visibility.

     

    7. How Do Managed Vs. Unmanaged Network Policies Help Businesses?

    With managed vs. unmanaged network rules, the same device can follow stricter policies on public Wi-Fi while enjoying optimized access on corporate LAN. For example, contractors or BYOD devices on office networks can run full tunnel policies, while on coffee-shop Wi-Fi only corporate apps route through Cato.

     

    8. How Does This Update Simplify Administration For IT Teams?

    Admins gain centralized, firewall-like policy management. They no longer need to maintain long exclusion lists. Rules are easier to audit, apply globally, and update instantly across clients. Troubleshooting tickets also drop since local services like printers and video calls no longer break.

     

    9. Can Flexible Traffic Routing Support A Phased SASE Rollout?

    Yes. Enterprises can start small by enabling web-only or DNS split for a pilot group, then gradually expand policies to more users and applications. This reduces risk, lowers resistance to adoption, and avoids the need for disruptive “big-bang” migrations.

     

    10. Which Industries Benefit Most From Flexible Routing?

    • Retail: Secure card transactions via web while keeping POS updates local.
    • Healthcare: Route sensitive data through Cato while allowing local imaging traffic.
    • Manufacturing: Prioritize industrial control traffic locally while securing SaaS tools globally.
    • Professional Services: Enable seamless remote work with secure SaaS while respecting personal browsing privacy.

    About The Author

    Anas Abdu Rauf

    Anas is an expert in network and security infrastructure with over seven years of industry experience, holding certifications including CCIE Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas provides his valuable insights and expertise to readers.
