Block access to local/home network for Cato Client – force all traffic through Cato tunnel
Hi everyone,
We are using the Cato Client (Windows/macOS) for remote users and would like to fully block access to the local/home network when the client is connected.
Goal:
- No access to local LAN subnets (e.g. 192.168.0.0/16, 10.0.0.0/8, printers, NAS, routers, IoT, etc.)
- No split tunneling or local breakout
- All traffic should be forced through the Cato tunnel
We checked the following areas but could not find a clear way to block local LAN access on the endpoint:
- Client Connectivity Policy
- Network Rules
- Internet / WAN / LAN Firewall
Questions:
- Is it possible to block local/home network access for Cato Clients purely within Cato (endpoint-based), so that local LAN traffic is not reachable at all?
- If yes: which policy / feature is required (e.g. Client Advanced Controls, specific license, feature flag)?
- If no: is the recommended approach to enforce this via endpoint controls (e.g. OS firewall / MDM) in combination with Always-On and no split tunneling?
Any guidance or best practice from real-world deployments would be highly appreciated.
Thanks in advance!