Netskope Global Technical Success (GTS)
IPS - Best Practices and important facts
Netskope Cloud Version - 122
Objective
Provide important information about IPS as well as best configuration practices
Prerequisite
Netskope Standard or Advanced Threat Protection with IPS enabled. If IPS is not currently enabled, contact your CSM or Sales team. No separate license is required.
Context
The customer wants to ensure that IPS is correctly configured
Configuration
Important points regarding IPS (Intrusion Prevention System):
- Detailed documentation on enabling IPS can be found in this document: https://docs.netskope.com/en/about-ips-settings/
- To confirm if IPS is enabled in your tenant, navigate to Settings > Threat Protection. There you can see if IPS is currently active.
- Netskope's IPS has two action modes: Block Mode and Alert Only Mode. This can be easily viewed in the SIGNATURE OVERRIDES tab.
- Best practices to keep in mind:
- Enable IPS in Alert Only mode first and leave it there for 2-4 weeks. During this period, monitor the alerts generated by the IPS engine to learn how user traffic actually behaves, and confirm that each alert is accurate rather than a false positive. Where a false positive is found, the Netskope administrator should analyse it manually and then open a support ticket with Netskope describing the behaviour, so that the necessary internal adjustments can be made. Once this baseline period is over, switch IPS to Block Mode so that the signatures actively protect users' browsing.
- Netskope's IPS requires no manual policy configuration, in either Real-time Protection or API Data Protection. It operates on signatures that Netskope maintains internally and needs no additional configuration from users.
- Importing custom signatures is not currently supported. If a custom signature is needed, open a support ticket to request its inclusion.
- Please refer to the following link for valuable information about our current IPS signature coverage: https://threatlibrary.netskopethreatlabs.com/. If in doubt, you can search for specific signatures using the "filter" field to confirm our coverage.
- In addition to not requiring policies for IPS operation, no other configurable Threat Protection profile in Netskope is needed.
- The option to override a signature should only be used in specific use cases that warrant it. As a best practice, if you encounter a problem with a signature, escalate to the support team first, before configuring an override that changes the signature's default behaviour. This allows Netskope to validate whether an internal adjustment is the right fix.
- To test IPS, use an isolated machine on which you can deliberately perform the actions that the specific signature under test looks for. One download that can generate alerts is the EICAR anti-malware test file: https://www.eicar.org/download-anti-malware-testfile/ . Note that EICAR was designed to exercise anti-malware engines, so check the alert details to confirm which engine (the malware scan or an IPS signature) produced the event before treating it as an IPS test result.
- If any of the AI tools whose domains are listed below are in use, add the following domains to the IPS Domain Allow List:
openai.com, *.openai.com, cloudfront.com, *.cloudfront.com, gstatic.com, *.gstatic.com, chat.openai.com, *.chat.openai.com, widget.intercom.io
Entries on this list exempt matching destinations from IPS inspection entirely. Wildcard entries that cover shared content-delivery domains (for example *.cloudfront.com) exempt far more than the AI tool itself, so review them against your own risk appetite and keep the list no broader than the tools require.
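The following script is an added example for this article, not Netskope code and not a Netskope API. It shows the kind of triage an administrator would run on alerts exported during the Alert Only baseline period: per-signature counts with distinct users and destinations, which signatures to analyse manually before switching to Block Mode, how the allow-list entries above match destination hosts (and why both the bare domain and the *.domain form are listed), and which wildcard entries cover shared hosting domains. The alert records are constructed, and their field names (user, dsthost, signature) and the SHARED_HOSTING set are assumptions to be mapped onto your tenant's real export.

```python
"""Triage helper for an IPS Alert-Only baseline period.

Added example for this article, not Netskope code or any Netskope API. The
alert records below are constructed, and their field names (user, dsthost,
signature) are assumptions: map them to the columns of your tenant's alert
export before using this on real data.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample alerts from an imaginary 2-4 week Alert-Only period.
SAMPLE_ALERTS = [
    {"user": "alice@example.com",   "dsthost": "chat.openai.com",    "signature": "Web App Scan Pattern"},
    {"user": "bob@example.com",     "dsthost": "api.openai.com",     "signature": "Web App Scan Pattern"},
    {"user": "carol@example.com",   "dsthost": "d1.cloudfront.com",  "signature": "Web App Scan Pattern"},
    {"user": "dave@example.com",    "dsthost": "widget.intercom.io", "signature": "Web App Scan Pattern"},
    {"user": "mallory@example.com", "dsthost": "203.0.113.10",       "signature": "Exploit Attempt: Example"},
    {"user": "mallory@example.com", "dsthost": "203.0.113.10",       "signature": "Exploit Attempt: Example"},
    {"user": "alice@example.com",   "dsthost": "files.example.net",  "signature": "Tool Download"},
    {"user": "bob@example.com",     "dsthost": "files.example.net",  "signature": "Tool Download"},
    {"user": "carol@example.com",   "dsthost": "files.example.net",  "signature": "Tool Download"},
]

# The IPS Domain Allow List entries given in the article for the AI tools.
ALLOW_LIST = [
    "openai.com", "*.openai.com", "cloudfront.com", "*.cloudfront.com",
    "gstatic.com", "*.gstatic.com", "chat.openai.com", "*.chat.openai.com",
    "widget.intercom.io",
]

# Assumption: domains that host content for many unrelated tenants. A wildcard
# over one of these exempts far more than the AI tool from IPS inspection.
SHARED_HOSTING = {"cloudfront.com", "cloudfront.net", "gstatic.com"}


def host_matches(host: str, entry: str) -> bool:
    """Case-insensitive match of one allow-list entry against a destination host.

    A bare domain matches only itself; "*.x" matches any subdomain of x but
    not x itself, which is why the article lists both forms for each domain.
    """
    return fnmatchcase(host.lower(), entry.lower())


def allowed_by(host: str, allow_list: list[str]) -> list[str]:
    """Return every allow-list entry that would exempt this host from IPS."""
    return [e for e in allow_list if host_matches(host, e)]


def broad_entries(allow_list: list[str], shared=SHARED_HOSTING) -> list[str]:
    """Wildcard entries that cover a shared hosting/CDN domain; review these
    individually rather than copying them in wholesale."""
    return [e for e in allow_list if e.startswith("*.") and e[2:].lower() in shared]


def summarize(alerts, allow_list):
    """Per-signature counts, distinct users, distinct destinations, and how
    many of the alerts would be silenced by the allow list."""
    per_sig = defaultdict(lambda: {"count": 0, "users": set(), "hosts": set(), "suppressed": 0})
    for a in alerts:
        s = per_sig[a["signature"]]
        s["count"] += 1
        s["users"].add(a["user"])
        s["hosts"].add(a["dsthost"])
        if allowed_by(a["dsthost"], allow_list):
            s["suppressed"] += 1
    return dict(per_sig)


def review_first(summary, min_users=3, min_hosts=3):
    """Signatures firing for many users against many destinations are the
    ones to analyse manually (and report to support if benign) before
    switching to Block Mode; one user hitting one host is not, by itself,
    evidence of a false positive."""
    return sorted(sig for sig, s in summary.items()
                  if len(s["users"]) >= min_users and len(s["hosts"]) >= min_hosts)


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS, ALLOW_LIST)
    for sig, s in sorted(summary.items()):
        print(f"{sig}: {s['count']} alerts, {len(s['users'])} users, "
              f"{len(s['hosts'])} hosts, {s['suppressed']} would be allow-listed")
    print("Review before Block Mode:", review_first(summary))
    print("Broad allow-list entries:", broad_entries(ALLOW_LIST))
```

On the sample data, "Web App Scan Pattern" fires for four users against four destinations and every one of those destinations is covered by the allow list, so it is both the first signature to analyse manually and the one whose alerts would disappear entirely once the allow list is applied; "*.cloudfront.com" and "*.gstatic.com" are reported as the entries whose scope deserves a second look.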
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- The vendor may alter the application's functionality in the future. If any such change is brought to our attention, we will promptly update this documentation to reflect it.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.