In case you missed the latest webinar in our Inside Netskope series—where Netskope experts show you how we protect our users, applications, and data using our own cloud-based architecture—a recording and recap of our recent session on Client Troubleshooting can be found below. Feel free to comment and continue the discussion!
Watch on-demand 
Q: Is there a solution to force Netskope to switch multiple devices (>100) to a specific POP in case of issues with one POP?
A: It is my understanding that our GSLB will detect those issues and reroute you to a new POP very quickly.
Q: How to troubleshoot issues with uninstallation process for older Netskope clients? (Netskope client unable to be removed)
A: I recommend renaming the folder. After renaming it, you can uninstall the old client. Here is a great troubleshooting guide!
Q: How would you go about troubleshooting a Microsoft Teams call performance issue to confirm if Netskope proxy is the root cause or it's something else?
A: For me, that's when I immediately go into PDEM to find the user, target the app Teams application, and see if I can find out where the performance issues are going.
Again, we don't know what everybody's licensed for, we just know what we use—so we're not trying to upsell anybody, these are just the tools that we utilize day in and day out.
Q: How to read logs and which type of logs to look at?
A: We covered this in detail during the webinar but the NPA debug and NS debug are the two logs you're primarily going to rely on.
Q: How to rectify big file (malware) scanning error? Is there a place for me to check SSL related errors, I can't seem to find it in SkopeIT?
A: With Netskope, there's an alert policy type malware. You also may be able to see within the page events if it's an SSL error.
You should be able to pull some of this out of Netskope. There are two reports in Netskope Advanced Analytics that can help with this:
- Advanced Analytics > Folders > Netskope Library > SSL Inspection
- Advanced Analytics > Folders > Netskope Library > Web Transaction SSL Errors
Q: If you cannot find an object by the DLP Incident ID, what is the best way to find it in Netskope?
A: Searching by object name or the offending person. That's how I would go about looking for a DLP incident.
I've seen issues where sometimes that DLP incident ID might be bundled in something else or is not readily available, but you can always take a look at the object itself.
Q: Could we get a better understanding of what the different advanced debugging options do? It would be great to have some documentation, including examples and suggestions, on when to use different levels. The only guidance I have found is that it should be left at "Info" by default.
A: We covered this one in detail during the webinar, but info is ordinarily everything you need to do some troubleshooting and really only turn it on for the debug, ONLY if asked for from support.
Q: How do I troubleshoot my internet being slow? Speedtest says I have 200mb down when I have 1GB at home.
A: So with the Internet slow speed, my recommendation is to take packet captures screenshot/video and then note what POP you're connected to—which you can also get from a screenshot of your configuration—and then open up a potential ticket with the Netskope Client team.
One of the tools that I've been leveraging a lot lately when I have a user saying their internet's slow is PDEM, so we're able to target and see what's actually happening with their traffic.
Q: How do you describe the icon that people should look for? Is the configuration the same as manually updating the app?
A: The icon is the little colored Netskope symbol for the client and when you bring up the configuration, you have a choice of manually updating it. Or I believe every fifteen minutes, it checks and pulls down a new configuration for the client config and the steering config.
As far as the application itself goes, at four hours of inactivity, it reaches out to the tenant to check if there's a new version. If there is, it'll pull it down and install it at that point.
Q: How can we get accurate reporting/notifications of clients "tunnel down due to error"?
A: So tunnel down due to error, you can go into the Netskope settings, security cloud platform devices, and take a look at device status in there. If you have Advanced Analytics, we actually have a report that you can run on client statuses and I believe advanced reporting has a trimmed down version of that same Netskope Advanced Analytics report.
In Advanced Analytics, the report I like is "Device Client Overview", which can be found in our Netskope Library:
Advanced Analytics > Folders > Netskope Library > Device Client Overview
Q: How can I get a Client enrolled in multiple Netskope tenants?
A: Unfortunately, the Netskope Client cannot be connected to multiple tenants at the same time, with one exception. We have a new feature release in R125 for NPA Partner Access which allows for an organization to share NPA access to outsiders, provided they have a tenant AND the tenant is configured with an IDP. Please see the release notes for R125.
Q: Can you provide an explanation on any troubleshooting SOP we can follow to fix Netskope Client related issues?
A: If you go to docs.netskope.com, we have some really good resources on how to troubleshoot. What I typically do when troubleshooting SOP is first, check if the Client needs an update and then start taking a look at what it looks like from the NSDEBUG logs if I really need to get that far down into the weeds—if I'm not seeing what I expect inside the scope of application events. Here is a great troubleshooting guide!
Q: Can we see a way to troubleshoot logs in events/alerts (SkopeIT)? It is sometimes difficult to know where to start troubleshooting events that have been allowed (or sometimes blocked) if the end user is not able to send the technical details of what occurred.
A: We covered this in more detail during the webinar but I always isolate it when I'm doing the scope of searches to the user. The one thing I've noticed is that if the end user can't provide you the details, is to get a screen recording and this will help out immensely when you're working with our support team because they're inevitably going to ask for a recording or a screenshot of the error message. If the end user can't or sometimes won't send you Client logs, you have the ability to collect those through the actual tenant itself.
Q: What is the best way to read Client logs?
A: I'm a Windows guy so I'm in Notepad plus plus using the search features in there.
I save the Windows logs off in Notepad plus plus. However, you'll get that annoying "this file has changed, do you wanna reload its contents?". Macs are a little bit more forgiving. You can go with advanced debug, open up the log file, and while events are happening, they'll stream through and not alert you. So, I'm sure there's a setting you can flip on in Notepad plus plus—or another log utility—but I choose to save them off. It's also a good way to stop time because you may be encountering an issue at a certain point in time, and then of course, things change especially if it's a machine that has a lot of traffic. So while you have this issue here, stop time, capture it, and then you can do that same thing again if something's changed. Maybe you make a policy change, or client configuration change, and then you stop seeing those alerts. That way, you can do that comparison.
Q: As a new Netskope admin user, what are the most tactile resources to use for solidifying the knowledge and gaining confidence tackling every/any issue that arises?
A: When I first started with it, I definitely had to learn that reading those Client logs was crucial in identifying issues and what the Client might be seeing as far as traffic, what it could be interfering with—as far as local applications—and just getting very familiar with what the policies are capable of.
Docs.netskope.com and our Community articles are great resources! My recommendation also is to not be afraid to break stuff, especially with policies. Make sure that you're putting the most specific policy possible, only affecting you, at the top of the list, and then going through that troubleshooting stance and making those policy changes for the rest of the organization.
Q: Can you explain the difference between the "outer" pcap log vs a wireshark log? Sometimes Support asks for explicitly wireshark and I'm curious what the difference is.
A: There's three—there's an outer and inner and there's also an NPA, PCAP. So I'm assuming that the Wireshark log that they're referring to is the inner PCAP and the reason behind that is, that's what the browser or the user agents are reaching in and you're seeing on the inside of that network.
The outer would be what the Client is sending to the actual tenant itself. So they're probably talking about an inner log, inner PCAP.
Q: Is there a way we can see in Client logs the cause of a network latency? We have PDEM, however, I want to know if we can also see the cause or sign of a network latency in Client logs because it's important to capture the issue near-real time when it comes to latency issues.
A: I would take a look at that in the nsdebuglog.log and the old .log to determine your round trip times because you're going to be able to take a look at your GSLB endpoints throughout the world, and of course, it's picking the one with the lowest round trip time.
Q: SkopeIT will log ALL bypassed traffic, including traffic that is bypassing steering?
A: If you go into the steering configuration, there's going to be a setting up at the top and it says "bypass traffic or bypass traffic log." You will actually have to edit the steering configuration to log a bypass traffic so that when you go into page events, you can do a query that's "bypass_traffic eq yes" to see what traffic's being actually bypassed within that. So a majority of the bypass traffic will be logged.
Enabling the logging of bypassed traffic may be found here (step 2). The SkopeIT Page Events query is "bypass_traffic eq yes" and other SkopeIT queries may be found here.
Q: When will "Alert" action for Browse activity be available?
A: In the webinar, I demo what it would look like for alert on a browse activity, with that custom app that I had earlier. Browse activities may be seen in SkopeIT Application Events using a query of "activity eq 'Browse'"
Q: Can you please explain how to troubleshoot scenarios where websites remain inaccessible and there is no Netskope error message? Please talk about how to read and interpret the Netskope logs for troubleshooting.
A: I would take that URL, go in the SkopeIT, and do a URL check to see what category it might belong to. Then, you can jump into application events and do a query on URL like and then the name of that URL and see if you're spawning events for alerting.
Sometimes those alerts don't necessarily become readily available and so at that point, you can start digging in and taking a look at the page events for that host. The next course of actions will depend upon what alerts you see. You can also look in the NSDEBUG log to actually dig in and see the host it's going to and what process it's sending and communicating with for that remote destination.
Q: Where can we view the inner/outer packet capture logs? Which logs show the RTT and DC connections?
A: So to view the inner and outer packet capture logs, I would basically go to advanced debugging, reveal logs, and then it would open up the folders in which those log files are gonna belong. Or you can always save the log files off to a ZIP, and then open that ZIP and examine those. As far as the RTT and DC connections, I would actually look in the NS debug log and NS debug old log files.
Q: When you create a custom URL list you do not need to update the configuration like you did when you create a private app?
A: If you bundle the custom URL list into a customer category and apply that as a bypass in the Netskope Client steering configuration, you will need to update the Client. Keep in mind that any changes to the Netskope Client steering configuration, or Client configuration, require that the Client be updated. Changes to anything else in the tenant do not as they affect policy, not the Client itself.
Q: Why would the user get assigned a slow POP by GSLB? Would it be faster if the user manually specified a POP?
A: The selection of a POP is automated through the use of GSLB. This is an exceptional method of allowing the Client to quickly determine the best path and select it without worrying about calculating destination metrics.
Q: Can the Netskope edge servers be affected by the number of clients connected across all Netskope clients? I.e. speed issues that users are complaining about? Is there somewhere we can see if an Edge server is overcommitted?
A: Absolutely! You can use our Trust Portal.
Q: So when you define a custom CCI app and use the "universal connector" does it just simply enable all activities as a best guess, or does it actually do some magic to understand what's up?
A: When defining a custom application, which is discovery only using the "universal connector", the activities it detects will depend on how or what has been engineered for the Cloud App. I have seen it where a Cloud App is capable of seeing logins, logouts, and uploads then a month or so later it cannot detect uploads. It is best guess only.
If you do define a custom application, be sure to read the release notes to see if there is an update to the application or a custom connector is developed. If there is an update to the list of hosts or domains for the app, add them to the custom app. If there is a custom connector developed, be sure to delete the custom application.
Here is an example of application updates for R125.
Q: Since Netskope uses GSLB to connect to the nearest POP, what can be done when a Public IP is incorrectly tagged in the GeoIP databases?
A: Please reach out to Support as soon as possible if this occurs. You may also check https://trust.netskope.com for other issues.
View past events in this series!
Some responses above contain roadmap items. These are intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Netskope’s products remains at the sole discretion of Netskope.