Hi Folks,
I am sharing my modest knowledge with the Netskope community. I hope this helps a few of you in understanding the basic Netskope traffic flow and log analysis.
POP Selection
Versions prior to 96.1:
1. The Netskope Client uses DNS over HTTPS (dns.google) to resolve the IP address of the Netskope gateway (gateway-<tenant hostname>.goskope.com).
2. If the DNS over HTTPS lookup is unsuccessful, the client fails over to the local DNS resolver (LDNS, UDP 53) to resolve gateway-<tenant hostname>.goskope.com.
Versions starting with 96.1:
The gateway domains no longer have to be resolved through the Google DNS service (dns.google). Instead, the client makes a REST API request to gateway.gslb.goskope.com, and the GSLB service returns a POP list selected according to the client's IP address.
Note: The GSLB option is only available when the corresponding backend tenant flag is activated.
Basic Traffic flow
Let’s take an example of the SaaS Application Box.com!
- The browser issues a DNS request for the SaaS domain Box.com.
- The browser receives the DNS response. The Netskope ST Agent driver captures the response and creates a domain-to-IP mapping, i.e. Box.com – 74.112.184.73.
- The browser sends the TCP SYN packet (start of the 3-way handshake) to the SaaS server 74.112.186.144. The ST Agent driver captures the TCP SYN packet and hands it to the Netskope ST Agent service.
- The ST Agent service has already established an SSL tunnel with the Netskope gateway. The TCP packets are tunneled (steered) through this SSL tunnel.
- The Netskope gateway receives the TCP SYN+ACK response from the SaaS server and forwards it to the ST Agent service through the established tunnel.
- The ST Agent driver receives the packets from the ST Agent service.
- The system network stack receives the packets from the ST Agent driver, and the browser displays the result.
Note: Only the Advanced debugging packet capture option in the Netskope client can capture at the ST Agent driver level. A Wireshark capture on the normal network adapter will only show encrypted packets whose destination IP is the Netskope gateway.
Troubleshooting Logs
Log into the endpoint. Right-click the Netskope icon in the System Tray and then click Save Logs.
nsdebuglog
===========
Use it to verify service-related errors and logs.
Use it to verify the POP selection logs.
Use it to confirm whether traffic is steered through Netskope or not.
POP selection using EDNS
2019/10/17 09:47:59.527 stAgentSvc p1334 t4c4c 4 tunnel.cpp:694 nsTunnel TLS Connecting to gateway-.goskope.com:443
2019/10/17 09:47:59.676 stAgentSvc p1334 t4c4c 4 restapi.cpp:80 restapi SSL resolve EDNS downloaded successfully
2019/10/17 09:47:59.679 stAgentSvc p1334 t4c4c 4 nsDnsResolver.cpp:179 dnsResolver Hostname gateway-.goskope.com resolved by EDNS
2019/10/17 09:47:59.680 stAgentSvc p1334 t4c4c 4 nsssl.cpp:1217 nsssl TLS remote host gateway-.goskope.com resolved to 8.36.116.35, port 443
2019/10/17 09:48:01.728 stAgentSvc p1334 t4c4c 4 tunnel.cpp:729 nsTunnel TLS SSL connected to the server: gateway-.goskope.com:443 successfully
POP selection using LDNS (fallback after the EDNS download times out)
2019/10/14 11:40:49.864 stAgentSvc p1244 t2980 2 nsHTTPClient.cpp:372 downloader curl_easy_perform failed, code 28, error Timeout was reached
2019/10/14 11:40:49.866 stAgentSvc p1244 t2980 2 restapi.cpp:75 restapi Failed to download SSL resolve EDNS, Error: -2
2019/10/14 11:40:49.871 stAgentSvc p1244 t2980 2 nsDnsResolver.cpp:204 dnsResolver Failed to resolve gateway-.goskope.com by EDNS
2019/10/14 11:40:49.874 stAgentSvc p1244 t2980 4 nsDnsResolver.cpp:47 dnsResolver Hostname gateway-.goskope.com resolved by LDNS
2019/10/14 11:40:49.875 stAgentSvc p1244 t2980 4 nsssl.cpp:1217 nsssl DTLS remote host gateway-.goskope.com resolved to 8.36.116.35, port 443
Example: traffic steered through Netskope
2019/10/18 20:28:21.148 stAgentSvc pfbc t296c 4 tunnel.cpp:618 nsTunnel TLS TsessId 1] Tunneling flow from addr: 10.173.13.40:53256, process: chrome.exe to host: www.box.com, addr: 107.152.27.197:443
Example: traffic bypassed from Netskope
2018/10/10 13:17:58.272225 stAgentSvc pf280 t4807 4 bypassAppMgr.cpp:371 BypassAppMgr bypassing flow to exception host: zoom.us, process: zoom.us
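To make the nsdebuglog checks above repeatable across many endpoints, here is an added example (my own script, not part of Netskope or of the original post) that parses the record format shown above and summarises how the gateway was resolved, which gateway IP was chosen, and which flows were steered or bypassed. The sample lines are constructed from the records quoted above, with gateway-example.goskope.com standing in for a real tenant hostname.

```python
import re
from collections import Counter

# Constructed sample nsdebuglog excerpt modelled on the records quoted above;
# the tenant hostname is a placeholder and these lines are not a real capture.
SAMPLE_LOG = """\
2019/10/14 11:40:49.871 stAgentSvc p1244 t2980 2 nsDnsResolver.cpp:204 dnsResolver Failed to resolve gateway-example.goskope.com by EDNS
2019/10/14 11:40:49.874 stAgentSvc p1244 t2980 4 nsDnsResolver.cpp:47 dnsResolver Hostname gateway-example.goskope.com resolved by LDNS
2019/10/17 09:47:59.679 stAgentSvc p1334 t4c4c 4 nsDnsResolver.cpp:179 dnsResolver Hostname gateway-example.goskope.com resolved by EDNS
2019/10/17 09:47:59.680 stAgentSvc p1334 t4c4c 4 nsssl.cpp:1217 nsssl TLS remote host gateway-example.goskope.com resolved to 8.36.116.35, port 443
2019/10/18 20:28:21.148 stAgentSvc pfbc t296c 4 tunnel.cpp:618 nsTunnel TLS Tunneling flow from addr: 10.173.13.40:53256, process: chrome.exe to host: www.box.com, addr: 107.152.27.197:443
2018/10/10 13:17:58.272225 stAgentSvc pf280 t4807 4 bypassAppMgr.cpp:371 BypassAppMgr bypassing flow to exception host: zoom.us, process: zoom.us
"""

# Record header: date time stAgentSvc pPID tTID level sourcefile:line module message
HEADER = re.compile(r"^(?P<ts>\S+ \S+) stAgentSvc p\w+ t\w+ (?P<level>\d) (?P<src>\S+) (?P<module>\S+) (?P<msg>.*)$")
RESOLVED_BY = re.compile(r"Hostname (\S+) resolved by (EDNS|LDNS)")
RESOLVED_TO = re.compile(r"remote host (\S+) resolved to ([\d.]+), port (\d+)")
EDNS_FAILED = re.compile(r"Failed to resolve (\S+) by EDNS")
STEERED = re.compile(r"Tunneling flow from addr: (\S+), process: (\S+) to host: (\S+), addr: (\S+)")
BYPASSED = re.compile(r"bypassing flow to exception host: (\S+), process: (\S+)")

def analyze_nsdebuglog(text):
    """Summarise POP selection and steering decisions found in nsdebuglog text."""
    summary = {"pop_methods": Counter(), "edns_failures": 0, "gateway_ips": set(),
               "steered": [], "bypassed": []}
    for line in text.splitlines():
        h = HEADER.match(line)
        if not h:
            continue  # continuation or non-record line; ignore it
        msg = h["msg"]
        if (m := RESOLVED_BY.search(msg)):
            summary["pop_methods"][m[2]] += 1          # EDNS or LDNS
        elif (m := RESOLVED_TO.search(msg)):
            summary["gateway_ips"].add(m[2])           # POP actually chosen
        elif EDNS_FAILED.search(msg):
            summary["edns_failures"] += 1
        elif (m := STEERED.search(msg)):
            summary["steered"].append((m[3], m[2], m[4]))   # (host, process, destination addr)
        elif (m := BYPASSED.search(msg)):
            summary["bypassed"].append((m[1], m[2]))        # (exception host, process)
    # Any LDNS resolution or EDNS failure means the DNS-over-HTTPS lookup did not succeed
    # on that network, exactly the fallback shown in the LDNS example above.
    summary["doh_fallback"] = summary["edns_failures"] > 0 or summary["pop_methods"]["LDNS"] > 0
    return summary

if __name__ == "__main__":
    print(analyze_nsdebuglog(SAMPLE_LOG))
```

Point it at the nsdebuglog file from the Save Logs bundle instead of SAMPLE_LOG; an unexpected gateway IP or a bypassed entry for an application you expected to be steered is the first thing to check against nsexception.json and nsbypass.json.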
nsbypass.json
============
The list of certificate-pinned applications in the steering configuration.
nsexception.json
================
The list of IP- and domain-based exceptions configured in the steering configuration.
Windows tenant config location: %PROGRAMDATA%/netskopestagent
Mac tenant config location: /Library/Application Support/Netskope/STAgent
Windows user config location: %APPDATA%/netskopestagent
Mac user config location: <Home Directory>/Library/Application Support/Netskope/STAgent
Thank you 🙂