How to enable “Periodic Validation on Device Classification” for NG-SWG

  • 7 February 2023
  • 2 replies
  • 239 views

Badge +12

Summary

With release R99 Netskope introduced a new feature “Periodic Validation on Device Classification” which is very important to enforce Zero Trust principles. Before that release, Device Classification of the client was only accomplished, when client service was started. With the new feature a validation interval can be configured for more frequent device posture checks.

Requirements:

  • NS Client version R99 or later is required.
  • Please contact your Customer Success Manager, Netskope Support or your Account Team to get this feature enabled. 
  • Today this feature is disabled by default!

 

Tenant Configuration

Device Classification Profile

The “Device Classification Profile” is a policy about a single or multiple checks, whether a device is compliant or not. This part of the configuration has not changed and will not be covered in detail in this post. Here is the link to public documentation.

For testing on Windows a simple profile can be created to check if “notepad.exe” is running (managed) or not (unmanaged).

 

Client Configurations

If the feature is enabled in the Netskope tenant,  a new UI option in the client configuration menu under “Settings - Security Cloud Platform - Devices - Client Configurations”. Under the first tab “Traffic Steering” there is a new checkbox “Periodic Validation on Device Classification”. When enabled the administrator can configure a validation interval between 5-120 minutes.



 

For testing the lowest value of 5 minutes is recommended. If the interval is set below 30 minutes a warning message about device performance is displayed.

Real-time Policy

For testing a simple block policy for the category “Cloud Storage” is used with the source attribute “Device Classifications = Unmanaged”:

 

 

How to test this feature

First verify that the client configuration is up-to-date: Right click on the NSClient icon - Configuration. The new feature will also change the client configuration and therefore the client configuration should be updated.

 

With R99 there is also a new flag for “nsdiag.exe”. The flag “--check-dc” triggers the client to evaluate the device classification policy instantly. With that trick you do not have to wait until the re-evaluation is triggered by the validation interval. “nsdiag.exe” is located for 

  • Windows in “C:Program Files (x86)NetskopeSTAgent”
  • MacOS in "/Library/Application Support/Netskope/STAgent”
  • Linux in “/opt/netskope/stagent”

 

In addition I recommend monitoring the nsdebuglog.log for device classification status changes. Here are sample commands for the different platforms.

  • Windows Powershell
    • get-content c:userspublic etskope sdebuglog.log -tail 5 -wait | select-string "managed"
  • MacOS
    • tail -f /Library/Logs/Netskope/nsdebuglog.log | grep managed
  • Linux
    • tail -f /opt/netskope/stagent/log/nsdebuglog.log | grep managed

 

The device status is also instantly reflected in the UI under “Settings - Security Cloud Platform - Devices” in the details page of a device.

 

 

Demo Workflow for Windows:

 

  • Notepad.exe is not running
  • Device is “unmanaged”
  • Access to Cloud Storage services is blocked
  • Start Notepad.exe
  • Run “> nsdiag.exe --check-dc” or wait for the periodic validation
  • Device status will change to “managed”
  • Access to Cloud Storage services is immediately allowed

 


2 replies

Userlevel 2
Badge +13

We're looking to leverage this to deny NPA for unmanaged devices (similar to a host checker policy for a VPN). We have roughly 200+ private apps for the organization. How can we implement this without manually selected all of these private apps OR ensure the newly created private apps are added to this policy. 

Badge +12

Hi @AlfaBane , device classification is not bound to an app itself, but to a policy. Not sure how you have structured your NPA policy, but I assume you do not have for every app a dedicated policy.

Reply