Solved

Netskope IPSec/GRE Tunnel Deployment and Validation Guidance

  • 7 April 2023
  • 1 reply
  • 249 views

Badge +7

Netskope Secure Web Gateway provides next generation secure web gateway (NG SWG) capabilities to prevent malware, detect advanced threats, filter websites by category, protect data, enable remote browser isolation, and control apps and cloud services for any user, location, or device. Netskope offers multiple traffic steering options to steer traffic to the Netskope Cloud:

  • Netskope Client
  • IPSec
  • GRE
  • Explicit Proxy
  • Proxy Chaining

For customers that want to leverage IPSec tunnels to steer traffic to the Netskope Cloud, Netskope strongly recommends the following: 

  1. Configure IPSec tunnels from the supported router/firewall to two different Netskope POPs (primary and backup). If the customer has multiple routers/firewalls then each should be configured with primary and backup Netskope POPs. 
  2. Configure tunnel monitoring by referring to the router/firewall configuration manual.
  3. Configure failover to backup tunnels to ensure minimal interruption in the event of primary tunnel failure. 
  4. Follow other best practices as documented in Netskope knowledge portal for IPSec
  5. Periodically validate backup tunnels are configured and working as expected. Depending on how many source devices are used for originating tunnels, there may be multiple scenarios to consider for validating backup tunnels. 
    1. Primary and Backup Tunnels from the same router/firewall - Validate backup tunnel by routing traffic through it and confirm connectivity.  
    2. A set of primary and backup tunnels configured on more than one router/firewall - Validate traffic by routing traffic through backup tunnels configured on backup router/firewall and confirm connectivity.

For customers that want to leverage GRE tunnels to steer traffic to the Netskope Cloud, Netskope strongly recommends the following: 

  1. Configure GRE tunnels from the supported router/firewall to two different Netskope POPs (primary and backup) per source peer (IP). With GRE, either the primary or backup tunnel per source peer is active at a time. 
  2. Configure tunnel monitoring by referring to the router/firewall configuration manual.
  3. Configure failover to backup tunnels to ensure minimal interruption in the event of primary tunnel failure. 
  4. Follow other best practices as documented in Netskope knowledge portal for GRE
  5. Periodically validate backup tunnels are configured and working as expected. This validation may require a change window to ensure minimal interruption. Depending on how many source devices and source peers (egress IPs) are used for originating tunnels, there may be multiple scenarios to consider for validating backup tunnels. 
    1. Primary and Backup Tunnels from the same router/firewall per source peer - Validate backup tunnel by bringing the primary tunnel down and validating connectivity.   
    2. A set of primary and backup tunnels configured per source peer on more than one router/firewall (primary and backup)
      1. Validate traffic by bringing down the primary tunnel on the primary router/firewall and confirm connectivity using the backup tunnel. 
      2. Validate traffic by bringing down the primary and backup tunnels on the primary router/firewall and confirm connectivity using the primary tunnel configured on the backup router/firewall. 
      3. Validate traffic by bringing down the primary and backup tunnels on the primary router/firewall, primary tunnel on the backup router/firewall, and confirm connectivity using the primary tunnel configured on the backup router/firewall.
icon

Best answer by MM_NS 25 July 2023, 15:41

View original

1 reply

Userlevel 3
Badge +13

Deploying tunnels along with Netskope Client? Here is another related article that can help with the deployment of tunnels.

 

https://community.netskope.com/t5/Next-Gen-Secure-Web-Gateway-SWG/Netskope-Client-and-Network-Tunnels-co-existence-How-to-leverage/td-p/3291

Reply