Solved

Sites with self-signed certificates - apply exceptions, not global

  • 5 April 2023
  • 6 replies
  • 1046 views

Userlevel 4
Badge +11

Good afternoon, thank you for your time and good vibes.


I have the following situation:


We know that by default, at the global level, Netskope blocks sites with self-signed certificates.
In certain cases there are sites we would call "known" and somewhat controlled, such as VPN access portals, sites or systems with self-signed certificates, etc.


Now the idea is not to apply it globally, but by means of exceptions, so as not to allow all sites with self-signed certificates, but only some, based on need and demand.


Then I tried to apply a web policy with the action Bypass, and it did not work; it still shows the blocking of sites with self-signed certificates. As I did not intend to allow it globally, I added an SSL decryption policy that does not decrypt a custom web category containing these sites, to omit or bypass the blocking. Well, this worked, but I feel that with this we lose visibility and inspection of these sites. Therefore, please clarify what Netskope's position, recommendation and procedure is for applying this type of exception for sites with self-signed certificates, without the need to adjust the global bypass that would apply to all, but in a controlled and specific way.


I remain attentive


Thank you


Best regards

Best answer by rclavero 12 April 2023, 10:19

6 replies

Badge +10

Hi,

This legacy Real-time policy action called "Bypass" was designed to bypass regular traffic BUT not log the traffic. So in general terms it helps with chatty or noisy protocols.

The SSL error handling isn't included in this action because it triggers a different mechanism. 

Regarding the lack of visibility: it is expected when there are no SSL decryption policies in place, and this also applies to exception policies.

There's a possible workaround I didn't test that some partners have used as an exception, consisting of creating a cert-pinned application exception. The local processes are all the browser processes, and the domain matches ONLY the domain using the self-signed certificate. The action should be bypass + tunnel; this way it can potentially ignore the SSL error handling process.

As a last resort you can turn on the general acceptance of self-signed certificates and protect the users with Real-time policies.

Userlevel 4
Badge +11

Hello @rclavero , thank you for your reply.

 

So what is the best way, practically and as best practice, to make exceptions of this type: with a cert-pinned app or by creating a no-decrypt SSL policy as I did? According to Netskope, what is the best practice?

thanks

 

I look forward to your comments

 

Best regards

Badge +10

Hi MetgatzNK,

The best practice is to create a "don't SSL decrypt" rule to handle this kind of situation. If you use a URL list to create a custom category, then you can log the traffic even if you cannot decrypt it and see the content.

Please enable the logging option for the bypassed traffic under Steering Configuration (Security Cloud Platform).

Hth, 

Badge +10

Please ignore the last statement because it applies to steering exceptions, not to SSL decryption policies.

Userlevel 4
Badge +11

Hello @rclavero , good afternoon, thank you for your reply.

 

I already commented that I do not want to apply it globally for all self-signed certificates, which by default it blocks.

 

When I create an SSL decrypt exception for known self-signed sites, I managed to configure the exception to the blocking of self-signed certificates, with a URL category and the use of SSL decrypt, with the non-decrypt action.

 

So, in conclusion, what is the best way, the best practice, to set exceptions for sites with self-signed certificates? What is the correct way to apply these exceptions according to Netskope?

 

I remain attentive

 

Best regards

Badge +10

Hi, the best practice if you don't want to accept self-signed certificates globally is the procedure you followed.