SWG basic questions

  • 23 September 2022
  • 2 replies

Badge +1

Hi everyone, happy Friday/weekend!


I just have a couple of things that I wanted to ask and get answers. I've searched the documentation and have found no information regarding my question, though I might have used incorrect keywords

1. If I am steering all web traffic to Netskope, what happens to web traffic that did not hit any policy ? Does Netskope have implicit deny?

2. If I have Realtime Threat Protection policy below,

  • Source: Any
  • Destination: Any Categorized web traffic 
  • Activities and Constraints: Upload and Download
  • Profile and Action: Default Malware scan where all severities are just alerting with no Remediation Profile

what happens when a categorized site did not hit any severity? will it load the site or not?

I know these are basic questions and I appreciate you all for taking time in providing answers.

Thanks and have a great weekend!


2 replies

Badge +12

Hi @karltek,

Disclaimer: I'm new to netskope and these are my observations.

Q1 > Without SWG policies, traffic would be allowed with no action [just monitored]. NPA on other hand needs explicit allow. 


Q2 > For threat profile if any of the severities [low/med/high] are not macheted, default action is to not do anything. This can be changed to alert if desired.


Alert: Inspects the session and performs deep analytics but no action is taken. It will generate an alert under the Alert tab. The alert action allows the traffic.


ref > https://docs.netskope.com/en/inline-policies.html




Userlevel 5
Badge +16
  1. Siva's reponse is spot-on but I'll add a bit more context for the SWG traffic.   There is a hidden implied rule at the end of the policy that is an effective "Accept".  Looking at your traffic logs, you can identify these hits in events where the Policy Name is the null value.  Additionally, when traffic hits this rule, several other fields tend to log with null values also.  You can get around this by creating an explicit rule (you'll have to do All Categories, because it won't let you create a rule without any constraints) that replicates the action of the implied rule (accept).
  2. Here, I'll ask for a bit more clarification before lining up with the prior response.   You state that you are malware scanning the upload/download, but you then ask about the site's severity.  Are you referring to the CCI rating of the site rather than the scan of the file being transferred?