Skip to main content
Question

Creating Subnet for NPA Access

  • January 10, 2025
  • 4 replies
  • 163 views
secproceo
Netskope Partner

Team,

 

Good morning, and Happy Friday!

 

I had a meeting with my server admins and network engineers. I was told they must access hundreds of servers through RDP and network gear, such as routers, switches, and administration consoles. In addition, smaller subnets /24s may be created. My plan is to make administration of NPA easier, I was going to add a /16 or /8 subnet range in my NPA configuration that includes all the above devices. I wanted to know if anyone had any issues or limitations with NPA using large subnets. The extensive subnet ranges will only be used for two groups. All other teams will have one-to-one NPA configuration.

 

Thanks again for your time and input.

    This topic has been closed for replies.

    4 replies

    elawaetz
    Forum|alt.badge.img+4
    • elawaetz
    • Explorer III
    • January 10, 2025

    If I understand you correctly, then you’ll create something like:

    App definitions:

    • RDP-SSH-APP 10.0.0.0/16 ports 22, 3389
    • Business-APP1 10.0.0.1/32 ports XX

    Policies: 

    • RDP-SSH-APP group Admins action Allow
    • Business-APP1 group BusApp1 action Allow

    The key here in my experience is not to have overlapping host+port definitions in App definitions, so XX=22 or XX=3389 above might cause issues in policy processing in NPA.

    From a ZTNA perspective you can argue, that building a 10.0.0.0/8 policy is hardly ZTNA, even if ports are locked down to administration tools, but I would expect it to work. We have played with /16 definitions without any issues.

    secproceo
    Netskope Partner
    • secproceo
    • Author
    • Netskope Partner
    • January 10, 2025

    Thanks for the reply. You are correct. The employees who support our infrastructure need access to the entire subnet for troubleshooting and building hundreds of servers and network devices.

    I planned to create the below configuration.

    APP1

    RDP-SSH-APP 10.0.0.0/8 - Admins action allowed - This will cover all server and network admins. I have 10 admins that will have access to this private app. 

    Ports - 22,3389 and any other ports that are needed. 

     

    APP2

    Business-APP (This will be configured separately) 

    This will be done as true ZTNA. The apps will be entered individually with IPs and hostnames. 

    Your thoughts?

     

     

    elawaetz
    Forum|alt.badge.img+4
    • elawaetz
    • Explorer III
    • January 13, 2025

    As long as you don’t have overlaps in TCP/UDP ports between RDP-SSH-APP and the Business-APPs, then I suspect it will work.

    From a policy perspective, it seems a bit lazy from your Admins, to just ask for 10.0.0.0/8 access.
    IMHO, this too should be narrowed down to the server and network administration subnets.
    This could be done with a script using API calls or a small Terraform file that maintains this, and if you build them as multiple apps and tag them all you can apply a bulk policy, such that no policy updates are required when you add/delete segments from that list.

    secproceo
    Netskope Partner
    • secproceo
    • Author
    • Netskope Partner
    • January 13, 2025

    Thanks for the update; excellent point.

    I will verify if the subnets are divided between servers and network administration. I think the same team members access both. This is due to having backup personnel. 

     

     

    Badges Winner

    Show all badges

    Not finding what you're looking for?

    Don't be shy and let us know about your challenge.

    Ask your question here!
    Terms & ConditionsCookie settingsAccessibility statement