If private app is configured with FQDNs of website properly, then traffic should be intercepted & tunneled via NPA and egress IP will be your datacenter public IP range.

Here in this case, the traffic looks to be steered via SWG tunnel of NS client, hence Netskope egress IP range(163.128.X.X) is used.

Kindly raise a support case with private app details and collect the NS client log bundle with inner pcap & outer pcap during replication.

Thanks for the update. I will raise a ticket. 

I want to confirm if everything is configured properly, the NPA tunnel traffic should show the local gateway IP, not the (163.128.x.x). Is that correct? 

Yes, if website traffic is steered via NPA, then egress IP should not be part of 163.128.X.X

I got it. Do I also need to add the website to a steering bypass so it does not steer traffic through SWG? I was always told NPA takes precedence over SWG. 

NPA traffic takes precedence over SWG traffic so no need to add steering bypass.

Interesting. That is what I thought as well. However, the website configured in NPA continued to give me the 163.128.x.x. address until I added the URL to the steering bypass. I now get the local gateway egress IP. This is exactly what I needed. 

This is resolved, however, is there a reason I had to bypass the site in the steering bypass? 

Thanks. 

This is now resolved. I was able to get the NPA configuration working. Thanks again for your time.