Skip to main content
  • EN

AD_4nXdmT72oS07lYAtz5P-5-x0K_AJd7WUqkO8kjXha3oH3IreQq-FqW6ZH76fw4Dp8RXfvg20xtOEdod428ZcKDmq6n2IjwR7OkaFuWqZPLi4ftHkf2VTL0-R_2oSqjJHDnnvDeXmSGU_1NwnuwWK3XgyZVBv7?key=7SQpwa5Vv4lC7X7zw-ALwg

Netskope Global Technical Success (GTS)

Best Practices - Managing Access to Traffic Destined for High-Risk Countries

 

Netskope Cloud Version - 120

 

Objective

This document provides guidance on managing access to traffic destined for High-Risk countries using Netskope.

 

Prerequisite

Netskope CASB Inline/SWG license is required

 

Context

Certain organizations are required to block traffic to web servers hosted in countries classified as 'High-Risk.' These classifications can be determined by the organization's internal policies or mandated by regulations such as:

  • EAR (Export Administration Regulations)
  • OFAC (Office of Foreign Assets Control)
  • ITAR (International Traffic in Arms Regulations)

In this article, we'll share some best practices for using Netskope to control access to traffic destined for ITAR-restricted countries, helping you balance security and compliance.

 

Details

Three are different approaches a customer can consider for managing access to traffic destined for High-Risk countries.

 

Approach 1 - Block all traffic destined for High-Risk countries
Attached Use Case - The customer wants to block all traffic destined for High-Risk countries

Configuration - Create a Realtime Protection Policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access

  • Select the targeted Web Categories
  • Select the targeted Destination countries

Note: One recommended approach is to include all URL categories, both predefined and custom.

 

Sample Policy 1

AD_4nXd3Qqn0IqFEdADlk9POiCRSJ253dkBoCYqg54wRAnVmGRswWzRtJu7oaUggTKbBdh0bde6QohiXmyUUidFpWFwbRYPRSJ3bBUHVMllgU5Eim4V5Qqf9JJzta1jmI-Dz69xw2rGt3NKfyvEbvyom2JpynppN?key=7SQpwa5Vv4lC7X7zw-ALwg

 

___________________________________________________________________________________________________

 

Approach 2 - Apply activity restrictions to all traffic destined for High-Risk countries
Attached Use Case - The Customer does not want to restrict end-users from browsing traffic destined for High-Risk countries, but they do want to restrict certain activities.

Configuration - Create a Realtime Protection Policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy  >>> Web Access

  • Select the targeted Web Categories
  • Select the targeted Destination countries

Note: In the policy snapshot below, activities such as Download and Upload are blocked. Customers can select activities based on their specific business requirements.

 

Sample Policy 2

AD_4nXeLO-yJuw8YcySdsMJ6-eFixpTCQH2g2je_RWylHZnLvshyeSROWKPGGa7r9Z-grhetJDbI2xIpTsTa8hihv3mmRyqaJML8pN9Qd26EtpCr5NxHD_usZIKIZRxQtkPXrF5aDN_b62e0D6OcmeVyGx47pTA?key=7SQpwa5Vv4lC7X7zw-ALwg

___________________________________________________________________________________________________

 

Approach 3 - Allowed Access to selected web destinations in High-Risk countries.
Attached Use Case - A web destination hosted in a High-Risk country may require access due to a specific business use-case, despite the country's high-risk status.

Configuration - Create a Realtime Protection Policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access

  • To achieve this use-case we need to have 2 Real-time Protection Policies
  • 1st Policy - Refer Sample Policy 3
  • 2nd Policy - Refer Sample Policy 1
  1. Create a custom-web category for the web destination hosted in a High-Risk country
  2. For example, I have created a custom category specifically for the website https://moi.gov.af/en

 

Sample Policy 3

AD_4nXdHcg0gIs6tYgqr8HL7Ykzq5xicYG0r0wrYcR-04ay3kOUvdEshybDLPXhEQc10KRAAS-v6VXiyFYGgMPbmJgHHEtVmMvT6nB2yfCGtlTGq18seP_7WVGs3Ynws4jMf3QAjf3cEETF7-MNZfKOwgXeJ5J0?key=7SQpwa5Vv4lC7X7zw-ALwg

Policy Order

1st Policy - Refer Sample Policy 3

2nd Policy - Refer Sample Policy 1

 

Author Notes

  • Different customers have unique business use cases.
  • For instance, a customer in Africa may identify different High-Risk countries compared to a customer in the APAC region.
  • Before implementing a real-time policy to manage traffic to High-Risk countries, it is advisable to review the list of targeted countries carefully to ensure informed decision-making.
  • I highly recommend to review ‘Q/A Guide: Managing Access to Traffic Destined for High-Risk CountriesLink’ as well

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, should any changes to Netskope best practices come to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 

What to Read Next?

Q/A Guide: Managing Access to Traffic Destined for High-Risk Countries

 Link
All about - ‘WhatsApp’ Link
Netskope & Gen AI Link
Terms & ConditionsCookie settings