Netskope Global Technical Success (GTS)
Best Practices - Managing Access to Traffic Destined for High-Risk Countries
Netskope Cloud Version - 120
Objective
This document provides guidance on managing access to traffic destined for High-Risk countries using Netskope.
Prerequisite
Netskope CASB Inline/SWG license is required
Context
Certain organizations are required to block traffic to web servers hosted in countries classified as 'High-Risk.' These classifications can be determined by the organization's internal policies or mandated by regulations such as:
- EAR (Export Administration Regulations)
- OFAC (Office of Foreign Assets Control)
- ITAR (International Traffic in Arms Regulations)
In this article, we'll share some best practices for using Netskope to control access to traffic destined for ITAR-restricted countries, helping you balance security and compliance.
Details
There are three different approaches a customer can consider for managing access to traffic destined for High-Risk countries.
Approach 1 - Block all traffic destined for High-Risk countries
Attached Use Case - The customer wants to block all traffic destined for High-Risk countries
Configuration - Create a Real-time Protection Policy
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access
- Select the targeted Web Categories
- Select the targeted Destination countries
Note: One recommended approach is to include all URL categories, both predefined and custom.
Sample Policy 1
___________________________________________________________________________________________________
Approach 2 - Apply activity restrictions to all traffic destined for High-Risk countries
Attached Use Case - The customer does not want to restrict end-users from browsing traffic destined for High-Risk countries, but they do want to restrict certain activities.
Configuration - Create a Real-time Protection Policy
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access
- Select the targeted Web Categories
- Select the targeted Destination countries
Note: In the policy snapshot below, activities such as Download and Upload are blocked. Customers can select activities based on their specific business requirements.
Sample Policy 2
___________________________________________________________________________________________________
Approach 3 - Allow access to selected web destinations in High-Risk countries
Attached Use Case - A web destination hosted in a High-Risk country may require access due to a specific business use-case, despite the country's high-risk status.
Configuration - Create a Real-time Protection Policy
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy >>> Web Access
- To achieve this use case, two Real-time Protection Policies are needed:
  - 1st Policy - Refer to Sample Policy 3
  - 2nd Policy - Refer to Sample Policy 1
- Create a custom web category for the web destination hosted in a High-Risk country
  - For example, I have created a custom category specifically for the website https://moi.gov.af/en
Sample Policy 3
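Policy Order
Sample Policy 3 (the allow policy for the custom category) must sit above Sample Policy 1 (the block policy), so that the allowed destination is matched before the block applies.
1st Policy - Refer to Sample Policy 3
2nd Policy - Refer to Sample Policy 1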
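The policy order above can be sanity-checked with a small first-match model before it is built in the tenant. This is an added example, not Netskope code or a Netskope API: it assumes top-down, first-match evaluation with traffic allowed when no policy matches, and the one-country list, the category name `Custom - Approved Site` and the `Browse` activity are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: the policy does not restrict this field
FIELDS = ("category", "country", "activity")

@dataclass(frozen=True)
class Policy:
    name: str
    action: str                           # "allow" or "block"
    category: Optional[frozenset] = ANY   # URL categories
    country: Optional[frozenset] = ANY    # destination countries
    activity: Optional[frozenset] = ANY   # e.g. Upload, Download

    def matches(self, req: dict) -> bool:
        return all(getattr(self, f) is ANY or req[f] in getattr(self, f)
                   for f in FIELDS)

def evaluate(policies, req, default="allow"):
    """Top-down, first match wins (assumed model). Returns (action, policy name)."""
    for p in policies:
        if p.matches(req):
            return p.action, p.name
    return default, "no policy matched"

def covers(earlier: Policy, later: Policy) -> bool:
    """True if every request that matches `later` also matches `earlier`."""
    for f in FIELDS:
        e, s = getattr(earlier, f), getattr(later, f)
        if e is not ANY and (s is ANY or not s <= e):
            return False
    return True

def shadowed(policies):
    """(shadowed policy, shadowing policy) pairs with conflicting actions."""
    return [(later.name, earlier.name)
            for i, later in enumerate(policies)
            for earlier in policies[:i]
            if earlier.action != later.action and covers(earlier, later)]

# Constructed sample values modelled on the three sample policies.
HIGH_RISK = frozenset({"AF"})
BLOCK_ALL = Policy("Sample Policy 1", "block", country=HIGH_RISK)
BLOCK_XFER = Policy("Sample Policy 2", "block", country=HIGH_RISK,
                    activity=frozenset({"Upload", "Download"}))
ALLOW_SITE = Policy("Sample Policy 3", "allow", country=HIGH_RISK,
                    category=frozenset({"Custom - Approved Site"}))

if __name__ == "__main__":
    req = {"category": "Custom - Approved Site", "country": "AF", "activity": "Browse"}
    for order in ([ALLOW_SITE, BLOCK_ALL], [BLOCK_ALL, ALLOW_SITE]):
        print([p.name for p in order], evaluate(order, req), shadowed(order))
```

With the order reversed, `shadowed` reports Sample Policy 3 as unreachable behind Sample Policy 1, which is the misconfiguration the Policy Order section guards against.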
Author Notes
- Different customers have unique business use cases.
- For instance, a customer in Africa may identify different High-Risk countries compared to a customer in the APAC region.
- Before implementing a real-time policy to manage traffic to High-Risk countries, it is advisable to review the list of targeted countries carefully to ensure informed decision-making.
- I highly recommend reviewing 'Q/A Guide: Managing Access to Traffic Destined for High-Risk Countries' as well.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, should any changes to Netskope best practices come to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.