Netskope Global Technical Success (GTS)
Best Practices - Managing RealTime Policy Structure
Netskope Cloud Version - 124
Objective
How to manage Netskope real-time policies using best practices.
Prerequisite
SWG or Next Gen SWG License
Context
This knowledge base (KB) offers a comprehensive guide on how to effectively manage Netskope real-time policies, incorporating Netskope best practices. It provides valuable insights and recommendations to ensure optimal policy configuration, improved security posture, and efficient management within the Netskope environment.
Author Notes
- This document is intended for individuals with an intermediate level of knowledge of Netskope.
- Each customer has unique use cases and requirements. Please consider this knowledge base (KB) as a reference when managing the real-time policy structure. I’m confident you will find valuable insights from your reading.
- There are multiple ways to manage a real-time policy structure, but the one I’ve outlined in this knowledge base (KB) is, to my understanding, the best approach. I have tested this methodology with several customers and consistently found it to deliver satisfactory results.
- This methodology is based on Netskope's Realtime policy structure best practices, making it especially useful for customers who manage a large number of policies.
Note - It is recommended that all new policies be tested with test users first.
Details
- To ensure minimal risk and streamlined management of your Realtime Policy structure, it's essential to configure the policies according to best practices. Properly structuring your policy groups can reduce operational risks and make ongoing management more efficient for your organization.
Image 1
- By default, each Netskope Tenant comes with three policy groups:
- Header Policies
- Default Policies
- Footer Policies
- However, to improve your policy management and reduce potential risks, I recommend expanding the structure by creating additional policy groups with the following format:
Policy Group Number | Policy Group Name | Policy Number | Policy Name | Action | Profile | Description | Ref.
1 | Header | | | | | |
2 | Threat | 2.1 | [Threat] DOH - Global Block | Block | | Block DNS over HTTPS | Link
2 | Threat | 2.2 | [Threat] Patient Zero - Global Block | Block | Threat Protection Profile | Zero-day threat policy; License - Advanced Threat Protection | Link
2 | Threat | 2.3 | [Threat] Malware Protection Policy - Global Block | Block | Threat Protection Profile | Threat Protection malware protection policy; License - Standard Threat Protection | Link
2 | Threat | 2.4 | [Threat] Security Risk - Global Block | Block | | Block Security Risk destinations | Link
2 | Threat | 2.5 | [Threat] ITAR - Global Block | Block | | Block countries - International Traffic in Arms Regulations | Link
3 | RBI | 3.1 | [RBI] RBI Policy | Isolate | | License - RBI | Link
4 | Global Allowlist | 4.1 | [Cloud] IT Team Exceptional Access | Alert | | The IT team always has access to the tools that are not allowed for end-users |
4 | Global Allowlist | 4.2 | [Cloud] Executive User | Alert | | Executive users need open access to the Internet |
4 | Global Allowlist | 4.3 | [Web] Custom Allowlist - Global Allow | Alert | | Allow domains via Custom Web Categories |
5 | Global Blocklist | 5.1 | [Web] Online Ads - Global Block | Block | | Block Online Ads | Link
5 | Global Blocklist | 5.2 | [Web] Restricted Destinations - Global Block | Block | | Block web categories such as Gambling, Marijuana, Alcohol, Pornography, etc. |
5 | Global Blocklist | 5.3 | [Web] Custom Blacklist - Global Block | Block | | Block domains via Custom Web Categories |
6 | Webmail | | | | | Kindly review the section 'Detailed Overview Policy Group number 6 - Webmail' |
7 | Cloud Storage | | | | | Add all policies attached to Cloud Storage |
8 | Collaboration | | | | | Add all policies attached to Collaboration |
9 | Generative AI | | | | | Add all policies attached to Generative AI |
10 | Social Media | | | | | Add all policies attached to Social Media |
11 | Streaming Media | | | | | Add all policies attached to Streaming Media |
12 | Business Apps | | | | | Add all policies attached to Business Sanctioned Apps |
13 | Online File Converters | 13.1 | [Web] Sanctioned - Online File Converters - Global Allow | Alert | | Assuming that there is a business-approved online file converter | Link (follow Approach 2)
13 | Online File Converters | 13.2 | [Web] Online File Converters - Global Allow | Block | | Block all other Online File Converters |
14 | Web - General | | | | | Add policies attached to Web Categories |
15 | Firewall Policies | | | | | Add policies attached to Cloud Firewall; License - Cloud Firewall |
16 | NPA - Netskope Private Access | | | | | Add policies attached to NPA; License - NPA |
17 | Default | | | | | |
18 | Footer | | | | | |
- Detailed Overview Policy Group number 6 - Webmail
- Consider a customer named Netskope, whose sanctioned webmail application is Google Gmail. They will allow their end-users to access the Netskope instance of Google Gmail, but they also want to enable access to personal Google Gmail accounts. However, they need to restrict activities that could lead to data exfiltration.
- What kind of real-time policies should they implement to achieve this use case? Let's explore:
Policy Group Number | Policy Group Name | Policy Number | Policy Name | Action | Profile | Description | Ref.
6 | Webmail | 6.1 | | Block Or User Alert | DLP | An end-user is sending or uploading data that violates the DLP policy. | Image 3
6 | Webmail | 6.2 | [Cloud] Google Gmail Netskope Instance - Constraint Policy | Block Or User Alert | | An end-user is sending an email from the Google Gmail Netskope instance to an email address that belongs to *@gmail.com | Image 4
6 | Webmail | 6.3 | [Cloud_Ins] Google Gmail Netskope Instance | Allow Or Alert | | Create an access policy that allows end-users to use the Google Gmail Netskope instance | Image 5
6 | Webmail | 6.4 | | Block Or User Alert | | Activities 'Create, Edit, Attach, Send, Upload, Download' are blocked | Image 6
6 | Webmail | 6.5 | | Allow Or Alert | | CCI Tag Policy: mark Google Gmail as a Sanctioned Application in Netskope | Image 7
6 | Webmail | 6.6 | [Web] Unsanctioned Webmail Applications | Block | | CCI Tag Policy: block all Unsanctioned Webmail Applications | Image 8
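To see why the group order in the two tables above matters (Threat ahead of the Global Allowlist, the Allowlist ahead of the Global Blocklist, and the Netskope Gmail instance policies ahead of the personal-Gmail activity block), here is an added Python model of a subset of those policies. It is not Netskope code: it assumes top-down, first-match evaluation with an allow-by-default fallthrough to the Default group, uses constructed requests, and keeps only the KB's policy numbers (Header, RBI, DLP policy 6.1 and Footer are omitted).

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Policy:
    number: str                      # policy number from the KB tables
    action: str                      # Block / Alert / Allow
    match: Callable[[dict], bool]    # predicate over a request dict

def req(**kw):
    """Build a constructed request; unspecified fields get neutral defaults."""
    base = {"groups": set(), "category": "Business", "threat": None,
            "app": None, "instance": None, "activity": "Browse", "to": ""}
    base.update(kw)
    return base

def gmail(r, instance=None):
    return r["app"] == "Google Gmail" and (instance is None or r["instance"] == instance)

WRITE_ACTS = {"Create", "Edit", "Attach", "Send", "Upload", "Download"}

# Ordered policy groups, a subset of the KB layout (Header, RBI, DLP 6.1, Footer omitted).
GROUPS = [
    ("2 Threat", [Policy("2.3", "Block", lambda r: r["threat"] == "malware")]),
    ("4 Global Allowlist", [Policy("4.1", "Alert", lambda r: "IT" in r["groups"])]),
    ("5 Global Blocklist", [Policy("5.2", "Block",
        lambda r: r["category"] in {"Gambling", "Marijuana", "Alcohol", "Pornography"})]),
    ("6 Webmail", [
        # 6.2: the Netskope Gmail instance must not send mail to personal *@gmail.com addresses
        Policy("6.2", "Block", lambda r: gmail(r, "Netskope") and r["activity"] == "Send"
                               and r["to"].endswith("@gmail.com")),
        Policy("6.3", "Allow", lambda r: gmail(r, "Netskope")),
        # 6.4: any other (personal) Gmail instance may be browsed but not used to move data
        Policy("6.4", "Block", lambda r: gmail(r) and r["activity"] in WRITE_ACTS),
        Policy("6.5", "Allow", lambda r: gmail(r)),
    ]),
    # Assumption: traffic matching nothing above reaches the Default group and is allowed.
    ("17 Default", [Policy("17", "Allow", lambda r: True)]),
]

def evaluate(r):
    """Assumed model: top-down, first-match evaluation. Returns (policy number, action)."""
    for _group, policies in GROUPS:
        for p in policies:
            if p.match(r):
                return p.number, p.action
    return None, "Allow"

if __name__ == "__main__":
    print(evaluate(req(groups={"IT"}, category="Gambling")))  # ('4.1', 'Alert'): 4 wins over 5
```

Swap groups 4 and 5 in GROUPS and the IT team loses its exceptional access to Gambling, which is exactly the operational risk the recommended order avoids.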
- Snapshot - Policy Group number 6 - Webmail
Image 2
Image 3
Image 4
Image 5
Image 6
Image 7
Image 8
- You can create policy groups based on your business needs, which will help with policy management. However, it is not recommended to create a policy group for every pre-defined web category.
- Categories such as Webmail, Cloud Storage, Collaboration, Gen AI, and Social Media are more likely to be tied to one or more business use cases, so attaching policies to specific policy groups in these cases makes more sense.
Important
- Be very cautious when making changes or modifications to real-time policies in the production environment. It is recommended to add a new real-time policy with a few test users and monitor the results before applying it broadly.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.