
Netskope Global Technical Success (GTS)

Best Practices To Manage Guest Traffic Using Netskope

 

Netskope Cloud Version - 122

 

Objective

Handle guest users’ traffic transparently

 

Prerequisite 

A Netskope SWG license is required

 

Context

In this context we suggest steering Guest traffic to the Netskope Cloud Proxy through an IPsec/GRE tunnel. IPsec/GRE steering is used when the Netskope Client cannot be installed on the endpoints (see the related KB here).

One valid scenario is controlling and filtering Guest users’ traffic, such as Guest Wi-Fi networks; in this use case only the Guest Wi-Fi networks have to be pushed into the IPsec/GRE tunnel.

⚠️ In this use case, if the Decryption policies are not configured correctly, users can face one of the most typical SSL errors: the untrusted certificate!
This happens when the client’s OS or applications don’t trust the Netskope CA. Below are two examples of SSL errors:

Image 1


 

Image 2


 

To avoid these SSL errors we’ll disable decryption (web content inspection) for the Guest traffic and control it (with some limitations) by performing a URL lookup of the SNI (Server Name Indication) presented in the SSL transactions.


 

Limitations

As said above, disabling web content inspection introduces some limitations, in detail:

  • Unable to determine the Application Activity >>> We’ll have to work on the Browse activity only
  • Unable to inspect downloaded files (including malware files and business-sensitive files)
  • Unable to inspect uploaded files (including malware files and business-sensitive files)
  • Unable to inspect posted strings, comments, etc.
  • Unable to customize the User Alert page with a company logo or custom notice (users will receive a generic error, as shown later in the Test section)

 

Configuration

Step #1. Define a Network location on the “Netskope Tenant UI >>> Policies >>> Profiles >>> Network Location” menu to identify all Guest Networks

Image 3


Insert one or more Guest Networks in CIDR format, like below

Image 4


Assign a name to the Network Location, like below, and then Apply the changes

Image 5


 

Step #2. Define an SSL Decryption policy with the Do Not Decrypt (DND) action on the “Netskope Tenant UI >>> Policies >>> SSL Decryption” menu, using “Source IP” as the Source criteria like below, to disable inspection for the Guest traffic. This avoids introducing SSL errors for Guest clients that don’t trust the Netskope CA.

Image 6


 

Step #3. Define a Real-time Protection policy on the “Netskope Tenant UI >>> Policies >>> Real-time Protection” menu with “Source IP” as the source criteria and the categories that you’d like to Allow or Block

Image 7


 

Step #4. If you have the SAML Forward Proxy enabled, disable the authentication (authentication bypass) from the “Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Forward Proxy >>> SAML” menu, as shown below:

Image 8


 

Image 9


 

⚠️ RECOMMENDATIONS: Since there is no complete visibility of the web content (see the Limitations section above), we recommend the following:

  • Leave the “Activity” criteria empty in order to match all “Browse” activities (no Activity visibility, since inspection is disabled)
  • Block all “Security Risk” categories and the other commonly blocked categories such as “Adult”, “Drugs”, “Weapons”, etc.
  • Avoid granting access to the “File repositories”, “File converters”, “File/Software Download Sites” and “Chat, IM & other communication” categories to prevent any Data Loss incident
  • Allow only trusted categories which cannot introduce any Data Loss or Threat risk

 

Test

When a website is blocked the user will see a page like the one below. Without decryption enabled we can’t redirect the user to the classic blocking page.

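As an added illustration of the SNI-based control described in the Context, Recommendations and Test sections above (example code written for this article, not Netskope’s implementation): it parses the host_name from a TLS ClientHello, resolves its category by walking up the parent domains, and applies an allow-list policy. The category table, the allowed categories and the fail-closed handling of a missing SNI are assumptions of the example.

```python
import struct

# Constructed sample category table and allow-list (assumptions of this example, not Netskope data).
CATEGORY_DB = {"example.com": "Business", "malware-sample.test": "Security Risk",
               "downloads.example.net": "File/Software Download Sites"}
ALLOWED_CATEGORIES = {"Business"}   # "allow only trusted categories", everything else is blocked

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension (constructed test input)."""
    host = server_name.encode()
    names = struct.pack("!BH", 0, len(host)) + host                       # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(names) + 2, len(names)) + names  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                             # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                           # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name (str) from the ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                        # not a handshake / ClientHello
            return None
        pos = 9 + 2 + 32                                                  # headers, client_version, random
        pos += 1 + record[pos]                                            # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]               # cipher suites
        pos += 1 + record[pos]                                            # compression methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]          # end of the extensions block
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0 and ext_len >= 5:                            # list_len(2) name_type(1) name_len(2)
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        return None

def lookup_category(host: str) -> str:
    """Match the full host first, then each parent domain, as a URL category lookup resolves a name."""
    labels = host.lower().split(".")
    return next((CATEGORY_DB[".".join(labels[i:])] for i in range(len(labels))
                 if ".".join(labels[i:]) in CATEGORY_DB), "Uncategorized")

def decide(record: bytes) -> str:
    """Allow or block on the SNI alone; a block can only drop the session, no custom page can be served.
    Assumption of this example: a missing or malformed SNI fails closed for guest traffic."""
    host = extract_sni(record)
    return "allow" if host and lookup_category(host) in ALLOWED_CATEGORIES else "block"
```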

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.