Netskope Global Technical Success (GTS)
Best Practices To Manage Guest Traffic Using Netskope
Netskope Cloud Version - 122
Objective
Handle guest users traffic transparently
Prerequisite
Netskope SWG license is required
Context
In this context we suggest steering Guest traffic to the Netskope Cloud Proxy through an IPsec/GRE tunnel. IPsec/GRE steering is used when the Netskope Client cannot be installed on the clients (see the related KB here).
One valid scenario is to control and filter the Guest users’ traffic, such as Guest Wifi networks; for this use case only the Guest Wifi networks have to be pushed into the IPsec/GRE tunnel.
In this use case, if the Decryption policies are not well configured, users can face one of the most typical SSL errors: the untrusted certificate.
This happens when the client’s OS or the applications don’t trust Netskope’s CA. Below are two examples of SSL errors:
Image 1
Image 2
To avoid these SSL errors we’ll disable decryption (Web content inspection) for the Guest traffic and control it (with some limitations) by performing a URL lookup of the SNI (Server Name Indication) on the SSL transactions.
Limitations
As said above, disabling web content inspection introduces some limitations, in detail:
- Unable to determine the Application Activity >>> We’ll have to work on the Browse activity only
- Unable to inspect downloaded files (including Malware files and Business-sensitive files)
- Unable to inspect uploaded files (including Malware files and Business-sensitive files)
- Unable to inspect posted strings, comments, etc.
- Unable to customize the User Alert page with a company logo or custom notice (Users will receive a generic error, as shown later in the Test section)
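As an added illustration (not from the article or from Netskope), the following Python shows what a proxy can and cannot decide without decryption: it parses the SNI out of a TLS ClientHello and applies a category allow-list to it. The host-to-category table is constructed and stands in for the real URL lookup; the URL path, activity and file content that the Limitations section lists as invisible never appear in the input.

```python
import struct

# Constructed category lookup standing in for the proxy's URL-category database (not Netskope data).
CATEGORY_BY_HOST = {
    "intranet.example.com": "Business",
    "files.example.net": "File repositories",
    "bad.example.org": "Security Risk",
}
# Allow-list, as the article recommends: only trusted categories pass, everything else is blocked.
ALLOWED_CATEGORIES = {"Business", "Education"}

def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension (constructed sample)."""
    name = host.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name                 # name_type=host_name, len, name
    sni_ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni      # ext type 0, ext len, list len
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                        # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                        # one cipher suite
            + b"\x01\x00"                                               # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)                # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
        p += 1 + record[p]                                   # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
        p += 1 + record[p]                                   # compression methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end <= len(record):
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if ext_type == 0:                                # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def decide(record: bytes) -> str:
    """Allow or block on the SNI's category alone: no URL path, activity or file content is visible."""
    sni = extract_sni(record)
    category = CATEGORY_BY_HOST.get(sni, "Uncategorized") if sni else "Unknown"
    return "allow" if category in ALLOWED_CATEGORIES else "block"
```

Because only the host name is available, a blocked file-sharing host is refused as a whole, while an allowed host's uploads and downloads pass unseen, which is exactly the trade-off listed above.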
Configuration
Step #1. Define a Network Location in the “Netskope Tenant UI >>> Policies >>> Profiles >>> Network Location” menu to identify all Guest Networks
Image 3
Insert one or more Guest Networks in CIDR format, like below
Image 4
Assign a name to the Network Location, like below, and then apply the changes
Image 5
Step #2. Define an SSL Decryption policy with the Do Not Decrypt (DND) action in the “Netskope Tenant UI >>> Policies >>> SSL Decryption” menu, using “Source IP” as the Source criteria, like below, to disable inspection for the Guest traffic. This avoids introducing SSL errors for Guest clients that don’t trust the Netskope CA.
Image 6
Step #3. Define a Real-time Protection policy in the “Netskope Tenant UI >>> Policies >>> Real-time Protection” menu with “Source IP” as the source criteria and the categories that you’d like to Allow or Block
Image 7
Step #4. If you have the SAML Forward Proxy enabled, disable authentication (authentication bypass) in the “Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Forward Proxy >>> SAML” menu, as shown below:
Image 8
Image 9
RECOMMENDATIONS: Since there is no complete visibility of the web content (see the Limitations section above), we recommend the following:
- Leave the “Activity” criteria empty in order to match all “Browse” activities (no Activity visibility, because inspection is disabled)
- Block all “Security Risk” categories and the other normally blocked categories like “Adult”, “Drugs”, “Weapons”, etc.
- Avoid granting access to the “File repositories”, “File converters”, “File/Software Download Sites” and “Chat, IM & other communication” categories, to prevent any Data Loss incident
- Allow only trusted categories which cannot introduce any Data Loss or Threat risk
Test
When a website is blocked the user will see a page like the one below. Without decryption enabled we can’t redirect the user to the classic blocking page.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.