Netskope Global Technical Success (GTS)
Netskope Best Practices – SSL Decryption of Web Category: Finance/Accounting
Netskope Cloud Version - 128
Objective
To discuss Netskope best practices for SSL decryption as it relates to destinations categorized under Web Category: Finance/Accounting.
Context
Several customers have requested to perform SSL decryption on traffic destined for websites categorized under the Web Category: Finance/Accounting. This document aims to outline Netskope best practices for handling SSL decryption of destinations mapped to this category.
Prerequisite
Netskope SWG or Next-Gen SWG license
Do You Know?
- As of August 4, 2025, Netskope provides a predefined web category for Finance/Accounting.
- By default, this category is bypassed from Netskope Client Steering configurations.
Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Steering configuration >>> Select the steering configuration >>> Exceptions
Note - Although the Netskope Client routes traffic for any destination categorized under Finance/Accounting to the Netskope Data Center, no real-time policies are enforced on this traffic. Netskope performs NAT and forwards the traffic directly to its intended destination. This allows Netskope engines to log traffic details and helps administrators understand how much traffic is received for destinations that are part of the bypass.
Details
- Netskope has added Finance/Accounting traffic to the bypass list because decrypting such financial data can violate compliance regulations or privacy laws, or introduce significant security and trust risks.
- Regulations like PCI-DSS, GLBA, and GDPR may prohibit or restrict intercepting encrypted data related to banking, credit card processing, or personally identifiable information (PII). Decrypting such traffic could:
a. Violate financial data protection laws
b. Expose sensitive data (bank accounts, credit card numbers, SSNs)
- Many banking and finance sites use mutual TLS (mTLS) or certificate pinning to prevent tampering. SSL decryption breaks the certificate chain and often causes:
a. Application errors or crashes
b. Inability to access services
Note - Netskope recommends that customers review the entries that may exist by default in the Steering exceptions and take appropriate action according to their organization's policy. If the organization's policy permits decrypting Finance/Accounting traffic, the bypass can be removed, and SSL decryption will then be enabled automatically.
Notes-to-Remember
- Each country has its own cybersecurity laws. For example, decrypting Finance/Accounting traffic may be prohibited in Country A but allowed in Country B. Therefore, it’s important to be certain before deciding how to handle Finance/Accounting traffic.
- If your country permits decrypting Finance/Accounting traffic, ensure that end-users are informed that traffic to such destinations will be decrypted. Additionally, advise them to avoid using their corporate devices for personal financial activities.
- If a business application falls under the Finance/Accounting category and SSL decryption is required only for this application, this can be achieved by creating a custom web category. For the detailed steps, see: Traffic Steering for Domains within Exempted Categories
- For customers planning to remove Finance/Accounting from the steering exceptions, it is recommended to first create a new steering configuration for a test group of 50–100 users. Monitor and validate the impact over a period of a few weeks. If no issues are reported during this period, the exception can then be safely removed from the steering configuration for the wider user base.
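One way to validate pilot impact as described above, shown as an added example that is not Netskope code: the script compares TLS error rates for Finance/Accounting destinations between decrypted pilot sessions and sessions still on the bypass, and lists the domains that fail mainly under decryption, as applications using certificate pinning or mTLS would. The CSV columns, sample rows and function name are constructed assumptions, not a Netskope export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are hypothetical, not a Netskope schema.
# decrypted=yes rows come from the pilot steering configuration; decrypted=no
# rows come from users still on the default Finance/Accounting bypass.
SAMPLE_CSV = """user,domain,category,decrypted,tls_error
alice,bank.example,Finance/Accounting,yes,handshake_failure
bob,bank.example,Finance/Accounting,yes,handshake_failure
alice,bank.example,Finance/Accounting,yes,unknown_ca
carol,bank.example,Finance/Accounting,no,
dave,bank.example,Finance/Accounting,no,
alice,payroll.example,Finance/Accounting,yes,
bob,payroll.example,Finance/Accounting,yes,
carol,payroll.example,Finance/Accounting,no,
alice,ledger.example,Finance/Accounting,yes,timeout
bob,ledger.example,Finance/Accounting,yes,
carol,ledger.example,Finance/Accounting,no,timeout
dave,ledger.example,Finance/Accounting,no,
bob,news.example,News,yes,unknown_ca
"""

def decryption_breakage(csv_text, min_sessions=2, min_delta=0.5):
    """Return {domain: delta}; delta = pilot error rate minus bypass error rate."""
    # domain -> {"yes": [sessions, errors], "no": [sessions, errors]}
    stats = defaultdict(lambda: {"yes": [0, 0], "no": [0, 0]})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["category"] != "Finance/Accounting" or row["decrypted"] not in ("yes", "no"):
            continue
        bucket = stats[row["domain"].strip().lower()][row["decrypted"]]
        bucket[0] += 1
        bucket[1] += 1 if row["tls_error"].strip() else 0
    flagged = {}
    for domain, s in sorted(stats.items()):
        (p_n, p_err), (b_n, b_err) = s["yes"], s["no"]
        if p_n < min_sessions:
            continue  # too little pilot traffic to judge this domain
        bypass_rate = b_err / b_n if b_n else 0.0
        delta = p_err / p_n - bypass_rate
        if delta >= min_delta:
            flagged[domain] = round(delta, 2)
    return flagged

if __name__ == "__main__":
    for domain, delta in decryption_breakage(SAMPLE_CSV).items():
        print(f"{domain}: error rate rises by {delta:.0%} under decryption; review before wider rollout")
```

Comparing against the bypassed sessions keeps a destination that is unreliable for everyone (ledger.example in the sample) from being attributed to decryption.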
Note -
- Netskope only stores metadata of user transactions, such as user email, destination URL, activities performed by the end-user, and so on. No actual data is stored in ROM.
- Netskope adheres to industry standards to ensure that no sensitive data is stored.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.