Netskope Global Technical Success (GTS)
How to add a Source IP in Netskope Client Steering bypass
Netskope Cloud Version - 118
Objective
This document outlines the steps to exclude traffic originating from a specific source IP from Netskope Client steering.
Prerequisite
A Netskope CASB Inline/SWG license is required.
Context
There are scenarios where customer requirements dictate that traffic from specific LAN/IP addresses should not route over Netskope. This document provides a step-by-step guide on how to achieve this requirement.
Do You Know?
- What is Traffic Steering?
Traffic steering refers to the process of directing your network traffic to Netskope for inspection and policy enforcement. There are several methods for forwarding traffic to Netskope, including Tunnels (such as GRE or IPSec), Netskope Client, Explicit Proxy, and Proxy Chaining. Among these methods, Netskope Client is recommended for end-user traffic.
- What is a Steering Exception?
When utilizing Netskope Client as a traffic steering method, it's important to note the existence of a setting called "Steering Exception." This setting allows certain traffic to bypass forwarding to Netskope for policy enforcement. The Steering Exception setting is further categorized into:
a. Application
b. Source Location
c. Destination Location
d. Domain
e. Category
f. Certificate Pinned Application
g. DNS
h. Countries
Each steering category has its own parameters. For instance, under the categories "Domain," "Source Location," "Destination Location," "Certificate Pinned Application," and "DNS," all traffic will be directly routed to the destination without being steered to Netskope. Transaction logs will be stored locally on the end-user machine and cannot be routed to the Netskope Tenant.
Conversely, under the categories "Category" and "Countries," traffic will be directed to the Netskope Data Center, but policy enforcement will not be applied. Transaction logs will be stored locally on the end-user machine as well as on the Netskope Tenant.
Configuration
- For the purpose of this document, let's assume that the customer wants traffic from the IP address below to route directly to the internet:
192.168.1.231
Step 1: Create a Network Location
Path: Netskope Tenant UI >>> Policies >>> Profiles >>> Network Location >>> New Network Location >>> Single Object/Multiple Objects.
Single Object - For manual entries
Multiple Objects - For CSV upload
Step 2: Create a Network Location
To add a single object, provide an IP address, IP address range, or CIDR net-mask.
Step 3: Add the configured network location to the steering configuration exception.
Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Traffic Steering >>> Select Steering Profile >>> Exceptions >>> New Exception >>> Source Locations
- Click the Add button to save the configuration.
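Because traffic matching a Source Location exception is not steered and its transaction logs never reach the tenant, it is worth checking how many addresses each entry from Step 2 actually covers before saving it. The following Python check is an added example, not Netskope tooling; the `low-high` dash syntax for ranges, the function names and the sample entries are assumptions of this example.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) address covered by one network-location entry."""
    entry = entry.strip()
    if "-" in entry:  # range; the "low-high" dash syntax is an assumption here
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry}")
        return lo, hi
    if "/" in entry:  # CIDR; strict=True rejects host bits, e.g. 192.168.1.231/24
        net = ipaddress.ip_network(entry, strict=True)
        return net[0], net[-1]
    addr = ipaddress.ip_address(entry)  # single IP
    return addr, addr

def audit(entries, intended_hosts):
    """Per entry: addresses bypassed, intended hosts covered, unintended extras."""
    intended = [ipaddress.ip_address(h) for h in intended_hosts]
    report = {}
    for entry in entries:
        try:
            lo, hi = parse_entry(entry)
        except ValueError as exc:
            # Malformed entries are reported instead of being silently skipped.
            report[entry] = {"error": str(exc)}
            continue
        size = int(hi) - int(lo) + 1
        covered = [str(h) for h in intended
                   if h.version == lo.version and lo <= h <= hi]
        # "extra" = addresses that would bypass steering but were never intended to.
        report[entry] = {"size": size, "covers": covered, "extra": size - len(covered)}
    return report

# Constructed sample entries; 192.168.1.231 is the host used in this document.
SAMPLE_ENTRIES = [
    "192.168.1.231",                # exactly the intended host
    "192.168.1.0/24",               # whole subnet: 255 unintended addresses
    "192.168.1.200-192.168.1.240",  # range (assumed syntax)
    "192.168.1.231/24",             # typo: host bits set in a CIDR
    "10.0.0.0/8",                   # wrong network, very broad
]

if __name__ == "__main__":
    for entry, result in audit(SAMPLE_ENTRIES, ["192.168.1.231"]).items():
        print(f"{entry:30} {result}")
```

An entry with `extra` greater than 0 bypasses more hosts than intended, and an entry with an empty `covers` list does not bypass the intended host at all.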
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.