Netskope Global Technical Success (GTS)
How to bypass a Destination IP from Netskope Client Steering
Netskope Cloud Version - 118
Objective
This document outlines the steps to bypass a destination IP from Netskope Client steering
Prerequisite
Netskope CASB Inline/SWG license is required
Context
There are scenarios where customer requirements dictate that traffic intended for specific IP addresses should not route over Netskope. This document provides a step-by-step guide on how to achieve this requirement.
Do You Know?
- What is Traffic Steering?
Traffic steering refers to the process of directing your network traffic to Netskope for inspection and policy enforcement. There are several methods for forwarding traffic to Netskope, including Tunnels (such as GRE or IPSec), Netskope Client, Explicit Proxy, and Proxy Chaining. Among these methods, Netskope Client is recommended for end-user traffic.
- What is a Steering Exception?
When utilizing Netskope Client as a traffic steering method, it's important to note the existence of a setting called "Steering Exception." This setting allows certain traffic to bypass forwarding to Netskope for policy enforcement. The Steering Exception setting is further categorized into:
a. Application
b. Source Location
c. Destination Location
d. Domain
e. Category
f. Certificate Pinned Application
g. DNS
h. Countries
Each steering category has its own parameters. For instance, under the categories "Domain," "Source Location," "Destination Location," "Certificate Pinned Application," and "DNS," all traffic will be routed directly to the destination without being steered to Netskope. Transaction logs will be stored locally on the end-user machine and cannot be routed to the Netskope Tenant.
Conversely, under the categories "Category" and "Countries," traffic will be directed to the Netskope Data Center, but policy enforcement will not be applied. Transaction logs will be stored locally on the end-user machine as well as on the Netskope Tenant.
Configuration
- For the purpose of this document, let's consider that the customer requirement is to route traffic for the below IP addresses directly to the destination -
141.193.213.21
141.193.213.20
Step 1: Create a Network Location
Path: Netskope Tenant UI >>> Policies >>> Profiles >>> Network Location >>> New Network Location >>> Single Object/Multiple Objects.
Single Objects - For manual entries
Multiple Objects - For CSV upload
Step 2: Add objects to the Network Location
To add a single object, provide an IP address, IP address range, or CIDR net-mask.
Step 3: Add the configured network location to the steering configuration exception.
Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Traffic Steering >>> Select Steering Profile >>> Exceptions >>> New Exception >>> Destination Locations
- Choose Destination Locations and add the Netskope Location we created above - netskope.com IP address
- Select Bypass option to bypass all the traffic for the destination location.
- Select Treat like local IP address to consider this traffic local so it never sends the traffic within the tunnel, like a private IP address in RFC 1918.
- Click the Add button to save the configuration.
Verification
- Generate traffic destined to IP addresses 141.193.213.20 and 141.193.213.21
- Netskope Client logs
Filename - nsdebuglog.log
2024/09/06 17:12:05.770235 stAgentNE p82087 t7207 info ExceptionMgr.cpp:854 ExceptiontMgr IP address : 141.193.213.21 is in IP address exception list
2024/09/06 17:12:05.770282 stAgentNE p82087 t7207 info bypassAppMgr.cpp:780 BypassAppMgr Bypassing connection to exception Dest IP: 141.193.213.21:80, host: 141.193.213.21, process: google chrome helper
Note - These Transaction logs will be stored locally on the end-user machine and cannot be routed to the Netskope Tenant.
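As an added verification aid (not part of the original article or a Netskope tool), the script below parses the client-side nsdebuglog.log "Bypassing connection to exception Dest IP" lines, resolves the Network Location objects from Step 2 (single IP, "start-end" range, or CIDR) into networks, and reports which bypasses are explained by the configured exception, which are not, and which configured entries produced no bypass during the test. The log lines are constructed from the two quoted above plus one extra line to show the negative case; the range syntax "start-end" is an assumption about how a practitioner would write an IP range, not Netskope's UI format.

```python
import ipaddress
import re

# Constructed sample of nsdebuglog.log lines: the two lines quoted in the Verification
# section, plus a constructed third line for a destination that is NOT in our location.
SAMPLE_LOG = """\
2024/09/06 17:12:05.770235 stAgentNE p82087 t7207 info ExceptionMgr.cpp:854 ExceptiontMgr IP address : 141.193.213.21 is in IP address exception list
2024/09/06 17:12:05.770282 stAgentNE p82087 t7207 info bypassAppMgr.cpp:780 BypassAppMgr Bypassing connection to exception Dest IP: 141.193.213.21:80, host: 141.193.213.21, process: google chrome helper
2024/09/06 17:12:06.100001 stAgentNE p82087 t7208 info bypassAppMgr.cpp:780 BypassAppMgr Bypassing connection to exception Dest IP: 203.0.113.9:443, host: 203.0.113.9, process: curl
"""

# Matches the IPv4 "Dest IP: a.b.c.d:port" field of a BypassAppMgr line.
BYPASS_RE = re.compile(
    r"Bypassing connection to exception Dest IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def parse_location_entry(entry: str) -> list:
    """Turn one Network Location object into a list of ip_network objects.

    Accepts a single IP ("141.193.213.21"), a CIDR ("192.0.2.0/24") or, as an
    assumed notation, a range written "start-end" ("10.0.0.1-10.0.0.4").
    """
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        # Expand the inclusive range into the minimal set of CIDR blocks.
        return list(ipaddress.summarize_address_range(start, end))
    # A bare IP becomes a /32 (or /128); strict=False tolerates host bits in a CIDR.
    return [ipaddress.ip_network(entry, strict=False)]


def bypassed_destinations(log_text: str) -> list:
    """Extract (ip, port) pairs that the client reported as bypassed."""
    return [(m["ip"], int(m["port"])) for m in BYPASS_RE.finditer(log_text)]


def audit_bypasses(log_text: str, location_entries: list) -> dict:
    """Compare observed bypasses against the configured Network Location.

    expected:    bypasses covered by the location (the steering exception worked)
    unexpected:  bypasses NOT covered by it (some other exception is in play; review it)
    unexercised: configured networks with no bypass seen (test traffic may be missing)
    """
    nets = [n for e in location_entries for n in parse_location_entry(e)]
    hits = bypassed_destinations(log_text)
    expected, unexpected = [], []
    for ip, port in hits:
        addr = ipaddress.ip_address(ip)
        (expected if any(addr in n for n in nets) else unexpected).append((ip, port))
    unexercised = [
        str(n) for n in nets
        if not any(ipaddress.ip_address(ip) in n for ip, _ in hits)
    ]
    return {"expected": expected, "unexpected": unexpected, "unexercised": unexercised}


if __name__ == "__main__":
    # The two addresses from the Configuration section of this article.
    report = audit_bypasses(SAMPLE_LOG, ["141.193.213.21", "141.193.213.20"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real nsdebuglog.log by reading the file into `audit_bypasses` in place of `SAMPLE_LOG`; a non-empty "unexercised" list means the test traffic to that address never reached the client's exception check, and a non-empty "unexpected" list means traffic is leaving the tunnel for reasons other than the Network Location under review, which is worth reconciling with the other exception categories listed in the "Do You Know?" section.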
Author Comments
- If the end goal is to bypass SSL decryption, then it's recommended to implement a No-SSL Decryption policy rather than including the destination IP in the steering exceptions. Visibility is crucial, and utilizing steering exceptions would result in complete loss of it. With a No-SSL Decryption policy, we can ensure that transactions are effectively recorded.
- If a website is not functioning properly when traffic is steered over Netskope, please contact the Netskope Customer Service team for assistance. It's important to avoid making any changes to steering exceptions and SSL decryption without recommendations from the Netskope Customer Service team.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.