Netskope Global Technical Success (GTS)

KB - How to bypass a URL/Domain from Netskope Client Steering?

 

Netskope Cloud Version - 120

Objective

How to add a URL in Netskope Client Steering bypass?

 

Prerequisite

Netskope CASB Inline/SWG license is required

 

Context

Customers directing traffic through Netskope via the Netskope client may encounter situations where they need to bypass a URL or domain from the Netskope client. This document will outline the necessary steps to fulfil this requirement effectively.

 

Do you know?

  • What is Traffic Steering?

Traffic steering refers to the process of directing your network traffic to Netskope for inspection and policy enforcement. There are several methods for forwarding traffic to Netskope, including Tunnels (such as GRE or IPSec), Netskope Client, Explicit Proxy, and Proxy Chaining. Among these methods, Netskope Client is recommended for end-user traffic.

  • What is a Steering Exception?

When utilizing Netskope Client as a traffic steering method, it's important to note the existence of a setting called "Steering Exception." This setting allows certain traffic to bypass forwarding to Netskope for policy enforcement. The Steering Exception setting is further categorized into:

a. Application

b. Source Location

c. Destination Location

d. Domain

e. Category

f. Certificate Pinned Application

g. DNS

h. Countries

 

Each steering exception type has its own parameters. For instance, under the "Domain," "Source Location," "Destination Location," "Certificate Pinned Application," and "DNS" types, all traffic is routed directly to the destination without being steered to Netskope. Transaction logs are stored locally on the end-user machine and cannot be routed to the Netskope Tenant.

Conversely, under the categories "Category" and "Countries," traffic will be directed to the Netskope Data Center, but policy enforcement will not be applied. Transaction logs will be stored locally on the end-user machine as well as on the Netskope Tenant.

 

Configuration

To recreate the lab environment, we use the following:

Category - News & Media

Domain - www.bbc.com

 

Let's achieve the use-case via Domain Based Steering Exception

  • Step 1 - Go to the Steering Exception Configuration

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Traffic Steering >>> Select Steering Profile >>> Exceptions

Note

  1. It is recommended to include "NOTES" for tracking purposes. In the provided example, an internal ticket number was added for efficient tracking.
  2. When managing a list of 50+ domains, "NOTES" will help to track the purpose of adding steering exceptions.

 

  • Step 2 - Access www.bbc.com

 

Let's achieve the use-case via Category Based Steering Exception

  • Step 1 - Create a custom URL list

Path: Netskope Tenant UI >>> Policies >>> Profiles - - - Web >>> URL List >>> New URL List

 

  • Step 2 - Create a custom category

Path: Netskope Tenant UI >>> Policies >>> Profiles - - - Web >>> Custom Categories >>> New Custom Categories

 

  • Step 3 - Update the Steering Exception Configuration

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Traffic Steering >>> Select Steering Profile >>> Exceptions

  • Step 4 - Access www.bbc.com

 

Verification

Netskope client logs -

  • Domain Based Steering Exception

2024/04/09 09:58:17.714914 stAgentNE p88442 t3895 info bypassAppMgr.cpp:1399 BypassAppMgr bypassing flow to exception host: www.bbc.com, process: safari, Dest IP: 199.232.20.81, Dest Port: 443

  • Category Based Steering Exception

2024/04/09 09:51:42.074875 stAgentNE p88442 t18979 info tunnel.cpp:878 nsTunnel TLS [sessId 501] Tunneling flow from addr: 1.0.0.1:50286, process: safari to host: www.bbc.com, addr: 199.232.20.81:443 to nsProxy

Note: ‘nsProxy’ means that traffic for the domain is being steered to the Netskope PoP/DC.
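
An added example (not Netskope tooling or code from this article): a small Python parser for the two client log line formats shown above. It counts bypassed versus steered flows per host and lists bypassed hosts that are missing from a reviewed exception list. The third sample line, the `example.test` host and the approved list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines follow the formats shown above,
# the third is made up so that more than one host appears.
SAMPLE_LOG = """\
2024/04/09 09:58:17.714914 stAgentNE p88442 t3895 info bypassAppMgr.cpp:1399 BypassAppMgr bypassing flow to exception host: www.bbc.com, process: safari, Dest IP: 199.232.20.81, Dest Port: 443
2024/04/09 09:51:42.074875 stAgentNE p88442 t18979 info tunnel.cpp:878 nsTunnel TLS [sessId 501] Tunneling flow from addr: 1.0.0.1:50286, process: safari to host: www.bbc.com, addr: 199.232.20.81:443 to nsProxy
2024/04/09 10:02:03.000001 stAgentNE p88442 t3895 info bypassAppMgr.cpp:1399 BypassAppMgr bypassing flow to exception host: example.test, process: curl, Dest IP: 192.0.2.10, Dest Port: 443
"""

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
BYPASS_RE = re.compile(TS + r" .*?bypassing flow to exception host: (?P<host>[^,\s]+), "
                       r"process: (?P<proc>[^,\s]+), Dest IP: (?P<ip>[^,\s]+), Dest Port: (?P<port>\d+)")
TUNNEL_RE = re.compile(TS + r" .*?Tunneling flow from addr: \S+, process: (?P<proc>\S+) "
                       r"to host: (?P<host>[^,\s]+), addr: (?P<ip>[^:\s]+):(?P<port>\d+) to nsProxy")

def parse_line(line):
    """Return a flow record for a bypass or tunnel line, else None."""
    for action, rx in (("bypassed", BYPASS_RE), ("steered", TUNNEL_RE)):
        m = rx.match(line)
        if m:
            return {"action": action, **m.groupdict(), "port": int(m["port"])}
    return None

def summarize(log_text):
    """Count bypassed vs. steered flows per destination host."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["host"].lower(), rec["action"])] += 1
    return counts

def untracked_bypasses(log_text, approved_hosts):
    """Bypassed hosts not in the reviewed exception list (exact-match only)."""
    approved = {h.lower() for h in approved_hosts}
    seen = {host for (host, action) in summarize(log_text) if action == "bypassed"}
    return sorted(seen - approved)

if __name__ == "__main__":
    for (host, action), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:15} {action:9} {n}")
    # Hypothetical approved list, e.g. hosts whose exception NOTES carry a ticket.
    print(untracked_bypasses(SAMPLE_LOG, ["www.bbc.com"]))
```

Because domain-based exceptions leave no transaction logs on the tenant, the local client log is the only place these bypassed flows appear.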

 

Author Comments

  • If the end goal is to bypass SSL decryption, it is recommended to implement a No-SSL Decryption policy rather than including the domain/category in the steering exceptions. Visibility is crucial, and utilizing steering exceptions would result in complete loss of it. With a No-SSL Decryption policy, we can ensure that transactions are effectively recorded.
  • If a website is not functioning properly when traffic is steered over Netskope, please contact the Netskope Customer Service team for assistance. It's important to avoid making any changes to steering exceptions and SSL decryption without recommendations from the Netskope Customer Service team.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the default settings may be altered. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.