
Netskope Global Technical Success (GTS)

Traffic Steering for Domains within Exempted Categories

 

Netskope Cloud Version - 123

Objective

Steering Traffic for a Domain within an Exempted Category

 

Prerequisite

Netskope CASB Inline/SWG license is required

 

Context

By default, certain categories are exempted from traffic steering, such as Finance/Accounting, Streaming & Downloadable Audio, Streaming & Downloadable Video, Internet Telephony, and others. The customer wishes to steer traffic for a domain categorized under Finance/Accounting. They specifically request that traffic directed to this domain be routed through Netskope, while maintaining the default steering bypass for all other traffic within the Finance/Accounting category.

 

Did you know?

  • What is Traffic Steering?

Traffic steering refers to the process of directing your network traffic to Netskope for inspection and policy enforcement. There are several methods for forwarding traffic to Netskope, including Tunnels (such as GRE or IPSec), Netskope Client, Explicit Proxy, and Proxy Chaining. Among these methods, Netskope Client is recommended for end-user traffic.

 

  • What is a Steering Exception?

When utilizing Netskope Client as a traffic steering method, it's important to note the existence of a setting called "Steering Exception." This setting allows certain traffic to bypass forwarding to Netskope for policy enforcement. The Steering Exception setting is further categorized into:

a. Application

b. Source Location

c. Destination Location

d. Domain

e. Category

f. Certificate Pinned Application

g. DNS

h. Countries

 

Each exception type behaves differently. For the "Domain," "Source Location," "Destination Location," "Certificate Pinned Application," and "DNS" types, all traffic is routed directly to the destination without being steered to Netskope. Transaction logs are stored locally on the end-user machine and cannot be routed to the Netskope Tenant.

Conversely, under the categories "Category" and "Countries," traffic will be directed to the Netskope Data Center, but policy enforcement will not be applied. Transaction logs will be stored locally on the end-user machine as well as on the Netskope Tenant.

 

Configuration

To recreate the lab environment, we use:

Category - Finance/Accounting

Domain - icicibank.com


 

Let's discuss the configuration changes required to achieve the use-case.

  • Step 1 - Create a custom URL list

Path: Netskope Tenant UI >>> Policies >>> Profiles >>> URL List >>> New URL List


 

  • Step 2 - Create a custom category

Path: Netskope Tenant UI >>> Policies >>> Profiles >>> Custom Categories >>> New Custom Categories


 

  • Step 3 - Update the Steering Exception Configuration

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Traffic Steering >>> Select Steering Profile >>> Exceptions

  1. Remove predefined category - Finance/Accounting
  2. Add the new custom category
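
The effect of steps 1 to 3 can be modelled as set logic. This is an added example, not Netskope code or part of the original article. It assumes the custom category is defined as Finance/Accounting with the URL list as an exclusion and that a URL-list entry matches the domain and its subdomains; the category membership data is constructed and example-bank.test is a placeholder.

```python
"""Simplified model of category-based steering exceptions (illustration only)."""

# Constructed sample data: which domains the predefined category contains.
PREDEFINED = {
    "Finance/Accounting": {"icicibank.com", "example-bank.test"},
}

def in_url_list(host, url_list):
    """Assumed matching rule: exact domain or any subdomain of a list entry."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in url_list)

def category_matches(host, category):
    """A category includes predefined categories and may exclude a URL list."""
    if in_url_list(host, category.get("exclude", ())):
        return False
    return any(in_url_list(host, PREDEFINED[name]) for name in category["include"])

def is_exempt(host, exceptions):
    """True when any category in the steering-exception list matches the host."""
    return any(category_matches(host, c) for c in exceptions)

# Before the change: the predefined category itself is a steering exception.
BEFORE = [{"include": ["Finance/Accounting"]}]

# After the change (hypothetical definitions mirroring steps 1 to 3).
URL_LIST = {"icicibank.com"}                                        # step 1
CUSTOM = {"include": ["Finance/Accounting"], "exclude": URL_LIST}   # step 2
AFTER = [CUSTOM]                                                    # step 3

def report(hosts):
    """Map each host to (exempt before, exempt after)."""
    return {h: (is_exempt(h, BEFORE), is_exempt(h, AFTER)) for h in hosts}

if __name__ == "__main__":
    hosts = ["icicibank.com", "www.icicibank.com", "example-bank.test"]
    for host, (before, after) in report(hosts).items():
        print(f"{host:20} exempt before={before} after={after}")
```

Only the listed domain and its subdomains lose the exemption; the rest of the category keeps the default bypass, and a look-alike such as noticicibank.com does not match the list entry.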


 

Verification


 

Author Comments

  • It's recommended to implement a No-SSL Decryption policy rather than including the domain/category in the steering exceptions. Visibility is crucial, and utilizing steering exceptions would result in complete loss of it. With a No-SSL Decryption policy, we can ensure that transactions are effectively recorded.
  • The customer can choose to remove categories such as Finance/Accounting from the Steering exceptions and then create a No-SSL Decryption policy.
  • If a website is not functioning properly when traffic is steered over Netskope, please contact the Netskope Customer Service team for assistance. It's important to avoid making any changes to steering exceptions and SSL decryption without recommendations from the Netskope Customer Service team.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the default settings may be altered. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.