Netskope API integration with Aruba EdgeConnect SD-WAN

Gary-Jenkins
Netskope

Overview

This integration enables you to automatically configure tunnels from Aruba EdgeConnect SD-WAN routers to Netskope’s security service edge (SSE). Aruba’s SD-WAN will build tunnels to the closest primary and secondary Netskope POP with the ease that you would expect from Aruba SD-WAN Orchestration. 

SSE defines the set of security services that help deliver on the security vision of SASE. These security services include firewall-as-a-service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA) and related security functions such as remote browser isolation (RBI), data loss prevention (DLP) and cloud & SaaS security posture management (CSPM/SSPM).

Requirements

  • Netskope tenant with API tunnels enabled
  • Aruba SD-WAN Orchestrator running >9.3

Setup steps

Netskope

  1. Pre-requirements
  2. Generate API token

 

Aruba

  1. Tunnel Setup
  2. Traffic Steering / Business Intent Overlays

 

Verify

Netskope setup

Pre-requirements

At the time of writing, you need to contact your sales team to have the automatic tunnels API enabled.

Generate API token

In your Netskope tenant, go to Settings > Tools > REST API v2 > New Token.

Add permission scopes to the token. You may not need both IPSec and GRE, depending on your deployment.

Give your token a name and an expiration period.

Use the following scopes:

  1. /api/v2/steering/ipsec/pops
     /api/v2/steering/ipsec/tunnels

  And/or

  2. /api/v2/steering/gre/pops
     /api/v2/steering/gre/tunnels

Save and copy your token. 

Aruba setup

Aruba Tunnel Setup 

Log in to your Aruba Orchestrator and go to Configuration > Cloud Services > Netskope.

Select Subscription

Add the following information:

Partner Username: <Locally used name to identify this token>

API Token: <Netskope APIv2 Token>

Domain: <Netskope Tenant URL>

Polling: <Default>

 

Save

Add the Netskope association to the sites that should use tunnels to Netskope.

Select the site and Add.

Or add all of them by selecting the top of the tree. 

The red ones below are being set up and they all turned green after a few seconds. 

Traffic Steering / Business Intent Overlays

Now that the tunnels are configured, edit the Business Intent Overlays to send traffic through them. 

Select Configuration > Overlays & Security > Business Intent Overlays.

Select which traffic type you want to go into the tunnel. In my example, I am selecting CriticalApps.

From the Available Policies, move the Netskope Cloud icon to the Preferred Policy Orders top spot. 

It should look like this.

Save and Apply for the policy to take effect. 

Verify

Status should change to Connected after applying the API token. 

You can see the status of the tunnels by selecting tunnels. In this view you can see the primary and secondary tunnel status and where they were built to. 
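
One way to confirm that the saved token reaches exactly the scopes listed in the post, and no tunnel type you did not intend to grant, before pasting it into Orchestrator. This is an added example, not part of the original post or any Netskope or Aruba tooling; it assumes the REST API v2 `Netskope-Api-Token` request header, that a granted scope answers a GET with HTTP 200, that the domain is the tenant hostname without a scheme, and hypothetical environment variable names.

```python
import os
import urllib.error
import urllib.request

# Scope paths exactly as listed in the post, grouped by tunnel type.
SCOPES = {
    "ipsec": ["/api/v2/steering/ipsec/pops", "/api/v2/steering/ipsec/tunnels"],
    "gre": ["/api/v2/steering/gre/pops", "/api/v2/steering/gre/tunnels"],
}


def http_status(domain, path, token):
    """GET one endpoint and return its HTTP status code (needs network access)."""
    req = urllib.request.Request(
        f"https://{domain}{path}",
        headers={"Netskope-Api-Token": token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 and other error responses land here


def audit_token(intended, status_of):
    """Compare what the token can reach with what was meant to be granted.
    intended: tunnel types the token should cover, e.g. {"ipsec"}.
    status_of: callable(path) -> HTTP status code.
    Assumption: 200 means the scope is granted; any other status is a denial.
    """
    findings = {"missing": [], "excess": []}
    for family, paths in SCOPES.items():
        for path in paths:
            allowed = status_of(path) == 200
            if family in intended and not allowed:
                findings["missing"].append(path)  # intended scope does not work
            elif family not in intended and allowed:
                findings["excess"].append(path)  # broader than least privilege
    return findings


if __name__ == "__main__":
    # Hypothetical variable names. Reading the token from the environment keeps
    # it out of shell history and process listings; it is never printed.
    domain = os.environ["NETSKOPE_DOMAIN"]
    token = os.environ["NETSKOPE_API_TOKEN"]
    intended = set(os.environ.get("NETSKOPE_TUNNEL_TYPES", "ipsec").split(","))
    print(audit_token(intended, lambda p: http_status(domain, p, token)))
```

An empty `missing` list and an empty `excess` list mean the token matches the deployment; anything in `excess` is a scope to remove from the token.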

3 Replies

ark007
Partner

@Gary-Jenkins - Great article. Is this for converging Aruba SD-WAN with Netskope SSE for delivering SASE architecture? Also, a suggestion: it would be great if you could give some detailed background regarding this integration and what it delivers at the end.

 

Thanks

 

Thanks for the feedback, I will add it this week. To answer your question: yes, this is part of a SASE architecture. Say you have 1,000 Aruba EdgeConnect routers deployed and you wanted to add Netskope NGSWG/CASB. This workflow will allow you to automatically add the IPSec tunnels from your routers to Netskope without having to figure out the closest NS POP and without dealing with configuring all of the IPSec tunnels.

Great, this is interesting. Thanks for explaining, Gary.

 

Thanks
