
Hi Folks,

I am sharing my modest knowledge with the Netskope community. I hope this helps a few of you understand the basic Netskope traffic flow and log analysis.

 

POP Selection

Versions prior to 96.1:

1. The Netskope Client uses DNS over HTTPS (dns.google) to resolve the Netskope gateway's IP address (gateway-<tenant hostname>.goskope.com).
2. If DNS over HTTPS is unsuccessful, the client fails over to the LDNS technique (UDP 53) to resolve the IP address for gateway-<tenant hostname>.goskope.com.

Versions starting with 96.1:

There is no longer a requirement to resolve NS Gateway domains using the Google DNS service (dns.google). The GSLB service delivers a POP list based on the client IP address when the client performs a REST API request to gateway.gslb.goskope.com.

Note: The GSLB option is only available when the backend tenant flag is activated.

 

Basic Traffic flow

Let’s take an example of the SaaS application Box.com!

  1. The browser issues a DNS request for the SaaS domain Box.com.
  2. The browser receives the DNS response; the Netskope ST Agent driver captures the response and creates a domain-to-IP mapping, i.e. Box.com – 74.112.184.73.
  3. The browser starts sending the TCP SYN packet (3-way handshake) to the SaaS server 74.112.186.144.
  4. The ST Agent driver captures the TCP SYN packet and indicates it to the Netskope ST Agent service.
  5. The ST Agent service has established an SSL tunnel with the Netskope gateway. Through this SSL tunnel, the TCP packets are tunneled or steered.
  6. The Netskope gateway receives the TCP SYN+ACK response from the SaaS server and forwards it to the ST Agent service using the established tunnel.
  7. The ST driver receives the packets from the ST Agent service.
  8. The system stack receives the packets from the ST Agent driver, and the browser displays the outcome.

Note: Only the Advanced Debugging packet capture option on the NS client can see ST Agent driver-level PCAPs. A Wireshark packet capture on a normal adapter will only show the encrypted packets with the Netskope gateway as the destination IP.

 

Troubleshooting Logs

Log into the endpoint. Right-click the Netskope icon in the system tray and then click Save Logs.

nsdebuglog
===========

To verify any service-related errors or logs.

To verify the POP selection logs.

To confirm whether the traffic is directed through Netskope or not.

 

POP selection using EDNS

2019/10/17 09:47:59.527 stAgentSvc p1334 t4c4c 4 tunnel.cpp:694 nsTunnel TLS Connecting to gateway-.goskope.com:443
2019/10/17 09:47:59.676 stAgentSvc p1334 t4c4c 4 restapi.cpp:80 restapi SSL resolve EDNS downloaded successfully
2019/10/17 09:47:59.679 stAgentSvc p1334 t4c4c 4 nsDnsResolver.cpp:179 dnsResolver Hostname gateway-.goskope.com resolved by EDNS
2019/10/17 09:47:59.680 stAgentSvc p1334 t4c4c 4 nsssl.cpp:1217 nsssl TLS remote host gateway-.goskope.com resolved to 8.36.116.35, port 443
2019/10/17 09:48:01.728 stAgentSvc p1334 t4c4c 4 tunnel.cpp:729 nsTunnel TLS SSL connected to the server: gateway-.goskope.com:443 successfully

POP selection using LDNS

2019/10/14 11:40:49.864 stAgentSvc p1244 t2980 2 nsHTTPClient.cpp:372 downloader curl_easy_perform failed, code 28, error Timeout was reached
2019/10/14 11:40:49.866 stAgentSvc p1244 t2980 2 restapi.cpp:75 restapi Failed to download SSL resolve EDNS, Error: -2
2019/10/14 11:40:49.871 stAgentSvc p1244 t2980 2 nsDnsResolver.cpp:204 dnsResolver Failed to resolve gateway-.goskope.com by EDNS
2019/10/14 11:40:49.874 stAgentSvc p1244 t2980 4 nsDnsResolver.cpp:47 dnsResolver Hostname gateway-.goskope.com resolved by LDNS
2019/10/14 11:40:49.875 stAgentSvc p1244 t2980 4 nsssl.cpp:1217 nsssl DTLS remote host gateway-.goskope.com resolved to 8.36.116.35, port 443

 

e.g. Traffic steered through Netskope

2019/10/18 20:28:21.148 stAgentSvc pfbc t296c 4 tunnel.cpp:618 nsTunnel TLS TsessId 1] Tunneling flow from addr: 10.173.13.40:53256, process: chrome.exe to host: www. box .com, addr: 107.152.27.197:443

e.g. Traffic bypassed from Netskope

2018/10/10 13:17:58.272225 stAgentSvc pf280 t4807 4 bypassAppMgr.cpp:371 BypassAppMgr bypassing flow to exception host: zoom.us, process: zoom.us

 

 

nsbypass.json
=============

List of certificate-pinned applications in the steering configuration.

nsexception.json
================

The list of IP- and domain-based exceptions configured in the steering configuration.

Windows tenant config location: %PROGRAMDATA%/netskopestagent
Mac tenant config location: /Library/Application Support/Netskope/STAgent

Windows user config location: %APPDATA%/netskopestagent
Mac user config location: <Home Directory>/Library/Application Support/Netskope/STAgent

 

Thank you 🙂 
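A small parser for the nsdebuglog excerpts above, added here as an example that is not part of the original post or of the Netskope client: it splits each line into its fields, recognises the EDNS/LDNS POP resolution, EDNS failure, steered-flow and bypassed-flow messages the post walks through, and summarises them. The sample lines are constructed from those excerpts; gateway-example.goskope.com, the Box address and the timestamps are made-up values.

```python
import re
# Constructed sample lines modelled on the nsdebuglog excerpts in the post (tenant name, Box address and timestamps are made up)
SAMPLE_LOG = """\
2019/10/14 11:40:49.866 stAgentSvc p1244 t2980 2 restapi.cpp:75 restapi Failed to download SSL resolve EDNS, Error: -2
2019/10/14 11:40:49.874 stAgentSvc p1244 t2980 4 nsDnsResolver.cpp:47 dnsResolver Hostname gateway-example.goskope.com resolved by LDNS
2019/10/17 09:47:59.679 stAgentSvc p1334 t4c4c 4 nsDnsResolver.cpp:179 dnsResolver Hostname gateway-example.goskope.com resolved by EDNS
2019/10/18 20:28:21.148 stAgentSvc pfbc t296c 4 tunnel.cpp:618 nsTunnel TLS TsessId 1] Tunneling flow from addr: 10.173.13.40:53256, process: chrome.exe to host: www.box.com, addr: 107.152.27.197:443
2018/10/10 13:17:58.272225 stAgentSvc pf280 t4807 4 bypassAppMgr.cpp:371 BypassAppMgr bypassing flow to exception host: zoom.us, process: zoom.us
"""

# nsdebuglog line layout as seen in the post: date time service p<pid> t<tid> level file:line component message
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<svc>\S+) p(?P<pid>\S+) t(?P<tid>\S+) "
                     r"(?P<level>\d) (?P<src>\S+:\d+) (?P<comp>\S+) (?P<msg>.*)$")
STEER_RE = re.compile(r"process: (?P<process>\S+) to host: (?P<host>\S+), addr: \S+")
BYPASS_RE = re.compile(r"exception host: (?P<host>\S+), process: (?P<process>\S+)")

def parse_line(line):
    # Returns the named fields of one log line, or None if it is not an nsdebuglog line
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    # Maps a parsed entry to the events the post walks through: POP resolution, steer, bypass
    msg = entry["msg"]
    for marker, method in (("resolved by EDNS", "EDNS"), ("resolved by LDNS", "LDNS")):
        if marker in msg:
            return "pop_resolved", method
    if "Failed to download SSL resolve EDNS" in msg:
        return "edns_failed", None
    for marker, kind, rx in (("Tunneling flow", "steered", STEER_RE), ("bypassing flow", "bypassed", BYPASS_RE)):
        if marker in msg and (m := rx.search(msg)):
            return kind, (m["process"], m["host"])
    return "other", None

def summarize(text):
    # Per-log summary: how the POP was resolved and which flows were steered or bypassed
    out = {"pop_resolution": [], "edns_failures": 0, "steered": [], "bypassed": []}
    for entry in filter(None, map(parse_line, text.splitlines())):
        kind, detail = classify(entry)
        if kind == "pop_resolved":
            out["pop_resolution"].append(detail)
        elif kind == "edns_failed":
            out["edns_failures"] += 1
        elif kind != "other":
            out[kind].append(detail)
    # Per the post, LDNS is only tried after DNS over HTTPS (EDNS) fails
    out["fell_back_to_ldns"] = out["edns_failures"] > 0 and "LDNS" in out["pop_resolution"]
    return out
```

Run it against a saved nsdebuglog (`summarize(open(path).read())`) to see at a glance whether a POP was reached via EDNS or the LDNS fallback and which processes were steered or bypassed.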

 

Thanks for sharing @Zulkifal 

