Netskope Community
-
Forums
ProductsCommunity Resources
-
Learn
Education, Training, Certification, and Thought LeadershipCommunity Resources
-
Groups
Community GroupsCommunity Resources
-
Events
Community Resources
- Support
- Netskope Community
- Products
- Next Gen SWG
- Re: Steering Configuration - Tunnel Mode
Steering Configuration - Tunnel Mode
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-27-2021
07:57 AM
- last edited on
10-28-2021
02:01 PM
by
kh_jenn
Since the upgrade to version 85, I started to notice it doesn't look as if cert pinned application exceptions recognize or apply tunnel exclusions any more. I'm opening a case with Support but I wanted to reach out here to see if anyone else experienced anything similar first. There is a exception for python.exe and if i use the tunnel settings it'll bypass any connections made to those domains but attempt to intercept everything else.
For Example:
Python.exe > Tunnel Mode: pypi.org and Pythonhosted.org
Solved! Go to Solution.
- Labels:
-
steer traffic
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-27-2021 02:03 PM
I believe Enhanced Cert Pinning (aka Enhanced SSL Pinned Application List feature) means that before making the decision to bypass the traffic from the specified app, the client additionally checks the domain of the traffic from the app. If the domain belongs to the same app (as per defined exception) then the bypass is allowed - otherwise it is not.
I guess this prevents a mischievous user renaming an app/process on their managed endpoint to match the app defined for bypass, and then sending traffic to some random destination.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-28-2021 10:27 AM
Ok, so I have more information now. So we didn't have Enhanced Cert pinning turned on so we didn't have the option to edit custom domains that is highlighted and we still had the configuration that allowed us to do the whitelisting of domain names within the tunnel mode of advanced options. As shown in the screenshot attached. The one caveat I didn't account for is once it's enabled you have to double back and modify all of your other custom built cert pinned applications. Thank you @ross and @InfoSecRich for your inputs.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-27-2021 09:31 AM
I'm hearing this might be related to a feature called "Enhanced Cert Pinning". Does anyone have any knowledge or documentation on this feature?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-27-2021 02:03 PM
I believe Enhanced Cert Pinning (aka Enhanced SSL Pinned Application List feature) means that before making the decision to bypass the traffic from the specified app, the client additionally checks the domain of the traffic from the app. If the domain belongs to the same app (as per defined exception) then the bypass is allowed - otherwise it is not.
I guess this prevents a mischievous user renaming an app/process on their managed endpoint to match the app defined for bypass, and then sending traffic to some random destination.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-28-2021 05:35 AM
Hello, Have you tried the "*" for the domain and then monitoring the logs?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-28-2021 10:27 AM
Ok, so I have more information now. So we didn't have Enhanced Cert pinning turned on so we didn't have the option to edit custom domains that is highlighted and we still had the configuration that allowed us to do the whitelisting of domain names within the tunnel mode of advanced options. As shown in the screenshot attached. The one caveat I didn't account for is once it's enabled you have to double back and modify all of your other custom built cert pinned applications. Thank you @ross and @InfoSecRich for your inputs.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-17-2021 02:47 PM
Please work with Support/TSM to understand the required scope of change to safely enable this feature. TSMs also have more information on this feature included in the Traffic Steering/Bypass section of the VRP.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Request for Community Support: NPLAN-112: Apply steering configs based on priority in multi user ma in Next Gen Secure Web Gateway (SWG)
- A "QUIC" Primer to How Netskope Handles the Quick UDP Internet Connections Protocol in Next Gen Secure Web Gateway (SWG)
- Netskope Private Access: "Life of a Packet" in Private Access for ZTNA
- Enabling private app discovery is not allowing VPN to connect in Private Access for ZTNA
- How to make Fiddler web debugger work with Netskope? in Next Gen Secure Web Gateway (SWG)
-
SWG
22 -
NG-SWG
17 -
DLP
11 -
NSClient
9 -
Next Gen SWG
7 -
NGSWG
6 -
netskope client
5 -
Netskope Endpoint Client
4 -
GRE
4 -
SSL bypass
4 -
Client
4 -
sso
4 -
android
4 -
policy
3 -
IDP
3 -
Decrypt SSL
3 -
Threat Protection
3 -
DLP Violation
3 -
cloud firewall
3 -
forward proxy
3 -
URL List
3 -
Google Idp
3 -
Support Mobiles
3 -
SCIM
3 -
skopeit
3 -
Linux
2 -
User Notification
2 -
Certificate SSL
2 -
traffic
2 -
ssl
2 -
malware
2 -
ipsec
2 -
cfw
2 -
users
2 -
IPSec Tunnels
2 -
Email DLP
2 -
Real-time Policy
2 -
steer traffic
2 -
Netskope Agent
2 -
categories
2 -
Provisionning
2 -
Admin
2 -
Azure
2 -
Apps
2 -
Windows OS updates
2 -
IOS
2 -
inline
2 -
Cloud
2 -
okta
2 -
Groups
2 -
communication between domain and application
1 -
alerts
1 -
Traffic Steer on Galaxy S8
1 -
Explicit Proxy
1 -
Local Groups
1 -
Private App
1 -
Instances APP Enterprise
1 -
no decryption
1 -
SASE
1 -
Cloud & Threat Challenges
1 -
questions
1 -
Chromebook
1 -
SWG Login
1 -
Remote Browser Isolation
1 -
punycode
1 -
Advanced Analytics
1 -
Rest API
1 -
Block Page
1 -
intel CPU
1 -
Automation
1 -
discord
1 -
interception
1 -
block
1 -
Authentication
1 -
RBAC
1 -
slowness issue
1 -
Dropbox
1 -
SSL-TLS
1 -
ngrok
1 -
Epic
1 -
browser
1 -
MIP
1 -
Education
1 -
export
1 -
certificate
1 -
Certificate Pinned
1 -
TLS
1 -
UPD errors and nsClientFLow
1 -
SSL Decrypt Bypass
1 -
steering
1 -
Netskope
1 -
import
1 -
activities
1 -
Desktop Dropbox
1 -
Log
1 -
GOSKOPE
1 -
openai
1 -
security posture check
1 -
User Group
1 -
Netskope Threat Labs
1 -
entry
1 -
Download
1 -
Firewalls Local
1 -
chatgpt
1 -
best practice
1 -
CCI
1 -
configuration
1 -
ChromeOS
1 -
Upload
1 -
Directory Importer
1 -
PAC file
1 -
web debugging fiddler proxy
1 -
EDM
1 -
flow
1 -
explicit proxy over IPSec
1 -
Reverse Proxy
1 -
cloud exchange
1 -
Custom Rule
1 -
logs
1 -
Fail Close
1 -
sensitivity
1 -
fundamentals
1 -
Office 365
1 -
domain
1 -
CASB
1 -
Guidelines
1 -
log data
1 -
endpoint
1 -
url categorization
1 -
CTEP
1 -
AVD
1 -
Access
1 -
file size
1 -
vpn
1 -
steering exception
1 -
install
1 -
CCL
1 -
extension
1 -
url filtering
1 -
Default OfficeSuite policy
1 -
DaaS
1 -
MFA
1 -
incremental update
1 -
API
1 -
Next Fen SWG
1 -
multi-user mode
1 -
Upgrade
1 -
Changes
1 -
OfficeSuite
1 -
Virtual Desktop
1 -
native definition
1 -
MacOS
1 -
Reports
1 -
Config
1 -
No Decrypt
1 -
App
1 -
Threat
1 -
Widgets
1 -
Config Update
1 -
Default Policy
1 -
Azure AD
1 -
APP instance
1 -
client update
1 -
data
1 -
WebSecurity
1 -
Report
1 -
Enterprise Application
1 -
PAC
1 -
Sync
1 -
Instances Corp
1
In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below
Sign In