Use NPA with logical condition

  • 3 April 2023

Good afternoon everyone.

Can anyone tell me if there is any way to put a logical condition? For example:
Is there a way to configure Netskope to be a “second choice” connection type?

Example:

The user is in the company, on the internal network; I want the traffic not to go out through the NPA, but through our internal network.

Or the user is on VPN; I want traffic to go out through the VPN instead of NPA.

Is it possible for it to identify this? Or will the priority always be the NPA?


3 replies


Hi,

This is accomplished thanks to dynamic steering (https://docs.netskope.com/en/enabling-dynamic-steering.html#UUID-0b5b24f7-89f5-c959-2689-59309c90e77c_section-idm4640370856604832915309833464).

You can, for instance, define a DNS entry only resolvable from corp/vpn connectivity, and if this is resolved, then you can define which apps to steer or not steer in ZTNA.

Robin


Just be careful with on/off-prem configurations. On-prem steering exemptions happen at the proxy level, not client-side at this time. This has the potential for impact if you are running cloud services that use IP address as a means for access control. 

For example, we have numerous applications that require coming from an office IP to work. If on-prem is enabled then those applications are still sent to the Netskope proxy (albeit exempted) but will come from a Netskope IP.


Hi Bruna,

The most immediate solution is to have the NPA gateway (*.npa.goskope.com) blocked by the corporate firewall.

Nicola

 
