
CIDR Overlap for NPA

Siva
New Contributor III

Hello,

Reading through the private-access-best-practices article on docs.netskope.com, it mentions not to overlap CIDR ranges for NPA. I wonder how we can satisfy this recommendation for the following, very common scenario.

Let's say we have three Outlook web servers. All serve on port 443, so a private app [Outlook] is created with the three individual IPs and TCP port 443 and assigned to all/general users in the organization. All good here.

 

Now the admins of the org would need to RDP to these Outlook web servers for support/admin purposes. I would think we need a second private app with the same three IPs and TCP port 3389, assigned to IT Admins. Two separate apps for the zero trust model.

So the second private app creates an overlap. Any pointers on how to configure this scenario while adhering to best practices?

1 ACCEPTED SOLUTION
sshiflett
Netskope
Netskope

Siva,

Thank you for the question. In general, the guidance to avoid overlap typically refers to avoiding the assignment of overlapping CIDR blocks for the same users to different Publishers. This avoids sending traffic to different Publishers and potentially breaking traffic flows. For your specific use case, you can create two separate apps with the required access for each role. You can then create individual Real-time Policies assigned to the different users or groups. Without going too deep into the weeds, the individual application definitions, entitlements, and steering decisions for NPA are based on a combination of application definitions and the Real-time Protection policies assigned to respective users.


Sam Shiflett
Netskope Sales Engineer - North Florida

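A small checker for the rule Sam describes, added here as an illustration and not code from the thread or from Netskope: it flags a pair of private app definitions only when the same user group can reach overlapping addresses through different Publishers, so the Outlook 443 / RDP 3389 split for different groups passes. App names, addresses, Publisher names and group names are constructed placeholders, and groups are compared as labels (nested group membership is not resolved).

```python
# Added example, not from the thread or Netskope. Checks NPA private app
# definitions for the overlap pattern the accepted answer warns about:
# overlapping CIDR blocks, reachable by the same users, steered to
# different Publishers. Same IPs split by port and group are fine.
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass
class PrivateApp:
    name: str
    hosts: list        # IPs or CIDR strings, e.g. "10.10.1.11", "10.10.1.0/24"
    ports: set         # TCP ports exposed by this app definition
    publishers: set    # Publisher names assigned to the app
    groups: set        # user groups granted access via Real-time Policy


def _networks(app):
    # Bare IPs become /32 networks so every host can be compared uniformly.
    return [ipaddress.ip_network(h, strict=False) for h in app.hosts]


def find_conflicts(apps):
    """Return (app_a, app_b, group, net_a, net_b) for each violating overlap."""
    conflicts = []
    for a, b in combinations(apps, 2):
        shared = a.groups & b.groups
        if not shared or a.publishers == b.publishers:
            continue  # different users, or same Publishers: no steering ambiguity
        for na in _networks(a):
            for nb in _networks(b):
                if na.overlaps(nb):
                    for g in sorted(shared):
                        conflicts.append((a.name, b.name, g, str(na), str(nb)))
    return conflicts


# Constructed sample inventory; all names and addresses are placeholders.
OWA_SERVERS = ["10.10.1.11", "10.10.1.12", "10.10.1.13"]
APPS = [
    PrivateApp("Outlook", OWA_SERVERS, {443}, {"pub-dc1"}, {"All Users"}),
    PrivateApp("Outlook-RDP", OWA_SERVERS, {3389}, {"pub-dc1"}, {"IT Admins"}),
    # Violation: "All Users" already reach these hosts via pub-dc1 through
    # "Outlook"; this app steers the enclosing /24 to pub-dc2 for the same group.
    PrivateApp("Intranet", ["10.10.1.0/24"], {443}, {"pub-dc2"}, {"All Users"}),
]

if __name__ == "__main__":
    for c in find_conflicts(APPS):
        print("overlap for group %r: %s %s vs %s %s" % (c[2], c[0], c[3], c[1], c[4]))
```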

2 REPLIES 2
Siva
New Contributor III

Thank you.