Solved

Is Netskope intercepting my browser traffic?

  • 26 April 2021
  • 5 replies
  • 134 views

Badge +13

Question: How can I tell if my traffic is being intercepted by Netskope from a browser?

icon

Best answer by btokuyoshi 1 May 2021, 00:48

View original

5 replies

Badge +8
There are a few ways that I use to quickly check to see if my traffic is traversing Netskope:  
 
I will check to see what certificate I am receiving from a TLS encrypted site.  If the certificate issuer ends with .goskope.com it means it was issued by Netskope.
 
Browse to 'notskope.com' to see what data center you are connected to.  If you are not being sent through Netskope the source will come up as unknown.  This isn't an officially sanctioned tool but it's helpful and there are other ways if it is down for some reason.
 
Build a policy that is a bit obscure, but that triggers a block page.  I pick on a particular site and built a custom category to match only that site with a custom block page.   That way I can quickly just type the URL and get my block and I know.  I will also change the name of this policy by incrementing a number in the name  ' Bob's Connectivity Check 47".  I do that because I can see if the current policy set has been synced to the data centers so that if I am testing other new policy I know that the desired policy set has been rolled out to the data center processing my traffic.
Badge +8

Good day, you can check the lock icon in the URL section of your browser to see what certificate was presented to the site. If it's a goskope.com certificate then it went through Netskope.  Additionally, this traffic can be observed in SkopeIT under either the Application Events or Page Events section.  

Badge +6

Hi, Easiest way is to Click on the padlock in the browser and you should see your tenants netskope certificate as below <yourcompany>.goskope.com

 

Badge +13

Just to clarify, checking SSL certs is a way to identify if SSL decryption is happening. Depending on how you define interception, esp from an end user's perspective, interception could also mean any inspection of traffic, including plaintext http. In which case the above method would not apply and end users would need to run a tracert.  Intentionally causing a policy violation (like downloading the eicar file) might be another way for end users to see, but this won't work if policy isn't enabled for the violation that the user is attempting.

 

Badge +12

If you're looking to confirm that your traffic is being steered through Netskope then you could use www.notskope.com - a simple webpage that will confirm the Netskope data centre that you're using (if any). Note: if you are not steering 'All Web Traffic' (i.e. you are only steering specific cloud applications) then you'll need to create a custom app for the notskope.com domain in order for it to be steered!

Reply