
Netskope Global Technical Success (GTS)

Considerations when enabling DEIP

 

Netskope Cloud Version - 122

 

Objective

Provide insights on what to expect and special considerations before enabling DEIP

 

Prerequisite

Dedicated Egress IP (DEIP) license is required

 

Context

Netskope manages a vast pool of IP ranges for traffic that traverses NewEdge. Every POP has a specific range of IPs, which can be found in this well-known support article. The Client steers traffic to NewEdge, where it is inspected at the Netskope Cloud Proxy and then egresses with an IP belonging to the processing POP. These ranges are shared across Netskope’s customers. If a customer wants its own exclusive pool of IPs, that is where DEIP comes into play.

How is DEIP enabled?

  • Once the feature is purchased and enabled in the backend you’ll be able to activate it for your traffic. Please keep in mind that it’s not enabled by default. You must go to your Tenant UI Settings > Security Cloud Platform > Configuration > Dedicated Egress IP Footprint and click on the enable toggle.


 

  • If no criteria are defined in the section below the toggle, DEIP applies to all your traffic traversing Netskope’s NewEdge.
  • All the conditions in the conditional DEIP policies are OR’ed: if any of the criteria is matched, that traffic egresses via the dedicated egress IP.
  • Additional important information can be found in this KB.

 

Special considerations

  1. Understand DEIP application:
  • By default, DEIP applies to all inline traffic for SWG, CASB, Cloud Firewall, and RBI.
  • Conditional (Policy-Based) DEIP, introduced in R112, allows for traffic control.
  • Cloud Firewall traffic always uses DEIP, regardless of Conditional DEIP policies.

  2. Prepare for implementation:
  • Identify any conditional access policies in destination SaaS apps that may require updates.
  • If such policies exist, add the assigned DEIP IPs to the application's allowlist to prevent blocking.

  3. Configure DEIP:
  • Log in to your Netskope tenant.
  • Navigate to the appropriate section for DEIP configuration (Settings > Security Cloud Platform > Configuration > Dedicated Egress IP Footprint).
  • Enable DEIP for your organization.

  4. Implement best practices:
  • Use DEIP primarily for allowlisting purposes.
  • Utilize other features like localization zones for commodity web browsing.
  • Note that DEIPs cannot be aggregated and must be allowlisted individually or by larger prefixes.

  5. Consider using Conditional DEIP:
  • This feature allows separation of NewEdge DC egress traffic.
  • It enables Localization Zones and DEIP to work together.
  • Example use case: Configure SaaS apps to use DEIPs, while other traffic uses regular Netskope shared IPs.

  6. Monitor and test:
  • After implementation, closely monitor traffic and user experience.
  • Test access to critical applications and services to ensure they're not impacted.

  7. Troubleshoot if needed:
  • If issues arise, check allowlists in destination SaaS apps.
  • Verify DEIP and Conditional DEIP (if used) configurations.
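
The allowlist checks described under "Prepare for implementation", "Implement best practices" and "Troubleshoot if needed" can be scripted. The following is an added example, not Netskope code: it compares a tenant's assigned DEIPs with one application's IP allowlist and reports DEIPs that no entry covers, plus entries that admit addresses beyond the assigned DEIPs. All addresses are constructed values from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges, IPv4 only).
ASSIGNED_DEIPS = ["192.0.2.10", "198.51.100.77", "203.0.113.5", "203.0.113.200"]
APP_ALLOWLIST = ["192.0.2.10/32", "203.0.113.0/24"]  # as exported from the SaaS app


def audit_allowlist(assigned_deips, allowlist_entries):
    """Compare assigned DEIPs with one application's IP allowlist.

    Returns (missing, excess):
      missing - assigned DEIPs that no allowlist entry covers (would be blocked)
      excess  - {entry: number of addresses it admits that are not assigned DEIPs}
    """
    deips = {ipaddress.ip_address(ip) for ip in assigned_deips}
    nets = [ipaddress.ip_network(e, strict=False) for e in allowlist_entries]

    missing = sorted(ip for ip in deips if not any(ip in n for n in nets))
    excess = {}
    for net in nets:
        extra = net.num_addresses - sum(1 for ip in deips if ip in net)
        if extra:
            excess[str(net)] = extra
    return [str(ip) for ip in missing], excess


def individual_entries(assigned_deips):
    """Tightest allowlist: one /32 per DEIP, merged only if addresses are adjacent."""
    nets = (ipaddress.ip_network(ip) for ip in assigned_deips)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    missing, excess = audit_allowlist(ASSIGNED_DEIPS, APP_ALLOWLIST)
    for ip in missing:
        print(f"NOT ALLOWLISTED: {ip} (traffic egressing from this DEIP may be blocked)")
    for entry, count in excess.items():
        print(f"BROAD ENTRY: {entry} admits {count} addresses that are not your DEIPs")
    print("Per-IP allowlist:", ", ".join(individual_entries(ASSIGNED_DEIPS)))
```

A larger prefix is easier to maintain, but every address it admits beyond the assigned DEIPs weakens the allowlist as an access control, so the per-IP form is the tighter choice.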

 

Where can I find my assigned DEIPs?

You can find those in the UI by going to Settings > Security Cloud Platform > Enforcement > Proxy IP Addresses > NETSKOPE IP RANGES

The first tab lists the dedicated IPs assigned to your tenant.

 

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 
