I am sharing my modest knowledge with the Netskope community. I hope this helps a few of you on understanding the basic Netskope traffic flow and log analysis.
Versions prior to 96.1 :
1. The Netskope Client uses DNS over HTTPS (dns.google) to resolve the Netskope gateway's IP address (gateway-tenant hostname.goskope.com)
2. If DNS over HTTPS is unsuccessful, the client will fail over to the LDNS technique (UDP 53) to resolve the IP address for gateway-tenant hostname.goskope.com.
Version starting with 96.1:
There is no longer a requirement to resolve NS Gateway domains using the Google DNS service (dns.google). The GSLB services deliver a POP list based on the client IP address while performing a REST API request to gateway.gslb.goskope.com.
Note: GSLB option will be only available when the backend tenant flag is activated.
Basic Traffic flow
Let’s take an example of the SaaS Application Box.com!
ST Agent driver captures the TCP SYN Packet and indicates it to Netskope ST Agent services.
Note: Only the Advanced debugging packet capture option on the NS client can see ST Agent Driver-level PCAP. Wireshark Packet capture on a normal adapter will only show the encrypted packets with the destination IP as Netskope gateway.
Log into the endpoint. Right-click the Netskope icon in the System Tray and then click Save Logs.
To verify any service-related error or logs
To verify the POP selection logs.
To confirm whether the traffic is directed through Netskope or not.
POP selecting using EDNS
2019/10/17 09:47:59.527 stAgentSvc p1334 t4c4c 4 tunnel.cpp:694 nsTunnel TLS Connecting to gateway-.goskope.com:443 2019/10/17 09:47:59.676 stAgentSvc p1334 t4c4c 4 restapi.cpp:80 restapi SSL resolve EDNS downloaded successfully 2019/10/17 09:47:59.679 stAgentSvc p1334 t4c4c 4 nsDnsResolver.cpp:179 dnsResolver Hostname gateway-.goskope.com resolved by EDNS 2019/10/17 09:47:59.680 stAgentSvc p1334 t4c4c 4 nsssl.cpp:1217 nsssl TLS remote host gateway-.goskope.com resolved to 220.127.116.11, port 443 2019/10/17 09:48:01.728 stAgentSvc p1334 t4c4c 4 tunnel.cpp:729 nsTunnel TLS SSL connected to the server: gateway-.goskope.com:443 successfully
POP selecting using LDNS
2019/10/14 11:40:49.864 stAgentSvc p1244 t2980 2 nsHTTPClient.cpp:372 downloader curl_easy_perform failed, code 28, error Timeout was reached 2019/10/14 11:40:49.866 stAgentSvc p1244 t2980 2 restapi.cpp:75 restapi Failed to download SSL resolve EDNS, Error: -2 2019/10/14 11:40:49.871 stAgentSvc p1244 t2980 2 nsDnsResolver.cpp:204 dnsResolver Failed to resolve gateway-.goskope.com by EDNS 2019/10/14 11:40:49.874 stAgentSvc p1244 t2980 4 nsDnsResolver.cpp:47 dnsResolver Hostname gateway-.goskope.com resolved by LDNS 2019/10/14 11:40:49.875 stAgentSvc p1244 t2980 4 nsssl.cpp:1217 nsssl DTLS remote host gateway-.goskope.com resolved to 18.104.22.168, port 443
eg: Traffic steered through Netskope
2019/10/18 20:28:21.148 stAgentSvc pfbc t296c 4 tunnel.cpp:618 nsTunnel TLS [sessId 1] Tunneling flow from addr:
10.173.13.40:53256, process: chrome.exe to host: www. box .com, addr: 22.214.171.124:443
eg: Traffic bypassed from Netskope
2018/10/10 13:17:58.272225 stAgentSvc pf280 t4807 4 bypassAppMgr.cpp:371 BypassAppMgr bypassing flow to
exception host: zoom.us, process: zoom.us
List of certificate pinned Applications on steered configuration.
The list of IP and domain-based exceptions configured on the Steering configuration
Windows Tenant Config location : “%PROGRAMDATA%/netskope\stagent”
MAC Tenant Config location : /Library/Application/Support/Netskope/STAgent
Windows user Config location : %APPDATA%/netskope\stagent
MAC user Config location : <Home Directory>/Library/Application Support/Netskope/STAgent
Thank you 🙂
In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button belowSign In