About IPS Settings

On the IPS Settings page (Settings > Threat Protection > IPS Settings), you can enable Netskope Intrusion Prevention System (IPS) for your organization as well as create exceptions using allow lists and signature overrides.

IPS Status

Choose the type of traffic you want to inspect for any IPS violations:

  • Non-Web Traffic: Netskope IPS examines non-web traffic. This option only appears if you have Cloud Firewall.

  • Cloud Apps & Web Traffic: Netskope IPS examines web traffic except traffic that matches policies with the actions set to Forward to Proxy or Isolate.

The IPS Status section in IPS Settings.

Select the user notification you want to display when users visit cloud apps or websites that violate your IPS policy. You can use the default IPS notification or create a custom one. If you create a custom notification, ensure the action is set to Block.

When blocked, users will see a similar notification:

The default user notification template for CTEP violations.

Some IPS blocks, such as malicious responses, won’t notify users.

Allow List

Under Allow List, you can see the following options:

  • Source IP Allowlist: The Network Location profiles that contain the source IP addresses you want to bypass from IPS. For web traffic, you can add the public source IP address; however, for non-web traffic, you must add the private source IP address. Click Edit to add or remove profiles.
  • Domain Allowlist: The domains, fully qualified domain names (FQDNs), and wildcards you want to bypass from IPS. Click Edit to enter domains or FQDNs separated by a comma.
  • Destination IP Allowlist: The Network Location profiles that contain the destination IP addresses you want to bypass from IPS. Click Edit to add or remove profiles.

The Allow List tab on the IPS Settings page.

Signature Overrides

Under Signature Overrides, you can:

  1. Enable Alert Only Mode to allow all traffic with signature matches and only send alerts. If enabled:
    • Netskope won’t block traffic. Netskope will change any enabled overrides from the Block action to the Alert action.
    • Netskope won’t generate alerts for disabled overrides.
  2. Search for a signature name in the table.
  3. Filter signatures in the table by traffic type if you have the Cloud Firewall.
  4. Create a signature override.
  5. View a list of configured signature overrides. For each override, you can see the following information:
    • Signature ID: The ID of the signature.
    • Signature Name: The name of the signature.
    • Status: The signature is enabled or disabled for matching.
    • Action: If you enabled signature matching, you can see one of the following actions when a match occurs.
      • Alert: Netskope allows the traffic and generates an alert in Skope IT.
      • Block: Netskope blocks the traffic.
    • Last Edited: The last time the override was edited and by whom.
  6. Sort the table by signature name, signature ID, or last edited.
  7. Select at least one override using the checkbox and click Remove to delete it.
  8. Click the Settings icon to customize table columns or restore the default ones.
  9. Click the More icon to edit or delete an override.
  10. View up to 100 overrides per page.
  11. View multiple pages of the table.

Viewing IPS Violation Alerts

After configuring the IPS settings, you can then view the detected IPS violations on the Skope IT Alerts page (Skope IT > Alerts). To view the violations, select C2 and IPS for the Alert Type filter.

The C2 and IPS filters on the Skope IT Alerts page.

You can also filter and triage IPS violations based on the CVE ID.

The CVE ID filter on the Skope IT Alerts page.