Netskope Help

Add a Policy for SSL Decryption

To add a policy for SSL Decryption, click Add Policy and specify match criteria for the traffic, followed by the desired action.

Note

By default, the policy is disabled; you must enable it after you finish configuring it.

You must specify at least one match criterion from the Add Match Criteria dropdown to create a policy. The system applies the ‘AND’ operator across multiple criteria groups (e.g., user, domain, and category), and the ‘OR’ operator across multiple match criteria values within a group (e.g., Category 1, Category 2, Category 3).

The following table lists the match criteria options.

| Criteria | Options |
|---|---|
| Source Network Location | Search and add a source network location (select all that apply) and match against User IP and Source IP addresses. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details. Match Against Field: User IP Address is the user’s internal / private IP address (RFC 1918); Egress Source IP Address is the user’s external NAT (public) IP address. For traffic that runs through the Netskope gateway, both the User IP and Egress Source IP addresses are viewable by the system. The distinction is helpful so admins can make selective decisions for internal hosts (user IPs) versus all hosts in a given network (egress IPs). |
| Destination Network Location | Search and add a destination network location (select all that apply). Click +New to add a new network location. See Add New Network Location for SSL Decryption for details. |
| Category | Lists all categories. |
| Domains | List domains as comma-separated values. Netskope supports domain names based on server name indication (SNI) and not certificate name (CN) or subject alternative name (SAN). Wildcard search is supported. |
| User | Lists all users. |
| User Group | Lists all user groups. |
| Organizational Unit | Lists all organizational units. |
| App Suite | Lists app suites specified. Currently only Office 365 is supported on Netskope Client, IPSec, and GRE steering methods. Explicit proxy steering is not yet supported. Bypass is based on the host-name to app suite mapping. The proxy does not consider the referrer when deciding whether to bypass the traffic. |
| Apps | Lists apps to match rules based on selections. You can select one or more predefined or custom apps. Note that custom apps take priority over predefined apps. |

In addition, you can select one of two Action options:

  1. Do not decrypt: traffic will not go through deep analysis.

    Important

    Office 365 services bypass policy is enabled by default for all new accounts provisioned after release 80. If your account was provisioned prior to release 80, this feature is not enabled by default. Contact Support to enable it in your account.

  2. Decrypt: traffic will move to deep analysis via Real-time Protection policies.

Add a policy name and any optional notes. 
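The matching rules described above (AND across criteria groups, OR across the values in a group, domains compared with the SNI rather than certificate names, policies disabled until enabled) can be modelled as follows. This is an added illustration, not Netskope code: the class and function names, the shell-style wildcard syntax, and first-match evaluation in list order are assumptions, and the sample policies and flows are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Flow:
    sni: str                 # server name sent in the TLS ClientHello
    user: str
    category: str
    cert_names: tuple = ()   # certificate CN/SAN values; never consulted below

@dataclass
class Policy:
    name: str
    action: str              # "decrypt" or "do_not_decrypt"
    criteria: dict = field(default_factory=dict)  # criteria group -> values
    enabled: bool = False    # new policies start disabled, as the Note says

def group_matches(group, values, flow):
    """OR across the values listed within one criteria group."""
    if group == "domains":
        # Assumption: shell-style wildcards, compared against the SNI only.
        sni = flow.sni.lower()
        return any(fnmatchcase(sni, v.strip().lower()) for v in values)
    return getattr(flow, group, None) in values

def policy_matches(policy, flow):
    """AND across criteria groups; a policy needs at least one group."""
    if not policy.enabled or not policy.criteria:
        return False
    return all(group_matches(g, v, flow) for g, v in policy.criteria.items())

def decide(policies, flow):
    """Assumption: first match in list order wins; unmatched traffic is decrypted."""
    for policy in policies:
        if policy_matches(policy, flow):
            return policy.action, policy.name
    return "decrypt", None

# Constructed sample policies (names, users and domains are made up).
POLICIES = [
    Policy("bypass-finance", "do_not_decrypt",
           {"domains": ["*.bank.example", "pay.example"],
            "category": ["Finance", "Health"]}, enabled=True),
    Policy("bypass-alice", "do_not_decrypt", {"user": ["alice"]}),  # left disabled
]

if __name__ == "__main__":
    for f in (Flow("www.bank.example", "bob", "Finance"), Flow("www.bank.example", "bob", "News")):
        print(f.sni, f.category, "->", decide(POLICIES, f))
```

A flow whose certificate lists `*.bank.example` but whose SNI is a different host does not match the domain criterion in this model, so it falls through to decryption.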

Once you create a policy, you can perform the actions described in the following table.

| Action | Description |
|---|---|
| Edit | Click the policy name or edit via the ellipses at the end of the policy row. |
| Disable | Click the policy name or disable via the ellipses at the end of the policy row. |
| Move to Position | Access the Move to Position dialog via the ellipses at the end of the policy row. You can select to move the policy to: Top of policy list, Bottom of policy list, Before policy, or After policy. Click Move to apply your change. If you select Before policy or After policy, a dropdown displays in which you must select a policy from the list. |
| Delete | Select the policy name and click the Delete button, or delete via the ellipses at the end of the policy row. Deleting a policy means that the corresponding traffic will be decrypted and sent for deep analysis. If you change your mind, click the ellipses to access the Revert Deletion button. |
| View Pending Changes | View a list of policies that are new or have changed and click Apply Changes to save and implement the policy. |
| Filters | Use the filters at the top of the list page to quickly access or filter out policies by name or criteria added. Click +Add Filter to apply multiple match criteria to the filter. You can save the filter and access it via the caret above the Filters search bar. To delete any criteria, click the red X in the upper right corner of the filter label. |