Netskope Help

Add a Policy for SSL Decryption

You can add a policy for SSL Decryption, click Add Policy and specify match criteria for the traffic, followed by the desired action.


By default, the policy is disabled, you must enable it after you are done configuring it.

You must specify at least one match criteria from the Add Match Criteria dropdown to create a policy. The system applies the ‘AND’ operator among multiple criteria groups (e.g. user, domain, and category), and the ‘OR’ operator among multiple match criteria values (e.g. Category 1, Category 2, Category 3).

The following table lists the match criteria options.



Source Network Location

Search and add a source network location (select all that apply) and match against User IP and Source IP addresses. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details. 

Match Against Field

User IP Address - This is the user’s internal / private IP address (RFC 1918).

Egress Source IP Address - This is the user’s external NAT (Public) IP address.

Traffic that runs through the Netskope gateway, including both the User IP and Egress Source IP addresses are viewable by the system. The distinction is helpful so admins can make selective decisions for internal hosts (user IPs) versus all hosts in a given network (egress IPs).

Destination Network Location

Search and add a destination network location, select all that apply. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details.


Lists all categories


List domains as comma separated values.

Netskope supports domain names based on server name indication (SNI) and not certificate name (CN) or subject alternative name (SAN). Wildcard search is supported.


Lists all users

User Group

Lists all user groups

Organizational Unit

Lists all organizational units

App Suite

List of app suites specified with table shown in the App Suite Details topic.

Each app suite name is mapped to a list of defined domains, and the domain list gets updated for new / changes periodically.


Lists apps that is uniquely identifiable base on a single domain name.

There is no overlapping domains to apps. You can select one or more predefined or custom apps and custom apps have higher priority over predefined apps.

In addition, you can select two Action options:

  1. Do not decrypt: traffic will not go through deep analysis.

  2. Decrypt: traffic will move to deep analysis via Real-time Protection policies.

Add a policy name and any optional notes. 

Once you create a policy, you can perform the following actions described in the table below. 




Click the policy name or edit via the ellipses at the end of the policy row.


Click the policy name or disable via the ellipses at the end of the policy row.

Move to Position

Access the Move to Position dialog via the ellipses at the end of the policy row. You can select to move the policy to: Top of policy list, Bottom of policy list, Before policy, or After policy. Click Move to apply your change. Note, if you select before or after policy, a dropdown displays in which you must select a policy from the list.


Select the policy name and click Delete button or delete via the ellipses at the end of the policy row. Deleting a policy means that the corresponding traffic will be decrypted and sent for deep analysis. If you change your mind, click the ellipses to access the Revert Deletion button.

View Pending Changes

View a list of policies that are new or have changed and click Apply Changes to save and implement the policy. 


Use the filters at the top of the list page to quickly access or filter out policies by name or criteria added. Click +Add Filter to apply multiple match criteria to the filter. You can save the filter and access it via the carrot, above the Filters search bar. To delete any criteria, click the red X in the upper right corner of the filter label.