Cloud TAP
Netskope Cloud TAP allows you to tap traffic that traverses the Netskope infrastructure, sending a copy for inspection.
Note
This feature is licensed. Contact your Netskope Sales team to enable this feature in your tenant. Cloud TAP is unavailable for PRC, FedRAMP, and PBMM customers.
About Cloud TAP
Many organizations have on-premises intrusion detection devices integrated with the network using a “tap”. That is, a tap sends a copy of the network traffic to the intrusion detection devices for inspection. As organizations move their traffic to the Netskope cloud they are looking for similar functionality. Here are the key requirements:
- Capture traffic before decryption, as if it was captured while leaving the user’s host
- Capture whole flows – both forward and return traffic
- Deal with security vendors that cannot decrypt TLS by presenting a clear-text variant of the traffic
- Use both on-premises and cloud-hosted security products
With Cloud TAP, Netskope can tap your connections as they traverse our gateway processes, and save a copy to cloud storage. This copying is continuous and the data is stored in a proprietary format, split into many BLOBs. You must provision a bucket from your organization’s cloud storage provider as an object store to accept the copy of traffic and TLS session keys. We store session keys next to the data, in the same object store. You can also store session keys in a different object store.

When enabled, Cloud TAP saves a selection of your traffic to cloud storage using a set of credentials you provide. This feature is available for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
Requirements
Following are requirements for Cloud TAP:
- For the Netskope tool (i.e., the Cloud TAP stitcher):
  - The machine must be Ubuntu 20.04 or newer.
  - You must install Docker Engine version 24.0.5 or newer on your machine.
  - Refer to Cloud TAP Stitcher Host Sizing to view the machine or host resource requirement for the Cloud TAP Stitcher and the desired throughput.
- You must ensure that the Cloud TAP stitcher, cloud storage, and NDR instance are in the same cloud region.
- You must ensure the Cloud TAP stitcher instance and NDR instance are in the same VPC/VNET.
- You must ensure that the Cloud TAP stitcher has reachability to cloud storage.
- For Cloud TAP stitcher access, you must set up roles with the necessary permission to allow the Cloud TAP stitcher to download traffic data from your cloud storage bucket.
  - If the Cloud TAP stitcher is running in a VM instance (i.e., outside a cloud provider environment), you must provide an export of the access credentials (a .json file).
  - If the Cloud TAP stitcher is running on a GCP cloud instance, you can grant the Cloud TAP stitcher permission and skip exporting the access credentials.
  - If the Cloud TAP stitcher is running on an AWS or Azure cloud instance, you must provide an export of the access credentials (a .json file). The capability to use native cloud provider authentication with an AWS or Azure cloud instance is not supported.
- For Netskope Cloud TAP, you must set up roles with the necessary permissions to send traffic to your cloud storage bucket. You must also provide export access credentials (a .json file).
- For your cloud storage buckets, you must provide a bucket for your cloud storage provider with the appropriate permissions and retention policy configured.
Note
For Azure, an Azure Blob storage account is required. When the Cloud TAP feature is enabled in your Netskope tenant, a default container named ‘netskope’ is automatically created within the specified storage account.
- You must also consider your traffic selection criteria and steering method:
  - user id, identity
  - destination TCP port
  - source IP address subnet
For AWS, use the following credentials format:
{
  "access_key_id": "YOUR_ACCESS_KEY_ID_HERE",
  "secret_access_key": "YOUR_SECRET_ACCESS_KEY_HERE"
}
For GCP, refer to the Google documentation for instructions on exporting and downloading the .json file. The following is an example of the resulting file:
{
  "type": "service_account",
  "project_id": "your_project_id",
  "private_key_id": "your_private_key_id",
  "private_key": "---PRIVATE KEY-----\n",
  "client_email": "your_service_account_email",
  "client_id": "your_client_id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your_service_account_email"
}
For Azure, use the following credentials format:
{
  "access_key": "YOUR_ACCESS_KEY_HERE"
}
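As an added example (not part of Netskope's documentation or tooling), a small pre-deployment check in Python that validates a credentials export against the three formats above before it is handed to the stitcher or the tenant: it flags template placeholders left in place, empty values, a truncated GCP private key, and a file that other users can read. Which GCP fields are treated as required is an assumption.

```python
import json
import os
import stat

# Required keys per provider, taken from the credential formats shown above.
# The GCP set is an assumption: the *_url fields are not checked here.
REQUIRED_KEYS = {
    "aws": {"access_key_id", "secret_access_key"},
    "gcp": {"type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri"},
    "azure": {"access_key"},
}

def detect_provider(creds):
    """Infer which provider format the export follows from its keys, or None."""
    keys = set(creds)
    if REQUIRED_KEYS["aws"] <= keys:
        return "aws"
    if creds.get("type") == "service_account" and REQUIRED_KEYS["gcp"] <= keys:
        return "gcp"
    if REQUIRED_KEYS["azure"] <= keys:
        return "azure"
    return None

def find_problems(creds):
    """Return human-readable problems; an empty list means the export looks usable."""
    provider = detect_provider(creds)
    if provider is None:
        return ["keys do not match the AWS, GCP or Azure credentials format"]
    problems = []
    for key in sorted(REQUIRED_KEYS[provider]):
        value = creds.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{provider}: '{key}' is empty or not a string")
        elif value.lower().startswith("your_"):   # template text left in place
            problems.append(f"{provider}: '{key}' still holds the placeholder '{value}'")
    pk = str(creds.get("private_key") or "")
    if provider == "gcp" and not ("BEGIN PRIVATE KEY" in pk and "END PRIVATE KEY" in pk):
        problems.append("gcp: 'private_key' is not a complete PEM private key block")
    return problems

def check_file(path):
    """Validate an export on disk, also requiring owner-only permissions (0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is group/world readable; chmod 0600 it")
    with open(path, encoding="utf-8") as fh:
        return problems + find_problems(json.load(fh))
```

Run `check_file("/path/to/credentials.json")` on the stitcher host before starting it; a non-empty list means the export should be corrected before it is used.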
Configuring Cloud TAP
In order to use Cloud TAP, you must deploy and configure the Cloud TAP stitcher, and enable Cloud TAP in your Netskope tenant.
The following sections describe the various configuration steps.
Usage Dashboard
You can view the Usage Dashboard by clicking View Dashboard.
The Usage Dashboard shows the amount of data copied from Netskope to storage.