Configuring Cloud Firewall Steering Exceptions

Configuring Cloud Firewall Steering Exceptions

Navigate to Settings > Security Cloud Platform > Traffic Steering > Steering Configuration > Default tenant config > Exceptions tab to view the Exceptions list page.

Exception configurations are not a single global list for the entire account, they are part of each Steering Configuration workflow. Exceptions are configured by first selecting a steering configuration, and then clicking Exceptions, which enables you to specify the traffic you want to bypass the Netskope Cloud.

Steering configuration controls what kind of traffic gets steered to Netskope for real-time deep analysis and what kind of traffic gets bypassed. Admins can configure a set of firewall apps to bypass processing using the Exceptions feature.

When using exceptions, consider these factors:

  • In order to use this feature, you must configure the steering exception to steer all traffic.
  • Netskope Client will not steer traffic to the Netskope cloud for any apps in the exception list. However, the Netskope proxy and app-firewall can still receive traffic matching this exception list in the following scenarios:
    • when traffic is steered to the Netskope cloud through GRE or IPSec tunnels, or,
    • when the Netskope Client detects an upstream GRE/IPSec tunnel and goes dormant and does not process exceptions, or,
    • when the steering and exception configuration are updated in the Netskope UI and the new version takes too long to reach the Netskope Client but the Netskope proxy and app-firewall have the new version already.

Creating Application Exceptions

To learn more: Adding Exceptions.

Creating DNS Exceptions

To learn more: Adding Exceptions.

Note

VMware Fusion forwards all DNS request by NAT due of which DNS exceptions fail. Follow the below steps to use DNS Security as an additional parameter in nat.conf.

Add below given parameter to “/Library/Application Support/VMware Fusion/vmnet8/nat.conf” and restart your Mac device.

[dns]
prohibitHostLookup = 1

Bypassing Network Events

By default Exceptions are not logged in Skope IT Events. To see the bypassed traffic for Exceptions in Skope IT, you need to enable this feature on the Steering Configuration page.

BypassTraffic.jpg

Click the pencil icon to view the Log Bypassed Traffic window. Enable the Log radio button and click Save.

LogTraffic.jpg

Navigate to Skope IT > Network Events to view your bypassed applications.

BypassApps.jpg
Share this Doc

Configuring Cloud Firewall Steering Exceptions

Or copy link

In this topic ...