Configuring Cloud Firewall Steering Exceptions
Configuring Cloud Firewall Steering Exceptions
Navigate to Settings > Security Cloud Platform > Traffic Steering > Steering Configuration > Default tenant config > Exceptions tab to view the Exceptions list page.
Exception configurations are not a single global list for the entire account, they are part of each Steering Configuration workflow. Exceptions are configured by first selecting a steering configuration, and then clicking Exceptions, which enables you to specify the traffic you want to bypass the Netskope Cloud.
Steering configuration controls what kind of traffic gets steered to Netskope for real-time deep analysis and what kind of traffic gets bypassed. Admins can configure a set of firewall apps to bypass processing using the Exceptions feature.
When using exceptions, consider these factors:
- In order to use this feature, you must configure the steering exception to steer all traffic.
- Netskope Client will not steer traffic to the Netskope cloud for any apps in the exception list. However, the Netskope proxy and app-firewall can still receive traffic matching this exception list in the following scenarios:
- when traffic is steered to the Netskope cloud through GRE or IPSec tunnels, or,
- when the Netskope Client detects an upstream GRE/IPSec tunnel and goes dormant and does not process exceptions, or,
- when the steering and exception configuration are updated in the Netskope UI and the new version takes too long to reach the Netskope Client but the Netskope proxy and app-firewall have the new version already.
Creating Application Exceptions
To learn more: Adding Exceptions.
Creating DNS Exceptions
To learn more: Adding Exceptions.
Note
VMware Fusion forwards all DNS request by NAT due of which DNS exceptions fail. Follow the below steps to use DNS Security as an additional parameter in nat.conf.
Add below given parameter to “/Library/Application Support/VMware Fusion/vmnet8/nat.conf” and restart your Mac device.
[dns] prohibitHostLookup = 1
Bypassing Network Events
By default Exceptions are not logged in Skope IT Events. To see the bypassed traffic for Exceptions in Skope IT, you need to enable this feature on the Steering Configuration page.
Click the pencil icon to view the Log Bypassed Traffic window. Enable the Log radio button and click Save.
Navigate to Skope IT > Network Events to view your bypassed applications.