Netskope Help

Create a Real-time Protection Policy for Isolation (Targeted RBI)

Policies are defined using a set of variables. These variables define the criteria for detecting policy violations.

For descriptions for each of the variables used, refer to Real-time Protection Policy Variables.


When you see a text box during the policy workflow, click in the text box to view your additional options or to edit your selection(s). These options dynamically display based on your initial template choice. Many criteria are set to ‘Any’ by default. This means the policy engine will not match against the criteria.

When available, click Add Criteria to see what other match criteria are supported. Add more criteria to your policy to make it more specific.

Optionally, click the 'X' to the far right of the text box to remove a criteria.

To create a Targeted RBI Policy you need to take into account the following constraints and configurations for webpages to be isolated properly.

  1. On the Real-time Protection Policies page, click New Policy > RBI. Your menu options may differ based on the licenses available for your account.


    When you select RBI, the system automatically picks 'web access' and populates recommended fields, such as Category with the recommended RBI categories.

  2. Select the Source. Click in the text box to select users. Traffic Criteria is sorted as 'Source' and 'Destination.' The system will show the most appropriate criteria based on your policy template selection. Many criteria are set to 'Any' by default. This means the policy engine will not match against the criteria.

  3. Optionally, click Add Criteria to see what other match criteria are supported. Add more criteria to your policy to make it more specific.

  4. For Destination, Category is automatically selected and it’s the only criteria that can be used for targeted RBI. You can choose to isolate any web page which falls in the following category list:

    Newly Registered Domain

    No Content

    Parked Domains


    Web Proxies/Anonymizers.


    These categories are described in the RBI Category Definitions.


    The system will notify you if you have added unrecommended categories to an isolation policy. Remove the unrecommended categories to avoid website performance degradation.

  5. You can add more Destination criteria. The system will show the most appropriate criteria based on Application, Category, App Instance, or Private App selection. Leave this blank for RBI policies.

  6. Select a Profile and Action. For RBI policies, select the "Isolate" action.

  7. Do not add a DLP profile. They do not apply for targeted RBI.

  8. Enter a name and a description.


    When creating policy names, only use alphanumeric characters and symbols such as "_" underscore, "-" dash, and "[ or ]" square brackets. You cannot use the greater than ">" and less than "<" symbols in policy names. 

  9. Select an Email Notification. Select the notification frequency. Choose None if you don't want an email notification about the policy violation and the resulting action. When you choose 'Every,' you can select the frequency of the email notifications from the dropdown list – 30 Mins, 60 Mins, 6 Hours, 24 Hours. Or, choose to notify 'After each event.'

    Select the User, Admin, or Users to be notified. You can use the default email template or create a new template. Optionally, you can specify an email address that will appear as the sender in the email notification. When finished, click Done to save your email notification setting and exit the window.

  10. Click Save in the upper right corner to save your new policy. You should see it in the Policy list page.

Real-time Protection Policy Variables

The following variables can be defined for a Real-time Protection policy. You can use a variety of variables in a policy. If a variable is not used in the policy, it is defined as Any.




Users created manually in the UI or Active directory users that are automatically populated from the enterprise AD server.

User Groups

These are the Active Directory (AD) groups that are automatically populated to the Netskope cloud from the Enterprise AD server. Specifying user groups in a policy requires installing the Netskope AD adapter on a server that is part of your domain in order to export the AD user group names.

Organizational Unit

This information is obtained from the exported AD groups. Specifying organizational units in a policy requires installing the Netskope AD adapter on a server that is part of your domain in order to export the AD organizational unit names.

Cloud Apps + Web

Cloud app variables include:

  • Applications: Choose an individual app, like Dropbox.

  • Categories: Choose a type of app or web, like cloud storage. For more information, see Category Definitions.

  • App Instances: Choose an app instance to include in a policy. Multiple SaaS app instances can exist at the same time (like an corporate app instance versus a personal app instance). Existing app instance labels appear in the dropdown list.

Cloud Confidence Index Level (CCI Level)

A CCI Level can be applied when certain app categories, like Application Suite, are chosen. CCI measures the enterprise readiness of the cloud apps taking into consideration their security, auditability, and business continuity. Each app is assigned a score of 0-100, and based on the score, placed into one of five cloud confidence levels: Excellent, High, Medium, Low, or Poor. CCI can be used as a matching criteria in the policy. For example, you can choose to not let users share content in cloud storage apps rated Medium or below.

DLP Profile

A data loss prevention (DLP) profile detects violations like PCI (which identifies credit card information). DLP profiles and rules can be configured in Policies > DLP.

Threat Protection Profile

A threat protection profile detects malware files and malicious sites. Threat protection profiles can be configured in Settings > Threat Protection.


The Netskope content analytics engine performs deep packet inspection to detect a specific cloud app and also to extract the relevant information about the activities performed with that app. It can detect if the user downloads a file, uploads a file, shares a file, and also detects the file name, and so on. Today the Netskope engine can detect 41,000+ apps and can track 80+ activities.


What the user is allowed to do for that specific activity (like allowed to share only within the organization). Constraints are shown only for the activities that support each constraint. Constraint profiles are defined in Policies > Profiles > Constraints. Refer to Profiles for details on configuring constraints profiles.

Additional Attributes

These optional variables detect the following:

  • Access Method: The access type, like client, mobile, GRE, IPSec, and so on.

  • Browser: The browser type, like Chrome, Internet Explorer, and so on.

  • Device Classification: Managed or unmanaged devices based on the classifications created in Settings > Manage > Device Classification. This option is only applicable for access methods: Client, Mobile Profile, Revere Proxy.

  • File Size: The size of files, like files larger or smaller than 2 MB (whatever your specify).

  • File Type: The file types, like spreadsheets, text files, and so on.

  • Source Countries: The countries from where queries originate from.

  • Destination Countries: The countries to where queries are sent.

  • OS: Operating system types, like Mac, Linux, Windows, Android, iOS, and so on.

  • Source Network: The network address, range, or any network, including user IP address or egress IP address.

  • User Type: The user, to a user, or from a user.

  • Video Category: Displays only when YouTube is the selected app. You can configure policies for video categories as defined by YouTube. This enables you to selectively allow access, or not, to certain types of content within YouTube.


Action taken when a violation is detected:

  • Alert: Inspects the session and performs deep analytics but no action is taken. It will generate an alert under the Alert tab.

  • Allow: All activities will be permitted on managed devices.

  • Block: Blocks the specified app session if all criteria are matched. For example, if the policy is configured to block only a download activity for cloud storage, only the download will be blocked. All other activities will be permitted. You can specify a default block page or a custom block page to be displayed when a block action is taken. Block Template options include the following but you may see other templates in your set up that are unique to your account:

    • Default Template: Default template for Block and User Alert which is available when the account is set up.

    • No Notification (Mute): No notifications are displayed when this option is selected. Additionally, this option is available for all categories, apps, and instances.

    • Block Template with URL: URL the user is redirected to automatically or after clicking the Stop Button. Admins can add this URL while designing the template. In addition, admins can add variable tags for the redirect URL(s).

    • Block with Justification Box: Justification box option provides a text box within the notification window where the user can enter a justification message.

    • Block with UA Action: User Alert action is configured with an option the user selects to "Proceed" or "Block" the activity.


      Except the Default Template and No Notification (Mute) options noted above, all other other templates are created and maintained by account admins.

  • Idle Timeout: Enter the amount of minutes to trigger a session timeout.

  • Bypass: Bypasses the detection when the criteria are matched. For example, if you want to bypass all activities from being detected except for login and logout, then choose all the activities except Login Successful and Logout, and then set the action as Bypass.

  • User Alert: When a user alert action is chosen, you can specify a default user alert page or custom page to be displayed to the user as defined in the policy. The user justification page for a user alert action will have Proceed and Stop Action buttons. The Proceed button will allow the activity and generates an activity event with the user's justification reason, whereas the Stop Action just blocks the activity. The user's justification reason for the activity is cached for 30 minutes.

  • Quarantine: If a user uploads a document that has a DLP violation, you can quarantine the file, which moves the file to a quarantine folder for you to review and take appropriate action. You can then choose to allow the file to be uploaded or block the file from being uploaded. This option is available only when DLP is included in a policy. Also the action can be taken only for the upload activity.

  • Encryption: You can encrypt files in the named instances of cloud apps that are sanctioned if it matches certain policy criteria. Encryption is available only when an app instance of a cloud app is chosen. To learn how to create an app instance, refer to Create an App Instance. The encryption action can be applied to an upload activity. If any other activity is chosen, like download, encryption will not show under the list of actions.