Exceptions
A steering configuration steers traffic to Netskope cloud. By specifying exceptions in a steering configuration you can send traffic from a selected source (for example, apps, domains, etc) directly to their respective destination and bypass Netskope cloud. For example, in an environment that uses a full tunnel VPN setup you may want to send specific traffic to the respective VPN gateway directly and not to the Netskope cloud.
This article provides detailed information on adding various exceptions to a steering configuration. Ensure that you have administrator privileges to your Netskope tenant WebUI. For the purpose of illustration this article uses the default tenant configuration as an example.
Recommended Reading
We recommend that you read the following articles for better understanding of Netskope steering configuration.
Steering Exception Considerations
When using exceptions, consider these factors:
OU and User Group based exceptions cannot be applied when the Netskope Secure Web Gateway uses the cookie-surrogate feature to get user identity.
In the case of GRE and IPSEC deployments, the Netskope Secure Web Gateway gets the user identity with the help of the Netskope Client (if installed and enabled), or through SAML authentication. If by chance the traffic arrives before the user identity is known to the Netskope Secure Web Gateway, OU and User Group based exceptions cannot be applied.
If the user identity is not known to the Netskope Secure Web Gateway, the default exception configuration will be applied.
Exception Traffic Logs
By default exception traffic is not logged in Skope IT Events. If you prefer to see exception traffic in Skope IT, you must enable it on the Steering Configuration page.
Supported Exceptions
The following are the supported exceptions:
Exception Type | Dynamic Steering Enabled | Dynamic Steering Disabled | ||
|---|---|---|---|---|
On-Prem | Off-Prem | Cloud Apps | All Traffic | |
Y | N | Y | Y | |
N | Y | N | Y | |
Y | Y | Y | Y | |
Y | Y | Y | Y | |
N | Y | N | Y | |
Y | Y | Y | Y | |
Y | Y | Y | N | |
Y | Y | Y | Y | |
Application
Organizations that use home grown applications can use the Application exception to bypass traffic from their custom app definitions. App definitions allows you to add custom apps, connectors or private apps. To learn more about creating App Definitions, see App Definition.
Adding an Application Exception
Go to Settings > Security Cloud Platform > Steering Configuration.
On the Steering Configuration page, select a steering configuration.
Click the Exceptions tab.
Click New Exception.
In the New Exception window:
Exception Type: Choose Application and select applications from the dropdown list. You can also search for applications.
Action: Choose one of the following actions.
Bypass: Choose to bypass the selected apps, sending all traffic straight to the destination. This is the default action.
Bypass, except for DNS traffic: If you enabled the Steer DNS traffic option and selected an application that includes port 53 (the standard port for DNS), choose to bypass the selected apps, sending all traffic except DNS traffic to the destination.
Notes: Optionally, enter comments or notes for the exception.
Click Add to save the application exception.
Category
A category defines a collection of destinations (websites) that serve similar types of content. For example, the Art category is a collection of websites that contain creative art judged solely for its intellectual or aesthetic components. When you select the Art category as an exception, traffic to all destinations (websites) in this category will bypass Netskope cloud and will be sent directly to their respective destinations
Note
If dynamic steering is enabled, the Category exception is not available for on-premises devices.
To learn more about built-in categories, see Category Definitions.
To learn more about creating custom categories, see Create Custom Categories.
Adding a Category Exception
Select a steering configuration. This procedure illustrates using the Default Tenant Configuration.
In the Default Tenant Configuration page, click the EXCEPTIONS tab.
To add a new category exception click the NEW EXCEPTION drop down list and select Category.
In the New Exception pop-up window, do the following:
Click the Categories textbox to view the list of default built-in categories.
Select one or more categories. Click anywhere outside the drop down list to complete your selection.
Click ADD to complete the procedure.
Certificate Pinned Applications
By adding applications as a certificate pinned application exception, the traffic from such applications is bypassed by Netskope cloud. A pinned app stores the public certificate or key of its destination website and presents it to Netskope cloud. When contacting the destination website/server, Netskope cloud verifies the pinned certificate with the server certificate. If they are validated, Netskope cloud bypasses traffic from the pinned application.
Adding a Certificate Pinned Application Exception
On the Steering Configuration page, select a steering configuration.
Go to EXCEPTIONS tab in the Steering Configuration page and select Certificate Pinned Application from the NEW EXCEPTION drop down list.
In the New Exception pop-up window, enter the following:
Certificate Pinned App: Select from one of the pre-configured certificate pinned applications. Click
to view the predefined and custom certificate pinned apps on the Certificate Pinned Apps page. You can also click the + icon to create a new certificate pinned app.Custom App Domains: These are domains used by the application to send traffic from the managed device. Enter each domain separated by a comma. Netskope doesn't support wildcard domains (e.g., *.example.com) for certificate pinned applications. You must enter specific domain names, such as example.com, drive.example.com, mail.example.com, or *. This field is also case sensitive.
Actions: You can choose to bypass or block traffic per platform.
Note
There are separate platforms options to add a new application for Android and Chrome OS. When adding a certificate pinned application, use:
Domain-based configuration for Android 9 or lower.
Process-based configuration for Android 10 or higher.
Toggle the Advanced Options (available only for Windows and Mac devices) to enable the following granular control:
Bypass + Direct: Bypass the configured apps / domains directly to the destination.
Bypass + Tunnel: The client tunnels the traffic from apps / domains but the Netskope proxy will bypass it. This option is useful for domains associated with an SSO authentication service, since these services use the source IP of the Netskope cloud to determine if access to the cloud app is protected by Netskope.
Bypass Managed Devices + Direct: The client will bypass the app only if the device is managed, per the Device Classification policy, but will otherwise block it.
Bypass Managed Devices + Tunnel: The client will tunnel (to be bypassed by Netskope proxy) only if the device is managed, per the Device Classification policy, but will otherwise block it.
Block: The mode and other options are not applicable and the client blocks all the app traffic.
Viewing Domain Exceptions for Predefined Certificate Pinned Applications
On the Exceptions page, you can see the predefined and custom certificate pinned applications that are bypassed from the Netskope cloud for your steering configuration. To see a list of all predefined certificate pinned application exceptions: Certificate Pinned Applications.
 |
You can click the certificate pinned application exception to edit the bypass settings and view a list of the default App Domains bypassing Netskope.
 |
In Custom App Domains, you can enter additional domains to bypass. Enter each domain separated by a comma. Netskope doesn't support wildcard domains (e.g., *.example.com) for certificate pinned applications. You must enter specific domain names, such as example.com, drive.example.com, mail.example.com, or *.
Domains
Domain exception is used to bypass traffic to and from domains as configured in the exception. You can enter multiple domains separated by comma. Domain names are entered either as Fully Qualified Domain Name (FQDN) or wildcard names. When you trust a domain and would like to bypass all its traffic, you could add the specific domain as a wildcard entry. Wildcard domains (e.g., *.example.com) include the root domain and all subdomains. Among many reasons, a common purpose to add domain exception is to bypass traffic from domains that are used for software updates. For example, upgrading Macbooks with macOS updates.
Note
The default exception list includes common domains (as wildcard entries) that are used for software updates. If a software / app update is interrupted ensure that the domain used for update is added to the exception list.
Wildcard Pattern | Matches | Does Not Match |
|---|---|---|
*.netskope.com | www.netskope.com | netskope.com |
netskope.com | netskope.com | www.netskope.com |
Adding a Domain Exception
To add domain exceptions, go to the Steering Configuration page and select a configuration.
In the EXCEPTIONS tab, click NEW EXCEPTION drop down list and select Domains.
In the New Exception pop-up window, enter one more domain separated by comma.
Click ADD to complete the process.
DNS
The DNS exception allows you to bypass DNS traffic.
Adding a DNS Exception
Go to Settings > Security Cloud Platform > Steering Configuration.
On the Steering Configuration page, select a steering configuration.
Click the Exceptions tab.
Click New Exception.
In the New Exception window:
Exception Type: Choose DNS and enter the domains you want to create exceptions for.
For each domain, you must specify the Record Type or choose All Record Types. You can click + Add to add more domains or click Import From CSV to upload a CSV file (the maximum upload is 8 MB).
Note
If the Record Type is PTR, you must enter IP addresses or IP ranges.
Action: All traffic bypasses the Netskope cloud and goes straight to its destination. You can’t modify this field.
Notes: Optionally, enter comments or notes for the DNS exception.
Click Add to save the DNS exception.
Destination Location
Destination Location exception bypasses traffic sent to specific destinations as defined in the network location profile. When installing Netskope Client along with 3rd party apps, like a VPN application, you will need to add exceptions to bypass VPN traffic and send it directly to the respective VPN gateway. The Destination Location exception allows you to add target destinations either as Fully Qualified Domain Name (FQDN) and/or public IP address.
Important
Before adding destination exceptions, you must create network location objects. A Network Location is a profile with a list of public IP addresses.
Adding a Network Location Exception
Login to your tenant webUI and go to Policies > Network Location (under Profiles).
In the Network Location page, click New Network Location and select Single Object or Multiple Object.
Select Single Object, if you are adding a small set of destinations manually.
In the Add Network Location pop-up window, enter the destination address (IP address/range or CIDR network). Click the + icon to add additional addresses. Click Next to continue.
Give a name for this network location. You will need this when adding the exception in steering configuration.
Select Multiple Objects, if you are adding a large set of destinations via a CSV file.
In the Upload Network Locations pop-up window, select the CSV file (max size 8 MB) with the list of destination addresses. The CSV file must have entries in the following format:
[Net Location Name], [IP Address 1], [IP Address 2], , ,For example: Location1, 11.2.3.4, 12.3.5.125/16
Click Upload to complete the process.
Adding a Destination Location Exception
To add a Destination Location exception, go to the Steering Configuration page and select a configuration.
In the EXCEPTIONS tab, click NEW EXCEPTION drop down list and select Destination Location.
In the New Exception pop-up window, enter select the Network Location profile from the list.
Click ADD to complete the process.
Important
When you select Destination Location as the exception, ensure that you select the Treat like local IP address option to bypass the traffic.
Source Location
Source location exception bypasses traffic from a specific set of address (treated as source of traffic) as defined in the network location profile.
To learn about creating source network location, see Adding a Network Location Exception.
To learn about a network location as the exception, follow the steps described for Adding a Destination Location Exception
Source Countries
The Source Countries exception allows you to bypass traffic from specific geo-locations.
Adding a Source Country Exception
To add Source Country exception, go to the Steering Configuration page and select a configuration.
In the EXCEPTIONS tab, click NEW EXCEPTION drop down list and select Source Countries.
In the New Exception pop-up window, enter select one or more countries from the list.
Click ADD to complete the process.