Netskope Help

GRE & IPSec Tunnel Gateway - HTTP(S) Non-Standard Port Support

With cloud firewall support in GRE and IPSec gateway, there is a need to steer HTTP(S) traffic over the non-standard ports in addition to the HTTP(S) standard ports 80/443 to Netskope proxy for tenants who have opted for the cloud firewall service. The rest of the traffic from these tenants will continue to be steered to cloud firewall.

Since the gateway services operate at network layers L3 and L4, they are agnostic to other configuration attributes like user, group, domain that are part of the custom port configuration. So as part of non-standard port configuration, the gateways can only steer traffic based on the L4 port numbers for the TCP protocol. The other configuration like group, domain will be ignored.

Configure a Custom Port

In addition to the standard HTTP(S) ports, you can configure non-standard ports to steer HTTP(S) traffic to Netskope proxy for tenants who have opted for the cloud firewall service. To do so, follow the steps below:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Settings > Security Cloud Platform > Traffic Steering > Steering Configuration.

  3. In Default tenant config, click ... and Edit.

  4. Under Traffic Steering, click All Traffic.

  5. Click the Non-Standard-Ports tab.

  6. Check the Steer non-standard ports checkbox.

  7. Under Ports, enter the non-standard HTTP(S) port number.

    Note

    You can enter multiple non-standard HTTP(S) port numbers by clicking +NEW or import a CSV file.

  8. Click Save.

Important

Customer should ensure that only HTTP(S) traffic is steered through the non-standard ports to Netskope proxy. If non-HTTP(S) traffic is steered to Netskope proxy, the firewall rules will not apply to such traffic.

Explicit Proxy Using Custom Port

Customers who opt for Netskope cloud firewall and use explicit proxy over GRE and IPSec tunnels should configure the explicit proxy IP and port information using the non-standard port configuration work-flow.

The gateway services will continue to steer traffic received from explicit proxy based on the explicit proxy port information available in the non-standard port configuration. The Netskope proxy will handle the non-standard port configuration for explicit proxy as appropriate.