Netskope Help

Integrate with Symantec DLP
Overview

Netskope lets you leverage your existing Symantec DLP Network Prevent investment by integrating it with the Netskope cloud solution. Netskope performs a first pass of DLP scanning on unstructured content in the cloud and sends the documents to the on-premises Symantec Vontu solution for the final verdict.

The general workflow includes:

  1. Netskope initially scans content destined for SaaS applications. Files that trigger DLP violations are quarantined to a sanctioned app using the API Connector service.

  2. Netskope's Secure Forwarder, a virtual appliance deployed on the customer premises, monitors for such quarantined files.

  3. The Netskope system exposes several REST APIs to get the list of quarantined files in a specified period, download a quarantined file, and take action (Allow or Block) on a specified quarantined file.

  4. A service on the Secure Forwarder polls for the list of quarantined files that have not yet been acted upon; for each such file, it downloads the file and invokes an ICAP client to relay the content to the ICAP server of Symantec DLP Network Prevent in the customer's environment.

  5. Symantec DLP Network Prevent replies with an Allow or Block response encapsulated in the ICAP protocol. The service on the Secure Forwarder strips the ICAP protocol headers and then allows or blocks the file, as the case may be, using the aforementioned Netskope REST APIs.
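The ICAP side of steps 4 and 5, as an added Python example (this is not Netskope's Secure Forwarder code and not Symantec's): it encapsulates a downloaded file in an RFC 3507 REQMOD request addressed to the reqmod URI, then decapsulates a server reply into a status line and headers and maps it to an allow/block decision. The Netskope REST API calls that list, download and act on quarantined files are left to the caller, the sample responses are constructed, and the status-to-verdict mapping is an assumption stated in the docstring of verdict().

```python
"""Client side of the ICAP exchange in steps 4 and 5 (RFC 3507 REQMOD).

Added illustration, not Netskope's Secure Forwarder code. The Netskope REST
API calls (list, download, allow/block) are left to the caller; the allow/
block mapping in verdict() is an assumption, see its docstring.
"""
from urllib.parse import urlparse

ICAP_DEFAULT_PORT = 1344  # RFC 3507 default port

# Constructed sample replies, shaped like an ICAP server's responses.
ALLOW_RESPONSE = (b'ICAP/1.0 204 No Content\r\n'
                  b'ISTag: "constructed-istag"\r\n\r\n')
BLOCK_RESPONSE = (b'ICAP/1.0 200 OK\r\n'
                  b'ISTag: "constructed-istag"\r\n'
                  b'Encapsulated: res-hdr=0, res-body=52\r\n\r\n'
                  b'HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
                  b'8\r\nblocked.\r\n0\r\n\r\n')


def build_reqmod_request(icap_uri: str, filename: str, body: bytes,
                         origin_host: str = "upload.example.invalid") -> bytes:
    """Wrap a simulated HTTP upload of `body` in an ICAP REQMOD request.

    The DLP server inspects the encapsulated HTTP request; the ICAP
    `Encapsulated` header gives the byte offset of each section and the
    body is sent in HTTP chunked encoding (RFC 3507 section 4.5).
    """
    parsed = urlparse(icap_uri)
    if parsed.scheme != "icap" or not parsed.hostname:
        raise ValueError(f"not an ICAP URI: {icap_uri}")
    host, port = parsed.hostname, parsed.port or ICAP_DEFAULT_PORT
    http_req = (
        f"POST /upload/{filename} HTTP/1.1\r\n"
        f"Host: {origin_host}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    icap_hdr = (
        f"REQMOD {icap_uri} ICAP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        f"Allow: 204\r\n"  # server may answer 204 if the content is unchanged
        f"Encapsulated: req-hdr=0, req-body={len(http_req)}\r\n\r\n"
    ).encode()
    return icap_hdr + http_req + chunked


def parse_icap_response(raw: bytes) -> dict:
    """Decapsulate the ICAP status line and headers; the encapsulated HTTP
    message, if any, is returned unparsed under 'body'."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response: no header terminator")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or not parts[1].isdigit():
        raise ValueError(f"bad ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else "",
            "headers": headers, "body": body}


def verdict(resp: dict) -> str:
    """Map an ICAP reply to the action taken through the Netskope REST API.

    Assumption: 204 No Content (request unchanged) means allow; 200 OK that
    carries an encapsulated HTTP *response* (res-hdr, e.g. a 403 block page)
    means block; a 200 that only echoes the request (req-hdr) is allow.
    Anything else (4xx/5xx, malformed) is 'error' so the caller fails closed
    and does not release the file.
    """
    status = resp["status"]
    encapsulated = resp["headers"].get("encapsulated", "")
    if status == 204:
        return "allow"
    if status == 200:
        return "block" if "res-hdr" in encapsulated else "allow"
    return "error"


if __name__ == "__main__":
    req = build_reqmod_request("icap://icap01.dp.com/reqmod", "report.docx", b"hello")
    print(req.decode("iso-8859-1"))
    for sample in (ALLOW_RESPONSE, BLOCK_RESPONSE):
        print(verdict(parse_icap_response(sample)))
```

Sending the request over TCP to port 1344 and reading the reply is the only part omitted; the point is that the decision the Secure Forwarder feeds back to the Netskope API is derived purely from the ICAP status line and the `Encapsulated` header, and that anything other than the two expected reply shapes should be treated as an error rather than an allow.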

Workflow

The following diagram shows the integration workflow.

[Diagram: Netskope and Symantec DLP Network Prevent integration workflow]
Prerequisites

You can use this feature with the N1000, N2000, or N5000 appliances or the Secure Forwarder (virtual appliance) version 2.32 or greater. You must have admin rights, and the rest of the deployment must be complete and operational before starting the integration.

Deploy the Secure Forwarder in the same network as Symantec DLP Network Prevent.

Symantec DLP Network Prevent Configuration
  1. In the Symantec DLP Network Prevent configuration, enable ICAP.

  2. Record the request and the response URIs that will be used in the Netskope configuration.

    See Symantec documentation here for additional details regarding enabling ICAP.

Netskope Configuration

Follow the steps outlined below to enable the DLP engine.

Note

Refer to your Symantec DLP Network Prevent documentation for the reqmod and respmod URI endpoints.

Command       Description

enable        Enables the DLP client to run content through the On-Premises DLP engine via the ICAP protocol.

reqmod-uri    URI for the REQMOD service of the On-Premises DLP engine. For example: icap://icap01.dp.com/reqmod

respmod-uri   URI for the RESPMOD service of the On-Premises DLP engine. For example: icap://icap01.dp.com/respmod

  1. Access the system console using ssh.

  2. Log in to the system using your admin credentials. Ensure you have accessed the nsshell.

  3. Enter configure to initiate the nsshell configure mode.

  4. Enter the following configuration commands:

    1. set dataplane dlp-engine enable true

    2. set dataplane dlp-engine reqmod-uri <URI>

    3. set dataplane dlp-engine respmod-uri <URI>

  5. Enter show dataplane dlp-engine to check your work.

  6. Enter save to save your changes.

  7. Enter exit to leave the configure mode.

  8. Enter exit to leave the nsshell and exit the console.
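A pre-flight check for the two URI values before they are typed into nsshell, as an added Python example (not Netskope tooling): it rejects a non-icap scheme, a missing host, an out-of-range port, embedded credentials, and a path that does not match the service (so a swapped reqmod/respmod pair is caught), and only then emits the configure-mode commands from the steps above. The icap scheme and default port 1344 come from RFC 3507; the /reqmod and /respmod paths are the service names shown on this page.

```python
"""Pre-flight validation of reqmod-uri / respmod-uri before entering them in
nsshell. Added example, not Netskope tooling; scheme and default port are
from RFC 3507, the /reqmod and /respmod paths are those shown on this page."""
from urllib.parse import urlparse

ICAP_DEFAULT_PORT = 1344


def check_icap_uri(uri: str, service: str) -> str:
    """Return `uri` (stripped) if it is a plausible ICAP service URI, else raise."""
    uri = uri.strip()
    p = urlparse(uri)
    if p.scheme != "icap":
        raise ValueError(f"{uri}: scheme must be icap, got {p.scheme or 'none'}")
    if not p.hostname:
        raise ValueError(f"{uri}: missing host")
    if p.username or p.password:
        raise ValueError(f"{uri}: credentials in the URI are not meaningful for ICAP")
    _ = p.port  # raises ValueError if the port is not a number in 0-65535
    if p.query or p.fragment:
        raise ValueError(f"{uri}: query or fragment is not allowed")
    if p.path.rstrip("/").lower() != f"/{service}":
        raise ValueError(f"{uri}: path must be /{service} for the {service.upper()} service")
    return uri


def dlp_engine_commands(reqmod_uri: str, respmod_uri: str) -> list:
    """Build the nsshell configure-mode commands only after both URIs pass."""
    req = check_icap_uri(reqmod_uri, "reqmod")
    resp = check_icap_uri(respmod_uri, "respmod")
    return [
        "set dataplane dlp-engine enable true",
        f"set dataplane dlp-engine reqmod-uri {req}",
        f"set dataplane dlp-engine respmod-uri {resp}",
        "save",
    ]


if __name__ == "__main__":
    for cmd in dlp_engine_commands("icap://172.16.11.100/reqmod",
                                   "icap://172.16.11.100/respmod"):
        print(cmd)
```

The port is optional in the URI (the page's own examples omit it, and the ICAP default of 1344 then applies); the check only fails on a port that is present but not a valid number.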

Secure Forwarder Example Configuration
# set dataplane dlp-engine enable true
# set dataplane dlp-engine reqmod-uri icap://172.16.11.100/reqmod
# set dataplane dlp-engine respmod-uri icap://172.16.11.100/respmod
# save
Configuration saved
No bypass domain list configured...
Restarting dlpclient service
#