Manage a Publisher
After deploying your publisher, use the following sections to make modifications to your Publishers.
After assigning private apps to specific Publishers, you can change one or more Publishers simultaneously. The Private Apps page enables you to change private apps assignments in bulk. For example:
Change one or more publishers for private apps.
Quickly migrate existing private apps to a new publisher.
Disconnect private apps before deleting a publisher.
To change publishers for private apps:
Go to Settings > Security Cloud Platform > App Definition > Private Apps.
Select one or more private app check boxes and click Change Publishers.
The selected private apps are shown in the Bulk Change Publisher dialog box. Click in the Publisher text field and select one or more publisher in the dropdown list, and then click Save.
In addition to changing publishers for private apps, this page enables you to delete one or more private apps. Select one or more private app check boxes, and click Delete, and then click Delete again to confirm. If the private app being deleted is specified in a policy, a message box informs you of this factor and you'll need to remove it from the policy in order to delete the private app.
This topic describes how to upgrade one or more Publishers. Using at least a pair of Publishers for each private app is recommended so they can provide high-availability access. Before upgrading all Publishers, upgrade a test Publisher first, and then proceed to the other Publishers.
To use these instructions, first identify the Publishers that you want to upgrade.
Note
A Publisher needs reachability to the official Ubuntu Mirrors during the update process. Please review and allow the appropriate destinations for a successful Publisher software update.
Upgrading Publishers
SSH into the Publisher you want to upgrade.
On the Publisher option menu, select Upgrade, and then select 1 to initiate the upgrade. The upgrade should take around a minute.
In the Netskope UI, go to Settings > Security Cloud Platform > Publishers. Locate the Publisher you just upgraded on the Publishers page to confirm it has a Connected status.
Repeat these steps for every Publisher you are using to access private apps.
Changing Publishers during an Upgrade
If the upgraded publisher has not re-established access, re-assign the app(s) to a different Publisher.
To change Publisher assignments in the Netskope UI, go to Settings > Security Cloud Platform > App Definition > Private Apps. Select the checkboxes for the apps assigned to the Publisher and click Change Publisher.
Click in the Publishers text field, and then select a different Publisher from the list. When finished, click Save.
Locate the Publisher you just assigned on the Publishers page to confirm it has a Connected status. If not, contact Netskope Support to stop the upgrade process and ask for assistance.
The following sections provide information about monitoring Publishers. Go to Private Access Troubleshooting for troubleshooting information.
Thresholds to Monitor
CPU Utilization > 75%
Memory Utilization > 90%
Disk Space Left < 1GB
To Validate Resolution of the NPA Cloud
curl https://dns.google/resolve?name=stitcher.npa.goskope.com&type=A&edns_client_subnet=PublisherEgressIP
Nslookup stitcher.netskope.com
Linux OS CLI Commands to Monitor Resources
top, cat /proc/meminfo, htop, sysstat, nload, iftop, nethog, bmon
SNMP OIDs to Monitor Resources
Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1
Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
Total size of the disk/partion (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
Percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
Raw user CPU time: .1.3.6.1.4.1.2021.11.50.0
Percentage of system CPU time: .1.3.6.1.4.1.2021.11.10.0
Raw system CPU time: .1.3.6.1.4.1.2021.11.52.0
Percentage of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
Raw idle CPU time: .1.3.6.1.4.1.2021.11.53.0
Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
Total RAM used: .1.3.6.1.4.1.2021.4.6.0
Total RAM Free: .1.3.6.1.4.1.2021.4.11.0
Total bytes received on the interface: .1.3.6.1.2.1.2.2.1.10
Total bytes transmitted on the interface: .1.3.6.1.2.1.2.2.1.16
Additional Publisher Logs for Troubleshooting
Connection Segment | Description | Example |
|---|---|---|
Registration Logs - Publisher | Logs to verify successful registration, or failed registration. | Logs to check: ~/logs/publisher_wizard.log Successful Registration: 2021/07/27 20:00:41 UTC Registering with your Netskope address: ns-6413.us-sv5.npa.goskope.com 2021/07/27 20:00:41 UTC Publisher certificate CN: 130dbd9d40e4ad35 2021/07/27 20:00:41 UTC Attempt 1 to register publisher. 2021/07/27 20:00:43 UTC Publisher registered successfully. Failed Registration: 2021/08/19 13:21:06 UTC Attempt 1 to register publisher. 2021/08/19 13:21:08 UTC Get https://ns-6413.us-sv5.npa.goskope.com/api/discovery: x509: certificate signed by unknown authority 2021/08/19 13:21:08 UTC Registration failed because a discovery call didn't succeed. Please generate a new token and try again. |
Publisher ⇔ Netskope connectivity logs | Logs to check: ~/logs/agent.txt Succesful tunnel connection: eventlog.cpp:115:logPublisherTunnelEvent():0x0 {"eventId": "NPACONNECTED", "publisherId": "130dbd9d40e4ad35", "stitcherIp": "163.116.135.6", "tenant": "ns-6413.us-sv5.npa.goskope.com"} Successful connection and certificate verification: sslhelper.cpp:80:verify_callback():0x0 Verified: /DC=io/DC=newedge/CN=New Edge Root CA Failed connection due to SSL error sslhelper.cpp:302:logSslError():0x0 SSL Error 5 error:00000005:lib(0):func(0):DH lib | |
Publisher⇔ Netskope HTTPS logs | Management Plane: openssl s_client -connect ns-{TENANTID}.{POPNAME}.npa.goskope.com:443 -servername ns-{TENANTID}.{POPNAME}.npa.goskope.com Data Plane: openssl s_client -connect stitcher.npa.goskope.com:443 -servername ns-{TENANTID}.{POPNAME}.npa.goskope.com | |
Publisher⇔ Application Connection Logs | Logs to check: ~/logs/agent.txt Application definition and reachability: reachability.cpp:109:parse():0x2484790 Added protocols login.microsoftonline.com:tcp:443-443; tcp:80-80; udp:443-443; udp:80-80; Application connection: tcpproxyhandler.cpp:35:TcpProxyHandler():0x2504cf0 Creating tcp connection to login.microsoftonline.com:443 | |
Client connects and disconnects | May follow Publisher disconnects and can be used to correlate issues: neconfig.cpp:121:setClientId():0x0 Set clientId l0ThzLYeZnqA neconfig.cpp:121:setClientId():0x0 Set clientId l0ThzLYeZnqA Indicates a graceful shut down and will not always be present if there’s an issue: L3ClientChannel.cpp:48:destroy():0x1292810 Cleaning up l3clientChannel |
This topic explains how to enable SNMP on a Publisher and edit the firewall to allow external monitoring.
Connect to a Publisher using SSH and log in.
On the menu, select
6and exit to the CLI.Update all packages (recommended):
sudo apt-get update
Install SNMP.
sudo apt-get install snmpd -y
Configure the agentAddress in the
/etc/snmp/snmpd.conffile.Restart the SNMPD service.
sudo service snmpd restart
Check that SNMPD is started.
sudo service snmpd status
Verify the firewall (ufw) is running.
sudo ufw status
Configure UFW to allow connections to SNMPD. The SNMP daemon will listen for connections on port 161.
sudo ufw allow in to any port 161 proto udp
Verify the SNMP service has been allowed by the firewall permanently and that UDP traffic on Port 161 is allowed.
sudo ufw status Status: active To Action From -- ------ ---- 161/udp ALLOW Anywhere 161/udp (v6) ALLOW Anywhere (v6)