Netskope Help

Manage a Publisher

After deploying your publisher, use the following sections to make modifications to your Publishers.

After assigning private apps to specific Publishers, you can change one or more Publishers simultaneously. The Private Apps page enables you to change private app assignments in bulk. For example:

  • Change one or more publishers for private apps.

  • Quickly migrate existing private apps to a new publisher.

  • Disconnect private apps before deleting a publisher.

To change publishers for private apps:

  1. Go to Settings > Security Cloud Platform > App Definition > Private Apps.

  2. Select one or more private app check boxes and click Change Publishers.

  3. The selected private apps are shown in the Bulk Change Publisher dialog box. Click in the Publisher text field, select one or more publishers from the dropdown list, and then click Save.


In addition to changing publishers for private apps, this page enables you to delete one or more private apps. Select one or more private app check boxes, click Delete, and then click Delete again to confirm. If the private app being deleted is specified in a policy, a message box informs you of this, and you must remove the app from the policy before you can delete it.

This topic describes how to upgrade one or more Publishers. Using at least a pair of Publishers for each private app is recommended so they can provide high-availability access. Before upgrading all Publishers, upgrade a test Publisher first, and then proceed to the other Publishers.

To use these instructions, first identify the Publishers that you want to upgrade.

Note

A Publisher needs reachability to the official Ubuntu Mirrors during the update process. Please review and allow the appropriate destinations for a successful Publisher software update.

Upgrading Publishers
  1. SSH into the Publisher you want to upgrade.

  2. On the Publisher option menu, select Upgrade, and then select 1 to initiate the upgrade. The upgrade should take around a minute.

  3. In the Netskope UI, go to Settings > Security Cloud Platform > Publishers. Locate the Publisher you just upgraded on the Publishers page to confirm it has a Connected status.

Repeat these steps for every Publisher you are using to access private apps.

Changing Publishers during an Upgrade

If the upgraded publisher has not re-established access, re-assign the app(s) to a different Publisher.

  1. To change Publisher assignments in the Netskope UI, go to Settings > Security Cloud Platform > App Definition > Private Apps. Select the checkboxes for the apps assigned to the Publisher and click Change Publisher.

  2. Click in the Publishers text field, and then select a different Publisher from the list. When finished, click Save.

  3. Locate the Publisher you just assigned on the Publishers page to confirm it has a Connected status. If not, contact Netskope Support to stop the upgrade process and ask for assistance.

The following sections provide information about monitoring Publishers. Go to Private Access Troubleshooting for troubleshooting information.

Thresholds to Monitor

CPU Utilization > 75%

Memory Utilization > 90%

Disk Space Left < 1GB

To Validate Resolution of the NPA Cloud

curl 'https://dns.google/resolve?name=stitcher.npa.goskope.com&type=A&edns_client_subnet=PublisherEgressIP'

nslookup stitcher.netskope.com

Linux OS CLI Commands to Monitor Resources

top, cat /proc/meminfo, htop, sysstat, nload, iftop, nethogs, bmon
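
The thresholds above can be evaluated from text the listed commands already expose. The following is an added example, not Netskope code; the function names and all sample data are constructed, and memory utilization is assumed to mean MemTotal minus MemAvailable from /proc/meminfo.

```shell
#!/bin/sh
# Added example: evaluate the page's three thresholds from captured host text.
# Function names and every sample value below are constructed for illustration.

# Busy CPU percent between two "cpu ..." summary lines taken from /proc/stat.
cpu_util() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    { total = 0
      for (i = 2; i <= 9; i++) total += $i      # user through steal
      idle = $5 + $6                            # idle + iowait
      if (NR == 1) { t0 = total; i0 = idle } else { dt = total - t0; di = idle - i0 } }
    END { u = 0; if (dt > 0) u = 100 * (dt - di) / dt; printf "%d\n", u }'
}

# Memory utilization percent from /proc/meminfo text on stdin.
mem_util() {
  awk '/^MemTotal:/ { t = $2 } /^MemAvailable:/ { a = $2 }
       END { u = 0; if (t > 0) u = 100 * (t - a) / t; printf "%d\n", u }'
}

# Available kB from "df -kP <mount>" output on stdin (second line, fourth column).
disk_free_kb() { awk 'NR == 2 { print $4 }'; }

# Names of the thresholds crossed: CPU > 75%, memory > 90%, disk left < 1 GB.
breaches() {
  out=""
  if [ "$1" -gt 75 ]; then out="$out cpu"; fi
  if [ "$2" -gt 90 ]; then out="$out memory"; fi
  if [ "$3" -lt 1048576 ]; then out="$out disk"; fi   # 1 GB expressed in kB
  echo "${out# }"
}

# Constructed samples: 80% CPU, 75% memory, 500000 kB of disk left.
sample_check() {
  cpu=$(cpu_util "cpu 1000 0 500 8000 500 0 0 0" "cpu 2000 0 700 8200 600 0 0 0")
  mem=$(printf 'MemTotal: 8000000 kB\nMemAvailable: 2000000 kB\n' | mem_util)
  disk=$(printf 'Filesystem 1024-blocks Used Available Capacity Mounted on\n/dev/sda1 20000000 19500000 500000 98%% /\n' | disk_free_kb)
  breaches "$cpu" "$mem" "$disk"
}

sample_check   # prints: cpu disk
```

On a Publisher, the same functions take two `head -n 1 /proc/stat` readings a few seconds apart, `cat /proc/meminfo`, and `df -kP /` as input.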

SNMP OIDs to Monitor Resources

Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1

Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1

Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1

Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1

Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1

Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1

Total size of the disk/partition (kBytes): .1.3.6.1.4.1.2021.9.1.6.1

Percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0

Raw user CPU time: .1.3.6.1.4.1.2021.11.50.0

Percentage of system CPU time: .1.3.6.1.4.1.2021.11.10.0

Raw system CPU time: .1.3.6.1.4.1.2021.11.52.0

Percentage of idle CPU time: .1.3.6.1.4.1.2021.11.11.0

Raw idle CPU time: .1.3.6.1.4.1.2021.11.53.0

Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0

Total RAM used: .1.3.6.1.4.1.2021.4.6.0

Total RAM Free: .1.3.6.1.4.1.2021.4.11.0

Total bytes received on the interface: .1.3.6.1.2.1.2.2.1.10

Total bytes transmitted on the interface: .1.3.6.1.2.1.2.2.1.16

Additional Publisher Logs for Troubleshooting

Connection Segment

Description

Example

Registration Logs - Publisher

Logs to verify successful registration, or failed registration.

Logs to check:

~/logs/publisher_wizard.log

Successful Registration:

2021/07/27 20:00:41 UTC Registering with your Netskope address: ns-6413.us-sv5.npa.goskope.com

2021/07/27 20:00:41 UTC Publisher certificate CN: 130dbd9d40e4ad35

2021/07/27 20:00:41 UTC Attempt 1 to register publisher.

2021/07/27 20:00:43 UTC Publisher registered successfully.

Failed Registration:

2021/08/19 13:21:06 UTC Attempt 1 to register publisher.

2021/08/19 13:21:08 UTC Get https://ns-6413.us-sv5.npa.goskope.com/api/discovery: x509: certificate signed by unknown authority

2021/08/19 13:21:08 UTC Registration failed because a discovery call didn't succeed. Please generate a new token and try again.

Publisher ⇔ Netskope connectivity logs

Logs to check:

~/logs/agent.txt

Successful tunnel connection:

eventlog.cpp:115:logPublisherTunnelEvent():0x0 {"eventId": "NPACONNECTED", "publisherId": "130dbd9d40e4ad35", "stitcherIp": "163.116.135.6", "tenant": "ns-6413.us-sv5.npa.goskope.com"}

Successful connection and certificate verification:

sslhelper.cpp:80:verify_callback():0x0 Verified: /DC=io/DC=newedge/CN=New Edge Root CA

Failed connection due to SSL error:

sslhelper.cpp:302:logSslError():0x0 SSL Error 5 error:00000005:lib(0):func(0):DH lib

Publisher ⇔ Netskope HTTPS logs

Management Plane: openssl s_client -connect ns-{TENANTID}.{POPNAME}.npa.goskope.com:443 -servername ns-{TENANTID}.{POPNAME}.npa.goskope.com

Data Plane: openssl s_client -connect stitcher.npa.goskope.com:443 -servername ns-{TENANTID}.{POPNAME}.npa.goskope.com

Publisher ⇔ Application Connection Logs

Logs to check:

~/logs/agent.txt

Application definition and reachability:

reachability.cpp:109:parse():0x2484790 Added protocols login.microsoftonline.com:tcp:443-443; tcp:80-80; udp:443-443; udp:80-80;

Application connection:

tcpproxyhandler.cpp:35:TcpProxyHandler():0x2504cf0 Creating tcp connection to login.microsoftonline.com:443

Client connects and disconnects

May follow Publisher disconnects and can be used to correlate issues:

neconfig.cpp:121:setClientId():0x0 Set clientId l0ThzLYeZnqA

Indicates a graceful shutdown and will not always be present if there’s an issue:

L3ClientChannel.cpp:48:destroy():0x1292810 Cleaning up l3clientChannel
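
The markers in the table above can be pulled out of `~/logs/publisher_wizard.log` and `~/logs/agent.txt` with a small filter. This is an added example, not part of the Netskope tooling; the finding labels and function names are made up here, and the sample lines are the ones shown on this page.

```shell
#!/bin/sh
# Added example: classify Publisher log lines by the markers in the table above.
# Finding labels and function names are hypothetical; sample lines are the page's own.

sample_logs() {
  cat <<'EOF'
2021/07/27 20:00:41 UTC Attempt 1 to register publisher.
2021/07/27 20:00:43 UTC Publisher registered successfully.
2021/08/19 13:21:08 UTC Get https://ns-6413.us-sv5.npa.goskope.com/api/discovery: x509: certificate signed by unknown authority
2021/08/19 13:21:08 UTC Registration failed because a discovery call didn't succeed. Please generate a new token and try again.
eventlog.cpp:115:logPublisherTunnelEvent():0x0 {"eventId": "NPACONNECTED", "publisherId": "130dbd9d40e4ad35", "stitcherIp": "163.116.135.6", "tenant": "ns-6413.us-sv5.npa.goskope.com"}
sslhelper.cpp:80:verify_callback():0x0 Verified: /DC=io/DC=newedge/CN=New Edge Root CA
sslhelper.cpp:302:logSslError():0x0 SSL Error 5 error:00000005:lib(0):func(0):DH lib
EOF
}

# Reads log lines on stdin and prints one finding per recognised line.
triage_publisher_logs() {
  awk '
    # Value of a "key": "value" pair inside the JSON event payload.
    function field(line, key,    re, s) {
      re = "\"" key "\": \"[^\"]*\""
      if (!match(line, re)) return "?"
      s = substr(line, RSTART, RLENGTH)
      sub(/^"[^"]*": "/, "", s); sub(/"$/, "", s)
      return s
    }
    /Publisher registered successfully/ { print "REGISTERED"; next }
    # The presented chain did not lead to a root the Publisher trusts.
    /x509: certificate signed by unknown authority/ { print "REG_TLS_UNTRUSTED_CA"; next }
    /Registration failed/ { print "REG_FAILED"; next }
    /"eventId": "NPACONNECTED"/ {
      print "TUNNEL_UP publisher=" field($0, "publisherId") " stitcher=" field($0, "stitcherIp"); next }
    /verify_callback\(\).*Verified: / { sub(/^.*Verified: /, ""); print "TLS_VERIFIED " $0; next }
    /logSslError\(\)/ {
      code = ""
      if (match($0, /SSL Error [0-9]+/)) code = substr($0, RSTART + 10, RLENGTH - 10)
      print "TLS_ERROR code=" code; next }
  '
}

sample_logs | triage_publisher_logs
```

Against a live Publisher, pipe `cat ~/logs/publisher_wizard.log ~/logs/agent.txt` into `triage_publisher_logs` instead of the sample.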

This topic explains how to enable SNMP on a Publisher and edit the firewall to allow external monitoring.

  1. Connect to a Publisher using SSH and log in.

  2. On the menu, select 5 and exit to the CLI.

  3. Install SNMP and snmp-utils.

    sudo yum install net-snmp net-snmp-utils
  4. Configure the SNMP daemon to start after a device restart.

    sudo systemctl enable snmpd
  5. Check the snmpd service to make sure it is running.

    systemctl status snmpd.service
  6. Install your favorite file editing utility, in this case nano.

    sudo yum install nano
  7. Edit the snmpd.conf file to change community strings and increase security.

    sudo nano /etc/snmp/snmpd.conf
  8. Restart the snmpd service.

    sudo systemctl restart snmpd.service
  9. Check the snmpd service to make sure it is running.

    systemctl status snmpd.service
  10. Verify the firewall service.

    sudo firewall-cmd --state
    running
  11. Determine what the default zone is.

    firewall-cmd --get-default-zone
    public
  12. Determine what zones are active. Please note that if the publisher has not connected to an application yet the docker interface will not be present.

    firewall-cmd --get-active-zones
    docker interfaces: docker0
    public interfaces: ens32 virbr0
  13. Add the SNMP service to the public firewall zone.

    sudo firewall-cmd --zone=public --add-service=snmp
    success
  14. Confirm that the SNMP service has been added to the public firewall zone.

    sudo firewall-cmd --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens32 virbr0
    sources:
    services: dhcpv6-client snmp ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    rule family="ipv4" destination address="191.1.1.1/32" port port="784" protocol="tcp" accept
    rule family="ipv4" destination address="191.1.1.1/32" port port="785" protocol="udp" accept

    sudo firewall-cmd --zone=public --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens32 virbr0
    sources:
    services: dhcpv6-client snmp ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    rule family="ipv4" destination address="191.1.1.1/32" port port="784" protocol="tcp" accept
    rule family="ipv4" destination address="191.1.1.1/32" port port="785" protocol="udp" accept

Test access to SNMP. If it works, make the firewall change permanent.

  1. Add the SNMP service to the firewall permanently.

    sudo firewall-cmd --zone=public --permanent --add-service=snmp
    success
  2. Verify that the SNMP service has been added to the firewall permanently.

    sudo firewall-cmd --zone=public --permanent --list-services
    dhcpv6-client snmp ssh
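
Step 7 of the SNMP procedure leaves the content of `/etc/snmp/snmpd.conf` to the operator. The following added example (not Netskope code) lints a config for the access-control lines that edit should remove; the function names, the user and view names, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example: lint snmpd.conf access-control lines after the step 7 edit.
# Function names, user/view names and both sample configs are constructed.

# Reads a config on stdin and prints "LINE: DIRECTIVE: finding" for each weak setting.
audit_snmpd_conf() {
  awk '
    function weak(c) { return c == "public" || c == "private" }
    function flag(msg) { printf "%d: %s: %s\n", NR, $1, msg }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    $1 ~ /^r[ow]community6?$/ {                  # rocommunity COMMUNITY [SOURCE ...]
      if ($1 ~ /^rw/) flag("write access via community string")
      if (weak($2)) flag("default community string")
      if (NF < 3 || $3 == "default") flag("no source restriction")
      next
    }
    $1 == "com2sec" || $1 == "com2sec6" {        # com2sec NAME SOURCE COMMUNITY
      if (weak($NF)) flag("default community string")
      if ($(NF - 1) == "default") flag("no source restriction")
      next
    }
    $1 ~ /^r[ow]user$/ && $3 == "noauth" { flag("SNMPv3 user without authentication") }
  '
}

weak_conf() {
  cat <<'EOF'
# constructed: stock-style defaults plus a few risky additions
com2sec notConfigUser default public
rocommunity monitor-7f3a 192.0.2.10
rocommunity public
rwcommunity private 192.0.2.10
rouser legacy noauth
EOF
}

hardened_conf() {
  cat <<'EOF'
# constructed: SNMPv3 authPriv user limited to the subtrees this page monitors
# (the user itself is defined separately with a createUser directive)
view publisherView included .1.3.6.1.4.1.2021
view publisherView included .1.3.6.1.2.1.2
rouser nmsuser priv -V publisherView
EOF
}

weak_conf | audit_snmpd_conf
```

The source arguments checked here only limit who snmpd answers; the `--add-service=snmp` rule still admits SNMP from any address in the public zone unless it is narrowed with a source-restricted rich rule.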