Netskope Help

Manage a Publisher

After deploying your publisher, use the following sections to make modifications to your Publishers.

After assigning private apps to specific Publishers, you can change one or more Publishers simultaneously. The Private Apps page enables you to change private apps assignments in bulk. For example:

  • Change one or more publishers for private apps.

  • Quickly migrate existing private apps to a new publisher.

  • Disconnect private apps before deleting a publisher.

To change publishers for private apps:

  1. Go to Settings > Security Cloud Platform > App Definition > Private Apps.

  2. Select one or more private app check boxes and click Change Publishers.

  3. The selected private apps are shown in the Bulk Change Publisher dialog box. Click in the Publisher text field, select one or more publishers in the dropdown list, and then click Save.

In addition to changing publishers for private apps, this page enables you to delete one or more private apps. Select one or more private app check boxes, click Delete, and then click Delete again to confirm. If the private app being deleted is specified in a policy, a message box informs you of this, and you'll need to remove it from the policy in order to delete the private app.

This topic describes how to upgrade one or more Publishers. Using at least a pair of Publishers for each private app is recommended so they can provide high-availability access. Before upgrading all Publishers, upgrade a test Publisher first, and then proceed to the other Publishers.

To use these instructions, first identify the Publishers that you want to upgrade.

Note

A Publisher needs reachability to the official Ubuntu Mirrors during the update process. Please review and allow the appropriate destinations for a successful Publisher software update.

Upgrading Publishers
  1. SSH into the Publisher you want to upgrade.

  2. On the Publisher option menu, select Upgrade, and then select 1 to initiate the upgrade. The upgrade should take around a minute.

  3. In the Netskope UI, go to Settings > Security Cloud Platform > Publishers. Locate the Publisher you just upgraded on the Publishers page to confirm it has a Connected status.

Repeat these steps for every Publisher you are using to access private apps.

Changing Publishers during an Upgrade

If the upgraded publisher has not re-established access, re-assign the app(s) to a different Publisher.

  1. To change Publisher assignments in the Netskope UI, go to Settings > Security Cloud Platform > App Definition > Private Apps. Select the checkboxes for the apps assigned to the Publisher and click Change Publisher.

  2. Click in the Publishers text field, and then select a different Publisher from the list. When finished, click Save.

  3. Locate the Publisher you just assigned on the Publishers page to confirm it has a Connected status. If not, contact Netskope Support to stop the upgrade process and ask for assistance.

The following sections provide information about monitoring Publishers. Go to Private Access Troubleshooting for troubleshooting information.

Thresholds to Monitor

CPU Utilization > 75%

Memory Utilization > 90%

Disk Space Left < 1GB

To Validate Resolution of the NPA Cloud

curl "https://dns.google/resolve?name=stitcher.npa.goskope.com&type=A&edns_client_subnet=PublisherEgressIP"

nslookup stitcher.netskope.com

Linux OS CLI Commands to Monitor Resources

top, cat /proc/meminfo, htop, sysstat, nload, iftop, nethogs, bmon

SNMP OIDs to Monitor Resources

Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1

Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1

Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1

Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1

Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1

Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1

Total size of the disk/partition (kBytes): .1.3.6.1.4.1.2021.9.1.6.1

Percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0

Raw user CPU time: .1.3.6.1.4.1.2021.11.50.0

Percentage of system CPU time: .1.3.6.1.4.1.2021.11.10.0

Raw system CPU time: .1.3.6.1.4.1.2021.11.52.0

Percentage of idle CPU time: .1.3.6.1.4.1.2021.11.11.0

Raw idle CPU time: .1.3.6.1.4.1.2021.11.53.0

Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0

Total RAM used: .1.3.6.1.4.1.2021.4.6.0

Total RAM Free: .1.3.6.1.4.1.2021.4.11.0

Total bytes received on the interface: .1.3.6.1.2.1.2.2.1.10

Total bytes transmitted on the interface: .1.3.6.1.2.1.2.2.1.16

Additional Publisher Logs for Troubleshooting

Connection Segment

Description

Example

Registration Logs - Publisher

Logs to verify successful registration, or failed registration.

Logs to check:

~/logs/publisher_wizard.log

Successful Registration:

2021/07/27 20:00:41 UTC Registering with your Netskope address: ns-6413.us-sv5.npa.goskope.com

2021/07/27 20:00:41 UTC Publisher certificate CN: 130dbd9d40e4ad35

2021/07/27 20:00:41 UTC Attempt 1 to register publisher.

2021/07/27 20:00:43 UTC Publisher registered successfully.

Failed Registration:

2021/08/19 13:21:06 UTC Attempt 1 to register publisher.

2021/08/19 13:21:08 UTC Get https://ns-6413.us-sv5.npa.goskope.com/api/discovery: x509: certificate signed by unknown authority

2021/08/19 13:21:08 UTC Registration failed because a discovery call didn't succeed. Please generate a new token and try again.

Publisher ⇔ Netskope connectivity logs

Logs to check:

~/logs/agent.txt

Successful tunnel connection:

eventlog.cpp:115:logPublisherTunnelEvent():0x0 {"eventId": "NPACONNECTED", "publisherId": "130dbd9d40e4ad35", "stitcherIp": "163.116.135.6", "tenant": "ns-6413.us-sv5.npa.goskope.com"}

Successful connection and certificate verification:

sslhelper.cpp:80:verify_callback():0x0 Verified: /DC=io/DC=newedge/CN=New Edge Root CA

Failed connection due to SSL error:

sslhelper.cpp:302:logSslError():0x0 SSL Error 5 error:00000005:lib(0):func(0):DH lib

Publisher ⇔ Netskope HTTPS logs

Management Plane: openssl s_client -connect ns-{TENANTID}.{POPNAME}.npa.goskope.com:443 -servername ns-{TENANTID}.{POPNAME}.npa.goskope.com

Data Plane: openssl s_client -connect stitcher.npa.goskope.com:443 -servername ns-{TENANTID}.{POPNAME}.npa.goskope.com

Publisher ⇔ Application Connection Logs

Logs to check:

~/logs/agent.txt

Application definition and reachability:

reachability.cpp:109:parse():0x2484790 Added protocols login.microsoftonline.com:tcp:443-443; tcp:80-80; udp:443-443; udp:80-80;

Application connection:

tcpproxyhandler.cpp:35:TcpProxyHandler():0x2504cf0 Creating tcp connection to login.microsoftonline.com:443

Client connects and disconnects

May follow Publisher disconnects and can be used to correlate issues:

neconfig.cpp:121:setClientId():0x0 Set clientId l0ThzLYeZnqA

Indicates a graceful shut down and will not always be present if there’s an issue:

L3ClientChannel.cpp:48:destroy():0x1292810 Cleaning up l3clientChannel
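
The registration and tunnel log signatures listed above can be turned into a quick triage filter. This is an added example, not Netskope code: the tag and function names are made up here, and the sample input is the page's own example log lines.

```shell
#!/bin/sh
# Added example (not Netskope code): tag Publisher log lines by outcome.

# Constructed sample: lines copied from this page's log examples.
sample_log() {
cat <<'EOF'
2021/07/27 20:00:43 UTC Publisher registered successfully.
2021/08/19 13:21:08 UTC Get https://ns-6413.us-sv5.npa.goskope.com/api/discovery: x509: certificate signed by unknown authority
2021/08/19 13:21:08 UTC Registration failed because a discovery call didn't succeed. Please generate a new token and try again.
eventlog.cpp:115:logPublisherTunnelEvent():0x0 {"eventId": "NPACONNECTED", "publisherId": "130dbd9d40e4ad35", "stitcherIp": "163.116.135.6", "tenant": "ns-6413.us-sv5.npa.goskope.com"}
sslhelper.cpp:80:verify_callback():0x0 Verified: /DC=io/DC=newedge/CN=New Edge Root CA
sslhelper.cpp:302:logSslError():0x0 SSL Error 5 error:00000005:lib(0):func(0):DH lib
EOF
}

# Read log lines on stdin; print "TAG detail" for each recognised line.
# Unrecognised lines are skipped.
classify_publisher_log() {
  awk '
    # Return the text matched by regex re with the first skip characters dropped, or "-".
    function grab(line, re, skip) {
      if (!match(line, re)) return "-"
      return substr(line, RSTART + skip, RLENGTH - skip)
    }
    /Publisher registered successfully/ { print "REG_OK -"; next }
    /x509: certificate signed by unknown authority/ {
      print "REG_TLS_UNTRUSTED", grab($0, "https://[^/ ]+", 8); next }
    /Registration failed/ { print "REG_FAILED -"; next }
    /"eventId": "NPACONNECTED"/ {
      print "TUNNEL_UP", grab($0, "\"stitcherIp\": \"[0-9a-fA-F.:]+", 15); next }
    /verify_callback\(\).* Verified:/ {
      print "CERT_VERIFIED", grab($0, "CN=.*$", 3); next }
    /logSslError\(\)/ {
      print "TUNNEL_SSL_ERROR", grab($0, "SSL Error [0-9]+", 10); next }
  '
}

# Exit 0 when stdin contains a registration or tunnel failure, 1 otherwise.
log_has_failure() {
  classify_publisher_log | grep -Eq "^(REG_TLS_UNTRUSTED|REG_FAILED|TUNNEL_SSL_ERROR) "
}

sample_log | classify_publisher_log
```

On a Publisher, feed it the real files, for example `classify_publisher_log < ~/logs/agent.txt`.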

This topic explains how to enable SNMP on a Publisher and edit the firewall to allow external monitoring.

  1. Connect to a Publisher using SSH and log in.

  2. On the menu, select 6 and exit to the CLI.

  3. Update all packages (recommended):

    sudo apt-get update
  4. Install SNMP.

    sudo apt-get install snmpd -y
  5. Configure the agentAddress in the /etc/snmp/snmpd.conf file.

  6. Restart the SNMPD service.

    sudo service snmpd restart
  7. Check that SNMPD is started.

    sudo service snmpd status
  8. Verify the firewall (ufw) is running.

    sudo ufw status
  9. Configure UFW to allow connections to SNMPD. The SNMP daemon will listen for connections on port 161.

    sudo ufw allow in to any port 161 proto udp
  10. Verify the SNMP service has been allowed by the firewall permanently and that UDP traffic on Port 161 is allowed.

    sudo ufw status
    Status: active
    To           Action     From
    --           ------     ----
    161/udp      ALLOW      Anywhere
    161/udp (v6) ALLOW      Anywhere (v6)
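
The output in step 10 shows UDP 161 accepted from Anywhere; where only a monitoring station polls the Publisher, the rule can be narrowed to that station's address. The added check below (not Netskope code; the function names and the `<monitoring-host-ip>` placeholder are assumptions) reads `ufw status` text in the layout shown above and lists SNMP rules that accept any source.

```shell
#!/bin/sh
# Added example (not Netskope code): audit `ufw status` output for SNMP rules
# that accept traffic from any source. A source-restricted rule has the form:
#   sudo ufw allow from <monitoring-host-ip> to any port 161 proto udp

# Constructed sample: the status output shown in step 10 of this page.
sample_ufw_status() {
cat <<'EOF'
Status: active
To           Action     From
--           ------     ----
161/udp      ALLOW      Anywhere
161/udp (v6) ALLOW      Anywhere (v6)
EOF
}

# Read `ufw status` text on stdin; print one line per 161/udp ALLOW rule
# whose source column is Anywhere.
open_snmp_rules() {
  awk '
    $1 == "161/udp" {
      fam = ($0 ~ /\(v6\)/) ? "v6" : "v4"
      gsub(/ *\(v6\)/, "")   # normalise so the source is the last field
      if ($2 == "ALLOW" && $NF == "Anywhere") print "OPEN 161/udp", fam
    }
  '
}

# Exit 0 only when ufw is active and no 161/udp rule accepts any source.
snmp_firewall_ok() {
  status=$(cat)
  printf '%s\n' "$status" | grep -q '^Status: active' || return 1
  [ -z "$(printf '%s\n' "$status" | open_snmp_rules)" ]
}

sample_ufw_status | open_snmp_rules
```

On a Publisher, run it as `sudo ufw status | open_snmp_rules`.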