Manage a Publisher
After deploying your publisher, use the following sections to make modifications to your Publishers.
After assigning private apps to specific Publishers, you can change one or more Publishers simultaneously. The Private Apps page enables you to change private apps assignments in bulk. For example:
Change one or more publishers for private apps.
Quickly migrate existing private apps to a new publisher.
Disconnect private apps before deleting a publisher.
To change publishers for private apps:
Go to Settings > Security Cloud Platform > App Definition > Private Apps.
Select one or more private app check boxes and click Change Publishers.
The selected private apps are shown in the Bulk Change Publisher dialog box. Click in the Publisher text field, select one or more publishers in the dropdown list, and then click Save.
In addition to changing publishers for private apps, this page enables you to delete one or more private apps. Select one or more private app check boxes, click Delete, and then click Delete again to confirm. If the private app being deleted is referenced in a policy, a message box informs you of this and you must remove it from the policy before you can delete the private app.
This topic describes how to upgrade one or more Publishers. Using at least a pair of Publishers for each private app is recommended so they can provide high-availability access. Before upgrading all Publishers, upgrade a test Publisher first, and then proceed to the other Publishers.
To use these instructions, first identify the Publishers that you want to upgrade.
Note
A Publisher needs reachability to the official Ubuntu Mirrors during the update process. Please review and allow the appropriate destinations for a successful Publisher software update.
Upgrading Publishers
SSH into the Publisher you want to upgrade.
On the Publisher option menu, select Upgrade, and then select 1 to initiate the upgrade. The upgrade should take around a minute.
In the Netskope UI, go to Settings > Security Cloud Platform > Publishers. Locate the Publisher you just upgraded on the Publishers page to confirm it has a Connected status.
Repeat these steps for every Publisher you are using to access private apps.
Changing Publishers during an Upgrade
If the upgraded publisher has not re-established access, re-assign the app(s) to a different Publisher.
To change Publisher assignments in the Netskope UI, go to Settings > Security Cloud Platform > App Definition > Private Apps. Select the checkboxes for the apps assigned to the Publisher and click Change Publisher.
Click in the Publishers text field, and then select a different Publisher from the list. When finished, click Save.
Locate the Publisher you just assigned on the Publishers page to confirm it has a Connected status. If not, contact Netskope Support to stop the upgrade process and ask for assistance.
The following sections provide information about monitoring Publishers. Go to Private Access Troubleshooting for troubleshooting information.
Thresholds to Monitor
CPU Utilization > 75%
Memory Utilization > 90%
Disk Space Left < 1GB
To Validate Resolution of the NPA Cloud
Replace PublisherEgressIP with the Publisher's egress IP address. The URL is quoted so the shell does not interpret the ampersands.
curl 'https://dns.google/resolve?name=stitcher.npa.goskope.com&type=A&edns_client_subnet=PublisherEgressIP'
nslookup stitcher.netskope.com
Linux OS CLI Commands to Monitor Resources
top, cat /proc/meminfo, htop, sysstat, nload, iftop, nethogs, bmon
SNMP OIDs to Monitor Resources
Available space on the disk: .1.3.6.1.4.1.2021.9.1.7.1
Used space on the disk: .1.3.6.1.4.1.2021.9.1.8.1
Percentage of space used on disk: .1.3.6.1.4.1.2021.9.1.9.1
Percentage of inodes used on disk: .1.3.6.1.4.1.2021.9.1.10.1
Path where the disk is mounted: .1.3.6.1.4.1.2021.9.1.2.1
Path of the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
Total size of the disk/partition (kBytes): .1.3.6.1.4.1.2021.9.1.6.1
Percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
Raw user CPU time: .1.3.6.1.4.1.2021.11.50.0
Percentage of system CPU time: .1.3.6.1.4.1.2021.11.10.0
Raw system CPU time: .1.3.6.1.4.1.2021.11.52.0
Percentage of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
Raw idle CPU time: .1.3.6.1.4.1.2021.11.53.0
Total RAM in machine: .1.3.6.1.4.1.2021.4.5.0
Total RAM used: .1.3.6.1.4.1.2021.4.6.0
Total RAM Free: .1.3.6.1.4.1.2021.4.11.0
Total bytes received on the interface: .1.3.6.1.2.1.2.2.1.10
Total bytes transmitted on the interface: .1.3.6.1.2.1.2.2.1.16
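As an added example (not from the Netskope documentation), the following Python script parses snmpget-style output for the OIDs listed above and applies the thresholds from the Thresholds to Monitor section. The sample output is constructed; memory utilization is derived as total RAM minus free RAM, and CPU utilization as user plus system time.

```python
import re

# Constructed snmpget-style output for the OIDs listed above (not captured from a real Publisher).
# On a real host the equivalent is: snmpget -v2c -c <community> <publisher-ip> <oid> [<oid> ...]
SAMPLE_SNMP_OUTPUT = """\
.1.3.6.1.4.1.2021.11.9.0 = INTEGER: 40
.1.3.6.1.4.1.2021.11.10.0 = INTEGER: 18
.1.3.6.1.4.1.2021.4.5.0 = INTEGER: 8000000 kB
.1.3.6.1.4.1.2021.4.11.0 = INTEGER: 600000 kB
.1.3.6.1.4.1.2021.9.1.7.1 = INTEGER: 900000
"""

OID_CPU_USER = ".1.3.6.1.4.1.2021.11.9.0"      # percentage of user CPU time
OID_CPU_SYSTEM = ".1.3.6.1.4.1.2021.11.10.0"   # percentage of system CPU time
OID_MEM_TOTAL = ".1.3.6.1.4.1.2021.4.5.0"      # total RAM in machine (kB)
OID_MEM_FREE = ".1.3.6.1.4.1.2021.4.11.0"      # total RAM free (kB)
OID_DISK_AVAIL = ".1.3.6.1.4.1.2021.9.1.7.1"   # available space on the first disk entry (kB)

# "<oid> = <TYPE>: <integer>[ unit]" as printed by snmpget/snmpwalk
LINE_RE = re.compile(r"^(\S+) = \w+: (-?\d+)")

def parse_snmp_output(text):
    """Map each numeric OID in snmpget/snmpwalk output to its integer value."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def evaluate_thresholds(values):
    """Apply the page's thresholds: CPU > 75%, memory > 90%, disk space left < 1 GB."""
    alerts = []
    cpu_pct = values[OID_CPU_USER] + values[OID_CPU_SYSTEM]
    if cpu_pct > 75:
        alerts.append(f"CPU utilization {cpu_pct}% > 75%")
    total_kb, free_kb = values[OID_MEM_TOTAL], values[OID_MEM_FREE]
    mem_pct = 100.0 * (total_kb - free_kb) / total_kb
    if mem_pct > 90:
        alerts.append(f"Memory utilization {mem_pct:.1f}% > 90%")
    disk_gb = values[OID_DISK_AVAIL] / (1024 * 1024)   # kB -> GB
    if disk_gb < 1:
        alerts.append(f"Disk space left {disk_gb:.2f} GB < 1 GB")
    return alerts

if __name__ == "__main__":
    for alert in evaluate_thresholds(parse_snmp_output(SAMPLE_SNMP_OUTPUT)):
        print(alert)
```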
Additional Publisher Logs for Troubleshooting
Registration Logs - Publisher
Description: Logs to verify successful or failed registration.
Logs to check: ~/logs/publisher_wizard.log
Successful registration:
2021/07/27 20:00:41 UTC Registering with your Netskope address: ns-6413.us-sv5.npa.goskope.com
2021/07/27 20:00:41 UTC Publisher certificate CN: 130dbd9d40e4ad35
2021/07/27 20:00:41 UTC Attempt 1 to register publisher.
2021/07/27 20:00:43 UTC Publisher registered successfully.
Failed registration:
2021/08/19 13:21:06 UTC Attempt 1 to register publisher.
2021/08/19 13:21:08 UTC Get https://ns-6413.us-sv5.npa.goskope.com/api/discovery: x509: certificate signed by unknown authority
2021/08/19 13:21:08 UTC Registration failed because a discovery call didn't succeed. Please generate a new token and try again.

Publisher ⇔ Netskope connectivity logs
Logs to check: ~/logs/agent.txt
Successful tunnel connection:
eventlog.cpp:115:logPublisherTunnelEvent():0x0 {"eventId": "NPACONNECTED", "publisherId": "130dbd9d40e4ad35", "stitcherIp": "163.116.135.6", "tenant": "ns-6413.us-sv5.npa.goskope.com"}
Successful connection and certificate verification:
sslhelper.cpp:80:verify_callback():0x0 Verified: /DC=io/DC=newedge/CN=New Edge Root CA
Failed connection due to SSL error:
sslhelper.cpp:302:logSslError():0x0 SSL Error 5 error:00000005:lib(0):func(0):DH lib

Publisher ⇔ Netskope HTTPS logs
Management Plane:
openssl s_client -connect ns-{TENANTID}.{POPNAME}.npa.goskope.com:443 -servername ns-{TENANTID}.{POPNAME}.npa.goskope.com
Data Plane:
openssl s_client -connect stitcher.npa.goskope.com:443 -servername ns-{TENANTID}.{POPNAME}.npa.goskope.com

Publisher ⇔ Application Connection Logs
Logs to check: ~/logs/agent.txt
Application definition and reachability:
reachability.cpp:109:parse():0x2484790 Added protocols login.microsoftonline.com:tcp:443-443; tcp:80-80; udp:443-443; udp:80-80;
Application connection:
tcpproxyhandler.cpp:35:TcpProxyHandler():0x2504cf0 Creating tcp connection to login.microsoftonline.com:443

Client connects and disconnects
May follow Publisher disconnects and can be used to correlate issues:
neconfig.cpp:121:setClientId():0x0 Set clientId l0ThzLYeZnqA
neconfig.cpp:121:setClientId():0x0 Set clientId l0ThzLYeZnqA
Indicates a graceful shutdown and will not always be present if there is an issue:
L3ClientChannel.cpp:48:destroy():0x1292810 Cleaning up l3clientChannel
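The log formats quoted above can be triaged automatically. The following Python snippet is an added example, not Netskope's code: it classifies lines from publisher_wizard.log and agent.txt into registration, tunnel, TLS and client-disconnect events. The sample lines are constructed from the formats shown, and the category names are my own.

```python
import json
import re

# Constructed lines modelled on the log formats quoted above (not captured from a real Publisher).
SAMPLE_LOG_LINES = [
    "2021/07/27 20:00:43 UTC Publisher registered successfully.",
    "2021/08/19 13:21:08 UTC Get https://ns-6413.us-sv5.npa.goskope.com/api/discovery: "
    "x509: certificate signed by unknown authority",
    'eventlog.cpp:115:logPublisherTunnelEvent():0x0 {"eventId": "NPACONNECTED", '
    '"publisherId": "130dbd9d40e4ad35", "stitcherIp": "163.116.135.6", '
    '"tenant": "ns-6413.us-sv5.npa.goskope.com"}',
    "sslhelper.cpp:302:logSslError():0x0 SSL Error 5 error:00000005:lib(0):func(0):DH lib",
    "L3ClientChannel.cpp:48:destroy():0x1292810 Cleaning up l3clientChannel",
]

TUNNEL_EVENT_RE = re.compile(r"logPublisherTunnelEvent\(\):\S+ (\{.*\})$")
X509_RE = re.compile(r"x509: (.+)$")
SSL_ERROR_RE = re.compile(r"SSL Error (\d+) (error:\S+)")

def classify_line(line):
    """Return (category, detail) for a Publisher log line, or None if it is not of interest."""
    if "Publisher registered successfully" in line:
        return ("registration_ok", None)
    m = X509_RE.search(line)
    if m:
        # The discovery call's certificate chain did not verify against the Publisher's
        # trust store; check for TLS inspection on the egress path before regenerating a token.
        return ("registration_cert_error", m.group(1))
    m = TUNNEL_EVENT_RE.search(line)
    if m:
        event = json.loads(m.group(1))   # the tunnel event payload is JSON
        return ("tunnel_event", event.get("eventId"))
    m = SSL_ERROR_RE.search(line)
    if m:
        return ("ssl_error", m.group(2))
    if "Cleaning up l3clientChannel" in line:
        return ("client_graceful_disconnect", None)
    return None

def summarize(lines):
    """Count classified lines by category, e.g. for a quick health summary of agent.txt."""
    counts = {}
    for line in lines:
        result = classify_line(line)
        if result:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts
```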
This topic explains how to enable SNMP on a Publisher and edit the firewall to allow external monitoring.
Connect to a Publisher using SSH and login.
On the menu, select 5 and exit to the CLI.
Install SNMP and snmp-utils.
sudo yum install net-snmp net-snmp-utils
Configure the SNMP daemon to start after a device restart.
sudo systemctl enable snmpd
Check the snmpd service to make sure it is running.
systemctl status snmpd.service
Install your favorite file editing utility, in this case nano.
sudo yum install nano
Edit the snmpd.conf file to change community strings and increase security.
sudo nano /etc/snmp/snmpd.conf
Restart the snmpd service.
sudo systemctl restart snmpd.service
Check the snmpd service to make sure it is running.
systemctl status snmpd.service
Verify the firewall service.
sudo firewall-cmd --state
running
Determine what the default zone is.
firewall-cmd --get-default-zone
public
Determine which zones are active. Note that if the Publisher has not connected to an application yet, the docker interface will not be present.
firewall-cmd --get-active-zones
docker
  interfaces: docker0
public
  interfaces: ens32 virbr0
Add the SNMP service to the public firewall zone.
sudo firewall-cmd --zone=public --add-service=snmp
success
Confirm that the SNMP service has been added to the public firewall zone.
sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32 virbr0
  sources:
  services: dhcpv6-client snmp ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" destination address="191.1.1.1/32" port port="784" protocol="tcp" accept
        rule family="ipv4" destination address="191.1.1.1/32" port port="785" protocol="udp" accept
Specifying the zone explicitly produces the same output:
sudo firewall-cmd --zone=public --list-all
Test access to SNMP from your monitoring host. If it works, add the service permanently.
Add the SNMP service to the firewall permanently.
sudo firewall-cmd --zone=public --permanent --add-service=snmp
success
Verify that the SNMP service has been added to the firewall permanently.
sudo firewall-cmd --zone=public --permanent --list-services
dhcpv6-client snmp ssh
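To make the "change community strings and increase security" step concrete, here is an added example (not from the Netskope documentation) that audits an snmpd.conf for the access settings a monitoring-only Publisher should not expose: default community strings, no source restriction, write access, and no MIB view. The two configuration fragments are constructed; the directives are standard net-snmp syntax, and the monitoring host IP, community string and passphrases are placeholders.

```python
# Constructed snmpd.conf fragments for illustration (not from the page or a real Publisher).
WEAK_SNMPD_CONF = """\
# default community strings, any source host, whole MIB tree
rocommunity public
rwcommunity private
"""

# Placeholder values: replace the community string, monitoring host and passphrases.
HARDENED_SNMPD_CONF = """\
# read-only view limited to the UCD-SNMP (.2021) and interfaces (.2.2) subtrees polled above
view monitoring included .1.3.6.1.4.1.2021
view monitoring included .1.3.6.1.2.1.2
# v2c: non-default community, single monitoring host, restricted view
rocommunity REPLACE-WITH-LONG-RANDOM-STRING 192.0.2.10 -V monitoring
# v3: authenticated and encrypted user instead of a community string
createUser npamon SHA "REPLACE-AUTH-PASSPHRASE" AES "REPLACE-PRIV-PASSPHRASE"
rouser npamon priv -V monitoring
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def audit_snmpd_conf(text):
    """Return (line_number, finding) pairs for weak access settings in an snmpd.conf."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            # syntax: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = parts[1] if len(parts) > 1 else ""
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((n, f"{directive}: default community string '{community}'"))
            if len(parts) < 3 or parts[2] in ("default", "-V"):
                findings.append((n, f"{directive}: no source restriction, any host may query"))
            if directive.startswith("rw"):
                findings.append((n, f"{directive}: write access, monitoring only needs read-only"))
            if "-V" not in parts:
                findings.append((n, f"{directive}: no view restriction, full MIB tree exposed"))
        elif directive == "rouser" and (len(parts) < 3 or parts[2].lower() != "priv"):
            findings.append((n, "rouser: security level below priv, SNMPv3 traffic not encrypted"))
    return findings
```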