Netskope Help

Managing Error Settings

You can use the steering error settings to configure actions for anomalies observed in the HTTP/HTTPS traffic.

Note

Netskope doesn't perform SSL inspection for any bypassed traffic in the error settings.

To configure the error settings for your steering configurations:

  1. Go to Settings > Security Cloud Platform > Steering Configuration.

  2. Click Manage Error Settings. The Error Settings window appears. All error settings are global.

  3. In the Error Settings window:

    • No SNI: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the Netskope Cloud Proxy can't determine the Server Name Indication (SNI).

    • Malformed SSL: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the designated port is 443 but the first packet in the SSL traffic can't be parsed.

    • CRL/OCSP Check: Block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate is revoked. Netskope terminates SSL for this error and performs deep packet inspection for failed CRL and OCSP checks. Selecting Bypass ignores mismatches and failures.

    • SSL Handshake Error: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the SSL handshake fails.

    • Self-Signed Server Certificate: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate is self-signed.

    • Incomplete Certificate Trust Chain: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate chain is incomplete.

    • Untrusted Root Certificate: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate isn't trusted.

    • Malformed HTTP: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the Netskope Cloud Proxy receives an invalid HTTP request.

    • SSL Host Mismatch: Block traffic between the Netskope Cloud Proxy and the internet server if the domain name of the server doesn’t match the common name in a server’s certificate. Netskope terminates SSL for this error and performs deep packet inspection for SSL host mismatches. Selecting Bypass ignores mismatches and failures.

    The Error Settings window on the Steering Configuration page.

After configuring the error settings, the steering configuration starts bypassing or blocking extranet services.
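
To make the No SNI and Malformed SSL conditions concrete, the following added example (not Netskope's code or implementation) parses the first client packet of a TLS connection and reports whether it is unparseable, a valid ClientHello without SNI, or one carrying a server name. The function names are hypothetical, the sample packets are constructed, and the parser assumes the ClientHello arrives in a single unfragmented TLS record.

```python
import struct

def classify_first_packet(data: bytes):
    """Classify the first client packet: ('sni', host), ('no_sni', None) or ('malformed_ssl', None)."""
    try:
        # TLS record header: content type 0x16 (handshake), major version 3, 2-byte length
        if data[0] != 0x16 or data[1] != 0x03:
            return ("malformed_ssl", None)
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if body[0] != 0x01:                       # handshake type must be ClientHello
            return ("malformed_ssl", None)
        pos = 4 + 2 + 32                          # handshake header, client_version, random
        pos += 1 + body[pos]                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                      # compression_methods
        if pos == len(body):
            return ("no_sni", None)               # valid hello without any extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        if end > len(body):
            return ("malformed_ssl", None)        # extensions run past the record
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 0:                     # server_name extension
                name_len = struct.unpack("!H", ext[3:5])[0]
                name = ext[5:5 + name_len]
                if ext[2] != 0 or len(name) != name_len or not name:
                    return ("malformed_ssl", None)
                return ("sni", name.decode("ascii"))
            pos += 4 + ext_len
        return ("no_sni", None)
    except (IndexError, struct.error, UnicodeDecodeError):
        return ("malformed_ssl", None)            # truncated or inconsistent lengths

def build_client_hello(hostname=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello, with or without SNI."""
    exts = b""
    if hostname:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni)) + sni
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Plain HTTP sent to port 443 and a truncated ClientHello both classify as `malformed_ssl`, while a well-formed hello that omits the extension classifies as `no_sni`.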

Recommended Error Settings

The following table lists the Netskope-recommended error settings that you can configure for your organization to optimize security:

| Error Setting | Default Setting | Recommended Setting | User Notification Type |
|---|---|---|---|
| No SNI | Bypass | Block | Browser |
| Malformed SSL | Bypass | Block | Browser |
| CRL/OCSP Check | Bypass | Block | Browser |
| SSL Handshake Error | Bypass | Block | Browser |
| Self-Signed Server Certificate | Block | Block | Browser |
| Incomplete Certificate Trust Chain | Bypass | Block | Browser |
| Untrusted Root Certificate | Block | Block | Browser |
| Malformed HTTP | Block | Block | None |
| SSL Host Mismatch | Block | Block | Browser |