Managing Error Settings

You can use the steering error settings to configure actions for anomalies observed in the HTTP/HTTPS traffic.

Note

Netskope doesn’t perform SSL inspection for any bypassed traffic in the error settings.

To configure the error settings for your steering configurations:

  1. Go to Settings > Security Cloud Platform > Steering Configuration.
  2. Click Manage Error Settings. The Error Settings window appears. All error settings are global.
  3. In the Error Settings window:

    Note

    Due to a limitation, when you select Bypass for SSL failure actions (e.g., Incomplete Certificate Trust Chain), the first connection to a given site on a given node will receive a block page while Netskope caches the certificate’s status. Users must reload the page to continue to the site.

    • No SNI: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the Netskope Cloud Proxy can’t determine the Server Name Indication (SNI).
    • Malformed SSL: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the traffic arrives on port 443 but the first packet can't be parsed as SSL/TLS.
    • Domain Fronting Protection: Bypass or block traffic if domain fronting is detected. Netskope detects domain fronting when the SNI and HTTP request Host header are mismatched. Selecting Bypass ignores mismatches.
    • Before configuring the Domain Fronting Protection feature, Netskope recommends using it in monitor mode first by reviewing the transaction events for domain-fronted fields and domains to gain granular understanding of domain-fronted sites.

      Warning

      The Domain Fronting Protection option is a global setting and will be applicable to all websites. If you experience blocked traffic to legitimate domains, update the Domain Fronting Protection option to Bypass to unblock the traffic immediately. Then contact Netskope Support to report the domains that were blocked.

      Additionally, HTTP/2 is not currently supported for Domain Fronting Protection. Using this feature with HTTP/2 might cause HTTP/2 websites to not load properly or to load slowly without error notifications.

      There are cases where the SNI legitimately differs from the Host header, or where research teams use domain fronting for testing. Netskope REST APIs let you configure wildcard domains or full-domain matches as a global domain fronting exception list across the entire tenant. The following APIs are available: Generic List and Domain Fronting Profile.

      More information is available in Swagger. In the UI, navigate to Settings > Tools > REST API v2 and click API Documentation to access the Swagger API documentation. To learn more about REST APIs, see REST API v2 Overview.

    • Custom Signing CA Error: Block or bypass (fail open) HTTPS requests while the Netskope proxy restarts during a planned upgrade. This applies only when the custom signing CA feature is used for inline TLS decryption, which lets you upload your own certificate for TLS decryption instead of trusting Netskope’s root CA.
    • CRL/OCSP Check: Block traffic between the Netskope Cloud Proxy and the internet server if a CRL or OCSP check shows that the server’s certificate is revoked. Netskope terminates SSL for this error and performs deep packet inspection for failed CRL and OCSP checks. Selecting Bypass ignores revocation-check failures.
    • SSL Handshake Error: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the SSL handshake fails.
    • Self-Signed Server Certificate: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate is self-signed.
    • Incomplete Certificate Trust Chain: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate chain is incomplete.

      Note

      If your organization enabled Dynamic Trusted Store, but you have this setting set to Block, Netskope might block the initial visit to the domain that doesn’t have an intermediate certificate because it’s still fetching the certificate. Users can refresh the website to proceed.

    • Untrusted Root Certificate: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate isn’t trusted.
    • Malformed HTTP: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the Netskope Cloud Proxy receives an invalid HTTP request.
    • SSL Host Mismatch: Block traffic between the Netskope Cloud Proxy and the internet server if the domain name the client requested doesn’t match the common name in the server’s certificate. Netskope terminates SSL for this error and performs deep packet inspection for SSL host mismatches. Selecting Bypass ignores the mismatch.
The Error Settings Window On The Steering Configuration Page.

After you save the error settings, the steering configuration bypasses or blocks the affected traffic according to your selections.
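The client-side checks in the list above (No SNI, Malformed SSL, Domain Fronting, Malformed HTTP) as an added Python example; this is not Netskope code and does not reflect how the Netskope Cloud Proxy is implemented. It parses the first packet of a port-443 connection for the server_name extension, then compares that SNI with the Host header of the request. It assumes the HTTP request has already been decrypted by the proxy (a Host/SNI mismatch is only visible after TLS termination, which is why bypassed traffic is never checked), and the `exceptions` parameter is a hypothetical stand-in for the tenant-wide exception list the REST API can set. The ClientHello bytes and HTTP requests are constructed inline, not captures.

```python
"""Classify one port-443 connection into the error-setting categories described above:
No SNI, Malformed SSL, Domain Fronting (SNI != Host) or Malformed HTTP.
Added example, not Netskope code. Assumes the proxy has already decrypted the request."""
import struct
from fnmatch import fnmatch


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host               # name_type 0 = host_name
        sni_list = struct.pack("!H", len(name)) + name
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (
        b"\x03\x03"                          # client_version TLS 1.2
        + b"\x11" * 32                       # random (fixed, constructed)
        + b"\x00"                            # session_id length 0
        + b"\x00\x02\x13\x01"                # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                        # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(packet):
    """Parse a TLS record holding a ClientHello. Returns ('ok', sni), ('no_sni', None) or ('malformed', None)."""
    try:
        if len(packet) < 5 or packet[0] != 0x16 or packet[1] != 0x03:
            return "malformed", None                        # not a TLS handshake record at all
        rec_len = struct.unpack("!H", packet[3:5])[0]
        rec = packet[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:
            return "malformed", None                        # truncated record, or not a ClientHello
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return "malformed", None
        pos = 2 + 32                                        # skip client_version and random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        if pos >= len(hs):
            return "no_sni", None                           # legacy hello with no extensions block
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        if ext_end > len(hs):
            return "malformed", None
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                name = edata[p:p + nlen]
                if len(name) != nlen:
                    return "malformed", None                # server_name list lies about its length
                if ntype == 0:
                    return "ok", name.decode("ascii").lower()
                p += nlen
        return "no_sni", None                               # extensions present, no server_name
    except (IndexError, struct.error, UnicodeDecodeError):
        return "malformed", None


def extract_host(request):
    """Return the lower-cased Host of a decrypted HTTP/1.x request, or None if the request is malformed."""
    try:
        head = request.split(b"\r\n\r\n", 1)[0]
        lines = head.split(b"\r\n")
        method, _target, version = lines[0].split(b" ")
        if not (method.isalpha() and version.startswith(b"HTTP/1.")):
            return None
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"host":
                return value.strip().decode("ascii").split(":")[0].lower()
    except (ValueError, UnicodeDecodeError):
        return None
    return None                                             # HTTP/1.1 without a Host header is invalid


def classify(first_packet, decrypted_request, exceptions=()):
    """Map one connection to the error-setting category the proxy would act on.
    `exceptions` is a hypothetical list of fnmatch patterns over the Host header (assumption)."""
    status, sni = extract_sni(first_packet)
    if status == "malformed":
        return "Malformed SSL"
    if status == "no_sni":
        return "No SNI"
    host = extract_host(decrypted_request)
    if host is None:
        return "Malformed HTTP"
    if host != sni and not any(fnmatch(host, pat) for pat in exceptions):
        return "Domain Fronting"
    return "OK"


# Constructed sample inputs (not captures).
HELLO = build_client_hello("cdn.example.com")
REQ_SAME = b"GET /api HTTP/1.1\r\nHost: cdn.example.com\r\nUser-Agent: demo\r\n\r\n"
REQ_FRONTED = b"GET /api HTTP/1.1\r\nHost: hidden.example.net\r\nUser-Agent: demo\r\n\r\n"
REQ_NO_HOST = b"GET /api HTTP/1.1\r\nUser-Agent: demo\r\n\r\n"

if __name__ == "__main__":
    for label, pkt, req in [
        ("same host", HELLO, REQ_SAME),
        ("fronted", HELLO, REQ_FRONTED),
        ("no SNI", build_client_hello(None), REQ_SAME),
        ("plaintext on 443", b"GET / HTTP/1.1\r\n\r\n", REQ_SAME),
        ("truncated hello", HELLO[:20], REQ_SAME),
        ("no Host header", HELLO, REQ_NO_HOST),
    ]:
        print(f"{label:18} -> {classify(pkt, req)}")
    print("fronted + exception -> " + classify(HELLO, REQ_FRONTED, exceptions=("*.example.net",)))
```

The truncated-hello and plaintext-on-443 cases show why Malformed SSL and No SNI are separate settings: the first cannot be parsed at all, the second parses cleanly but carries nothing to match a policy against. Running the fronted request through the exception pattern is the equivalent of the monitor-first approach recommended above: review which Host values trigger the mismatch before switching the setting from Bypass to Block.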

Error Settings

Below are the Netskope error settings that you can configure for your organization to optimize security:

Error Setting                        Default Setting   User Notification Type
No SNI                               Bypass            Browser
Malformed SSL                        Bypass            Browser
Domain Fronting Protection           Bypass            Browser
CRL/OCSP Check                       Bypass            Browser
SSL Handshake Error                  Bypass            Browser
Self-Signed Server Certificate       Block             Browser
Incomplete Certificate Trust Chain   Bypass            Browser
Untrusted Root Certificate           Block             Browser
Malformed HTTP                       Block             None
SSL Host Mismatch                    Block             Browser

Admins can change the default setting for each error according to their requirements.