Netskope Cloud Firewall
This document describes how to configure the Netskope cloud firewall. The Netskope cloud firewall controls your organization's outbound non-HTTP(S) traffic. If you intend to manage HTTP(S) traffic (on ports 80/443 and non-standard ports), refer to the Netskope Secure Web Gateway and Netskope Cloud Access Security Broker documentation instead.
Netskope cloud firewall provides centralized management, visibility, and consistent policies for distributed offices and roaming users. It also provides advanced security and access controls without the cost, complexity, and performance limitations of traditional firewall appliances. Netskope's integrated, cloud-hosted firewall capabilities allow granular control over your organization's outbound non-HTTP(S) traffic, namely TCP, UDP, and ICMP traffic.
Netskope cloud firewall provides network security on outbound traffic across all ports and protocols for users and offices. Cloud firewall policy controls include 5-tuple (source and destination addresses and ports with protocol), plus user-IDs and group-IDs, fully qualified domains and wildcards as destinations, an application layer gateway for FTP, and firewall event logging.
With Netskope cloud firewall, you can apply an allow / block security policy based on source and destination IP address, destination ports, protocols, and users.
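To make the policy controls above concrete, the following is an added, hypothetical first-match evaluator written for this page; it is not Netskope's code and does not reflect how the Netskope policy engine is implemented. It models the attributes the text names (the 5-tuple, user-IDs and group-IDs, FQDN and wildcard destinations), applies an allow/block decision with an implicit default block when no rule matches, and emits one firewall event record per decision in the spirit of the event logging described. Rule and flow values are constructed sample data.

```python
"""Toy first-match egress firewall policy evaluator (illustrative, not Netskope code)."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int]          # None for ICMP, which has no port
    user: str
    groups: frozenset
    dst_fqdn: Optional[str] = None   # destination name, when known


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    src_nets: tuple = ("0.0.0.0/0",)
    dst_nets: tuple = ("0.0.0.0/0",)
    dst_fqdns: tuple = ()            # fnmatch-style wildcards, e.g. "*.example.net"
    dst_ports: tuple = ()            # empty = any port
    protocols: tuple = ()            # empty = any protocol
    users: tuple = ()                # empty = any user
    groups: tuple = ()               # empty = any group


def _ip_in(ip: str, nets: tuple) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def _fqdn_matches(fqdn: Optional[str], patterns: tuple) -> bool:
    # Case-insensitive wildcard match. Note that "*" also spans dots, so
    # "*.example.net" matches "a.b.example.net" as well as "ftp.example.net".
    if fqdn is None:
        return False
    return any(fnmatch.fnmatchcase(fqdn.lower(), p.lower()) for p in patterns)


def matches(rule: Rule, flow: Flow) -> bool:
    if not _ip_in(flow.src_ip, rule.src_nets):
        return False
    # A rule carrying FQDN patterns matches on the name; otherwise on the IP.
    if rule.dst_fqdns:
        if not _fqdn_matches(flow.dst_fqdn, rule.dst_fqdns):
            return False
    elif not _ip_in(flow.dst_ip, rule.dst_nets):
        return False
    if rule.protocols and flow.protocol not in rule.protocols:
        return False
    if rule.dst_ports and flow.dst_port not in rule.dst_ports:
        return False
    if rule.users and flow.user not in rule.users:
        return False
    if rule.groups and not flow.groups.intersection(rule.groups):
        return False
    return True


def evaluate(rules: list, flow: Flow) -> dict:
    """First matching rule wins; no match falls through to an implicit block."""
    action, rule_name = "block", "default-deny"
    for rule in rules:
        if matches(rule, flow):
            action, rule_name = rule.action, rule.name
            break
    # One event record per decision, the shape a log export would carry.
    return {"user": flow.user, "src": flow.src_ip, "dst": flow.dst_fqdn or flow.dst_ip,
            "proto": flow.protocol, "port": flow.dst_port,
            "action": action, "rule": rule_name}


# Constructed sample policy (hypothetical, not a real tenant configuration).
RULES = [
    Rule("allow-dns-to-resolver", "allow", dst_nets=("10.0.0.53/32",),
         dst_ports=(53,), protocols=("udp", "tcp")),
    Rule("allow-ftp-engineering", "allow", dst_fqdns=("*.example.net",),
         dst_ports=(21,), protocols=("tcp",), groups=("engineering",)),
    Rule("block-icmp", "block", protocols=("icmp",)),
    Rule("allow-ssh-alice", "allow", dst_ports=(22,), protocols=("tcp",), users=("alice",)),
]

# Constructed sample flows (documentation address ranges).
FLOWS = [
    Flow("192.0.2.10", "10.0.0.53", "udp", 53, "bob", frozenset({"sales"})),
    Flow("192.0.2.11", "198.51.100.7", "tcp", 21, "carol", frozenset({"engineering"}), "ftp.example.net"),
    Flow("192.0.2.12", "198.51.100.7", "tcp", 21, "bob", frozenset({"sales"}), "ftp.example.net"),
    Flow("192.0.2.13", "203.0.113.1", "icmp", None, "alice", frozenset({"admins"})),
    Flow("192.0.2.14", "203.0.113.22", "tcp", 22, "alice", frozenset({"admins"})),
    Flow("192.0.2.15", "203.0.113.22", "tcp", 22, "bob", frozenset({"sales"})),
]


def run_samples() -> list:
    return [evaluate(RULES, f) for f in FLOWS]


if __name__ == "__main__":
    for event in run_samples():
        print(event)
```

The third sample flow is the instructive one: the FTP destination, port and protocol all match the engineering rule, but the user is not in the group, so no rule applies and the flow is blocked by the implicit default. Rule order matters as well, since the first match wins; a broad block placed early will shadow later allows.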
Netskope Cloud Firewall Key Benefits and Capabilities
- Firewall Policy Controls: Includes 5-tuple (source / destination address and port, protocol), user-IDs and group-IDs, FQDNs and wildcards for egress firewall policy settings.
- FTP Application Layer Gateway: Enables seamless use of FTP through cloud edge network address translation services.
- Firewall Event Logging: Full logging of all desired cloud firewall events (TCP, UDP, and ICMP), available for export.
- Integrated SASE Architecture: Netskope Security Cloud integrates cloud firewall with Secured Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) solutions for users and offices, to provide protection to all ports and protocols. Secure remote users and branch offices with Firewall-as-a-Service (FWaaS) using one console, one policy engine, and one platform.
- Lower Cost of Operation: Reduce appliance expenses and maintenance, dependency on endpoint firewalls, and the administration effort of working across multiple consoles.
- Protect Users: Provides network security for outbound traffic on all ports and protocols for safe direct-to-internet access with the Netskope client on managed devices. Cloud firewall filters egress traffic of managed users covering all ports and protocols, plus FQDNs and wildcards as destinations, an FTP ALG, and full logging.
- Secure Office: Provides network security for all outbound ports and protocols for safe direct-to-internet access via GRE and IPSec tunnels for any user or device. SD-WAN compatible, cloud firewall supports IPSec and GRE tunnels from offices to the Netskope Security Cloud to filter egress traffic.
Netskope enables you to steer non-HTTP(S) traffic using various methods. The following sections describe the various configuration steps.
- Configure a GRE Tunnel
- Configure an IPSec Tunnel
- GRE & IPSec Tunnel Gateway – HTTP(S) Non-Standard Port Support
- Netskope Client Support in Cloud Firewall
- Network Location
- Creating a Firewall App Definition
- Real-time Protection Policies
- Bandwidth Control (Beta)
- Configuring Cloud Firewall Steering Exceptions
- SSL Decryption
- Cloud Firewall Network Events and Alerts
- Cloud Firewall Advanced Analytics Events
- DNS Security