Manage a Publisher

Manage a Publisher

After deploying your publisher, use the following sections to make modifications to your Publishers.

Configure Publisher Auto-Updates

Publisher Auto-updates provide a scalable means to update both the underlying operating system and the Publisher software.  In high-availability Publisher deployments where two or more Publishers are assigned to an application, Netskope’s auto-update has implicit logic to stagger updates even if all Publishers are assigned to the same upgrade profile.  This ensures that applications remain available during the upgrade.

You can get Publisher updates automatically, and also specify the version to be upgraded or downgraded for the Publishers. Options include the very latest Publisher, one of the two previous versions of the Publisher, or a Beta version.

For example, if the latest Publisher version is, Netskope will support Auto-Updates to version,,, or a Beta version. Updates for software defects and security vulnerabilities will only be introduced in the latest software version. So you should consider updating your Publishers to the latest version to take advantage of enhancements and security updates.

The Publisher checks for a minimum disk space of 300 MB for System and Publisher upgrades. If the disk space verification fails, the Admin is notified through a message in the Admin UI and through email alerts, if notifications have been set up.

Auto-update use case factors include:

  • When Auto-Update is enabled for your tenant, all Publishers are included in a Default profile. The Default profile is disabled by default. When a default profile is enabled, all Publishers associated with this profile are enabled with the Auto-Update capability. Moving forward, all Publishers will be required to create or select an Update Profile upon creation.
  • You can perform a manual upgrade even if an Auto-Update profile is disabled.
  • Scheduled auto-updates will not occur when an Auto-Update profile is disabled.
  • An initiated upgrade process will continue if you disable the Auto-Update profile while the upgrade is in progress.
  • Before upgrading all Publishers, upgrade a test Publisher first, and then proceed to the other Publishers.

Publisher Auto-Update Best Practices

In enterprise environments, Netskope recommends the following:

  • Schedule Publisher updates during maintenance windows or non-peak hours for their location.  You can have multiple Publisher Auto-Update profiles scoped to Publishers in different regions.
  • Enable Auto-update alerts for successful and failed Publisher Auto-Updates including the following:
    • Version update succeeded
    • Version update failed
    • Version update started but reconnection failed.

    You can optionally also enable alerts for upgrades that start, and a 24-hour alert about when Auto-Updates will start.

  • Ensure that all Publishers check for N-2 releases at least monthly to ensure you stay within the Publisher Support Policy.
  • Ensure that at least one Publisher is available during the upgrade of other Publishers to provide administrative access should an upgrade fail.  You can consider deploying dedicated Publishers for administrative functions to provide SSH access or via your virtualization solution’s interface.

Configure Auto-Update Profiles

You can create, edit, or delete Auto-Update profiles, including the Default profile.

  1. Go to Settings > Security Cloud Platform > Publishers and click Configure Auto-Update on the right side of the page.
  2. You can search for and sort existing profiles in the Auto-Updates Profiles dialog box, plus edit and delete profiles using the pencil and trash can icons. To create a new Auto-Update profile, click Add New.
  3. Enter a profile name.
  4. From the dropdown list, select Beta Release, Latest Release, or one of the previous versions of the latest release.


    If you want to downgrade to a previous version, select the Latest-1 or Latest-2 version.

  5. Specify a release frequency. For a Weekly update, specify the day of the week. For a Monthly update, specify the week and the day.
  6. Select a time and a time zone to start the update. Publisher updates take around two hours to complete from the start time specified in the Update Profile.
  7. When finished, click Save.

Manage Auto-Update Profiles

After Auto-Update profiles have been created, you can search for a profile, and also sort the profiles in the table in the Auto-Update Profile dialog box.

Auto-Update profiles can be applied to a single Publisher or multiple Publishers.

There are a couple of methods to modify an existing Auto-Update Profile, depending on whether you’re modifying single Publishers or multiple Publishers.

Single Publisher

For a single Publisher, select Edit from the Publisher side menu.


In the Edit Publisher dialog box, you can change the Update Profile for a Publisher by searching for and selecting a profile from the dropdown list.


You can also delete and update a Publisher using the options on Publisher dropdown list. Click Update to immediately upgrade the Publisher to the Publisher version specified in the Update Profile.


Click Configure Auto-Update to open the Auto-Updates Profile dialog box, which allows you to edit and delete a profile using the pencil and trash can icons.


Multiple Publishers

For multiple Publishers, select the Publishers (in the left column), and then click Update to immediately upgrade all the Publishers to the Publisher version specified in the Update Profile.


To change Auto-Update Profiles for multiple Publishers, click Change Update Profile To and select an Update profile from the dropdown list. Click Save and Continue and then Save.


Configure Auto-Update Alerts

To receive notifications of when updates occur, for specific users, and the type of event that occurs, you can configure Auto-Update Alerts.

  1. Click Configure Auto-update Alerts on the right side of the page.

    Specify who you want to receive notifications, and then the events that you want to know about.

  2. Select the admins in the dropdown list; only users with Admin privileges for your tenant are shown in this list. To add Users, enter the user’s email address, separated by commas if there is more than one.
  3. Select the Alert types you want Admins and Users to receive via email:
    • Version updates will start in 24 hours:  Profile-based. Publishers associated with a Profile are batched.
    • Version update started: Stitcher-based. Publishers associated with a stitcher are batched.
    • Version update succeeded: Batch-wise, they will be divided in to 3 batches (for example, if there are three versions specified). Publisher 1 in batch 1, Publishers 2 and 3 in batch 2, and Publishers 4 and 5 in batch 3. There will be three emails.
    • Version updated failed: Stitcher-based. For example, if there are seven Publishers, and batch 2 has three Publishers, out of the three Publishers in batch 2, two publishers are connected to Stitcher 1, and the remaining Publisher is connected to Stitcher 2. Upgrade failure notifications will result in two emails.
    • Version update started but reconnection failed: Profile-based. Failures are due to a timeout.
  4. Click Next to save this configuration.

Publisher Auto-Update Error Guidance

If an error occurs during an auto-update, refer to these troubleshooting recommendations.

Publisher auto-update failed while attempting to open the upgrade trigger file.Check logs/publisher_wizard.log for more detail.
Publisher auto-update failed due to timeout.Contact Netskope Support.
Publisher reconnection failed due to timeout.Contact Netskope Support.
Publisher auto-update failed while upgrading Docker engine.Check logs/publisher_wizard.log and the logs in /var/log/apt for more details.
Publisher Host OS update failed.Check logs/publisher_wizard.log and the logs in /var/log/apt for more details.
Publisher Host OS update was stopped. Not enough disk space for the publisher Host OS update.Check logs/publisher_wizard.log for more details and free up the disk space for the Host OS update.
Publisher auto-update failed while downloading docker image.Check network connectivity between the Publisher and Also check logs/publisher_wizard.log and the Docker log with the journalctl -u docker.service command for more details.
Publisher software update was skipped. The new version and the existing version are the same.Check the desired upgrade version.
Publisher auto-update failed while attempting to stop the existing Publisher container.Check logs/publisher_wizard.log and the Docker log with the journalctl -u docker.service command for more details.
Publisher auto-update failed while attempting to install the Publisher UI package.Please check logs/publisher_wizard.log and the Docker log with the journalctl -u docker.service command for more details.
Publisher auto-update failed.Check logs/publisher_wizard.log and the Docker log with the journalctl -u docker.service command for more details.
Publisher auto-update failed while launching the Publisher U.ICollect the log bundle and contact Netskope Support.
Publisher software update was stopped. Not enough disk space for the publisher software update.Check logs/publisher_wizard.log for more details and free up the disk space for the Publisher software update.

Re-enroll a Publisher

You can re-enroll a new instance of Publisher into an existing entry in the Admin Console. Follow these steps to re-enroll a Publisher instance.

  1. In the Netskope UI, go to Settings > Security Cloud Platform > Publishers.
  2. Click on the Publisher that needs to be re-enrolled. Make sure the Publisher is in the Disconnected State.
  3. Click Save and Continue.
  4. Click Generate Token.
  5. Click Copy to get the registration token.
  6. Click Done.

You can now install the new Publisher instance on a new VM, or on the existing VM. Use the token to Register the new Ubuntu Publisher instance. All the existing App Definitions that reference this Publisher will continue to work.

Install Kernel Updates

As part of Publisher software update, it’s recommended to regularly update the kernel of the host Ubuntu OS.

Install Kernel Updates on an OVA Publisher

A kernel update requires 1GB of free space. There will be a reboot of the OS at the end of the update. Update the kernel on the OVA-based Publishers using these steps.

  1. Connect to the Publisher using SSH and log in.
  2. On the menu, select 6 to Exit the Wizard.
  3. Verify the hash of the script before running it.
    • File:
    • shasum 256: 3569c918cbab50cf0aee5e5847b3b2d554d673a44898d7ee4376e03bf01ba65f
  4. Verify the curl command availability on the Publisher instance with this command:
    which curl 
  5. If curl not available, install the curl using this command.

    sudo apt-get install curl
  6. Run the below command to update and provide consent to the script to restart the machine.
    sudo curl -o && sudo python3
  7. Optional) As a security best practice, it’s advisable to uninstall the curl command. You can uninstall curl using this command:
    sudo apt-get remove curl

At the end of the script execution, the Publisher should reboot and ready with the latest Kernel updates.

In case you encounter issues with the update and the Publisher VM is not in a usable state, we recommend raising a support ticket to troubleshoot further. Please attach logs and screenshots of the issue to help with troubleshooting. You can proceed reinstalling the Publisher using the fresh Publisher image and re-enroll into the Admin Console. Steps to re-enroll are here.

Install Kernel Updates on Non-OVA Publishers

The unattended kernel updates are turned on by default for AMI, VHD and VHDX. Updates to the kernel are installed automatically on these image instances. A standard Publisher OS reboot would bring the instance’s kernel up to date. Publisher release notes will include details if and when there is a restart of the Publisher instance needed to update the kernel.

Manually Update Publisher DNS Servers and DNS Search Domains

To manually change the NPA Publisher DNS settings you’ll need to create a netplan configuration, apply the netplan configuration, then restart the Publisher docker container (or reboot).

  1. Exit the NPA Publisher menu to the linux shell.
  2. Create and edit this file for the custom netplan configuration using nano or vi:
  3. Paste in this content including custom entries for nameserver addresses (DNS servers) and or nameserver search (search domains). Delete either line if not needed, and then save the file:
      version: 2
            addresses: [,]
            search: [corp.internal,]
            use-dns: false
            use-domains: false
  4. Run this command to update the configuration:
    sudo netplan apply
  5. Run this command to restart the Publisher docker container:
    docker restart $(docker ps | grep "new_edge_access:latest" | awk '{ print $1 }')
  6. Run this command to confirm the container was restarted successfully:
    docker ps
  7. For the IMAGE new_edge_access:latest, confirm that the STATUS column says Up XX seconds (where the time correlates with the recent restart):
    CONTAINER ID   IMAGE                    COMMAND                  CREATED       STATUS          PORTS     NAMES
    ab9c2c957abe   new_edge_access:latest   "/bin/bash -l automa…"   2 weeks ago   Up 11 seconds             elated_jang
  8. If desired, run this command to return to the NPA Publisher Wizard:
    sudo ./npa_publisher_wizard

Configure a Publisher for Software Updates via Explicit Proxy

This article explains how to configure an Ubuntu Host to enable Publisher’s software updates via an Explicit Proxy. Note that this only applies to Publisher outbound traffic for OS and Docker updates. The Publisher tunnel itself does not support traversing explicit proxy and must be allowed to connect direct to the Netskope NPA stitcher IP space.

  1. Configure the http_proxy and https_proxy environment variables via /etc/environment. Here is an example used in a configuration to ensure * is excluded. will also need to be excluded for AWS installations.
    sudo vi /etc/environment
    export http_proxy=""
    export https_proxy=""
    export no_proxy="localhost,,,,,, *"
  2. Next configure docker-ce proxy settings, similar to the Ubuntu settings.
    sudo mkdir /etc/systemd/system/docker.service.d/
    sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf
    sudo systemctl daemon-reload
    sudo systemctl restart docker
  3. Log out and log in so the /etc/environment variables are applied.
  4. In the Netskope UI, test the configuration by clicking Update on the Publisher page.

Guidance for Installing 3rd-party Applications on Publishers

Please be aware that any additional software (not included with the Netskope provided package) that is installed on a Publisher instance will be sharing resources with the Publisher application. In addition, Netskope and 3rd-party domains and Publisher software processes may need to be whitelisted in the 3rd-party software.

Network security software that monitors each and every action on the Publisher instance may cause performance issues. You can install security software as long as doing so does not impact Publisher performance. It is your responsibility to ensure that enough resources are allocated for all the software applications running on a Publisher instance.

To troubleshoot issues, Netskope Support may request you to test/recreate without 3rd-party software to narrow down the root cause.

Change Publishers for Private Apps

After assigning private apps to specific Publishers, you can change one or more Publishers simultaneously. The Private Apps page enables you to change private apps assignments in bulk. For example:

  • Change one or more Publishers for private apps.
  • Quickly migrate existing private apps to a new Publisher.
  • Disconnect private apps before deleting a Publisher.

To change publishers for private apps:

  1. Go to Settings > Security Cloud Platform > App Definition > Private Apps.
  2. Select one or more private app check boxes and click Change Publishers.
  3. The selected private apps are shown in the Bulk Change Publisher dialog box. Click in the Publisher text field and select one or more publisher in the dropdown list, and then click Save.

In addition to changing publishers for private apps, this page enables you to delete one or more private apps. Select one or more private app check boxes, and click Delete, and then click Delete again to confirm. If the private app being deleted is specified in a policy, a message box informs you of this factor and you’ll need to remove it from the policy in order to delete the private app.

CentOS-based Publisher Support End of Life

Starting with release 105 (end of May 2023), Netskope Private Access will stop supporting CentOS as the base OS for Publishers and only support Ubuntu-based Publishers.

Ubuntu provides an improved security posture from available CIS benchmarks for Linux distros, and Ubuntu also enables the Auto-Update capability for Publishers. Netskope recommends that you replace existing CentOS Publishers with Ubuntu Publishers using one of these methods.

Method 1

You can generate a new token for an existing CentOS Publisher and use that to register a new Ubuntu Publisher. This will expire the previous registration for the existing CentOS Publisher and replace it with the Ubuntu Publisher. With this method, you do not have to update the App Definitions that reference the existing CentOS Publishers.

Method 2

You can configure new Publishers, add them to the App definitions, and then remove the existing CentOS Publishers in the App Definition.


  • Ubuntu Publishers have feature parity with CentOS Publishers and do not have any capability limitations.
  • You can use a mix of CentOS and Ubuntu Publishers simultaneously for application access during this move to Ubuntu only support.

Enable SNMP on a Publisher

This topic explains how to enable SNMP v3 on a Publisher and edit the firewall to allow external monitoring.

  1. Connect to a Publisher using SSH and log in.
  2. On the menu, select 6 and exit to the CLI.
  3. Update all packages (recommended):
    sudo apt-get update
  4. Install SNMP.
    sudo apt-get -y install snmpd libsnmp-dev
  5. Configure the agentAddress in the /etc/snmp/snmpd.conf file. Add this line to the file:
    disk / 10000
  6. Stop the snmpd service so you can add a user.
    sudo service snmpd stop
  7. Add an SNMP v3 user.
    sudo net-snmp-config --create-snmpv3-user  -A <AuthPassword> -X <CryptoPassword> -a <MD5|SHA> -x <AES|DES> <user>
  8. Restart the SNMPD service.
    sudo service snmpd restart
  9. Check that SNMPD is started.
    sudo service snmpd status
  10. Verify the firewall (ufw) is running.
    sudo ufw status
  11. Configure UFW to allow connections to SNMPD. The SNMP daemon will listen for connections on port 161.
    sudo ufw allow in to any port 161 proto udp
  12. Verify the SNMP service has been allowed by the firewall permanently and that UDP traffic on Port 161 is allowed.
    sudo ufw status
    Status: active
    To           Action     From
    --           ------     ----
    161/udp      ALLOW      Anywhere
    161/udp (v6) ALLOW      Anywhere (v6)

Publisher Monitoring

The following sections provide information about monitoring Publishers. Go to Private Access Troubleshooting for troubleshooting information.

Thresholds to Monitor

CPU Utilization > 75%

Memory Utilization > 90%

Disk Space Left < 1GB

To Validate Resolution of the NPA Cloud



Linux OS CLI Commands to Monitor Resources

top, cat /proc/meminfo, htop, sysstat, nload, iftop, nethog, bmon

SNMP OIDs to Monitor Resources

Available space on the disk: .

Used space on the disk: .

Percentage of space used on disk: .

Percentage of inodes used on disk: .

Path where the disk is mounted: .

Path of the device for the partition: .

Total size of the disk/partion (kBytes): .

Percentage of user CPU time: .

Raw user CPU time: .

Percentage of system CPU time: .

Raw system CPU time: .

Percentage of idle CPU time: .

Raw idle CPU time: .

Total RAM in machine: .

Total RAM used: .

Total RAM Free: .

Total bytes received on the interface: .

Total bytes transmitted on the interface: .

Publisher Logs for Troubleshooting

Connection SegmentDescriptionExample
Registration Logs – PublisherLogs to verify successful registration, or failed registration.Logs to check:


Successful Registration:

2021/07/27 20:00:41 UTC Registering with your Netskope address:

2021/07/27 20:00:41 UTC Publisher certificate CN: 130dbd9d40e4ad35

2021/07/27 20:00:41 UTC Attempt 1 to register publisher.

2021/07/27 20:00:43 UTC Publisher registered successfully.

Failed Registration:

2021/08/19 13:21:06 UTC Attempt 1 to register publisher.

2021/08/19 13:21:08 UTC Get x509: certificate signed by unknown authority

2021/08/19 13:21:08 UTC Registration failed because a discovery call didn’t succeed. Please generate a new token and try again.

Publisher ⇔ Netskope connectivity logsLogs to check:


Succesful tunnel connection:

eventlog.cpp:115:logPublisherTunnelEvent():0x0 {“eventId”: “NPACONNECTED”, “publisherId”: “130dbd9d40e4ad35”, “stitcherIp”: “”, “tenant”: “”}

Successful connection and certificate verification:

sslhelper.cpp:80:verify_callback():0x0 Verified: /DC=io/DC=newedge/CN=New Edge Root CA

Failed connection due to SSL error

sslhelper.cpp:302:logSslError():0x0 SSL Error 5 error:00000005:lib(0):func(0):DH lib

Publisher⇔ Netskope HTTPS logsManagement Plane: openssl s_client -connect ns-{TENANTID}.{POPNAME} -servername ns-{TENANTID}.{POPNAME}

Data Plane: openssl s_client -connect -servername ns-{TENANTID}.{POPNAME}

Publisher⇔ Application Connection LogsLogs to check:


Application definition and reachability:

reachability.cpp:109:parse():0x2484790 Added protocols; tcp:80-80; udp:443-443; udp:80-80;Application connection:

tcpproxyhandler.cpp:35:TcpProxyHandler():0x2504cf0 Creating tcp connection to

Client connects and disconnectsMay follow Publisher disconnects and can be used to correlate issues: neconfig.cpp:121:setClientId():0x0 Set clientId l0ThzLYeZnqA

neconfig.cpp:121:setClientId():0x0 Set clientId l0ThzLYeZnqA

Indicates a graceful shut down and will not always be present if there’s an issue: L3ClientChannel.cpp:48:destroy():0x1292810 Cleaning up l3clientChannel

Disable Password Expiry for a Publisher

Password policy for the Publisher are enabled for versions 101 or lower. The Publisher host user password may expire if not changed regularly. This article explains how to disable the password expiry. Versions 102 and above will have the password policy disabled, and you are now required to apply your corporate password policy to your Publishers.

AWS AMI Publisher

If your AWS publisher was deployed from the Netskope prebuilt images (from AWS marketplace), the following instructions can help you to remove the password expiry. This approach is applicable for version 94+ Ubuntu Publishers.

The Ubuntu publisher built in with the AWS System Manager (SSM) agent. You can use SSM to log in to the Publisher EC2 instance and remove the password expiry.

  1. Create an IAM role with the SSM permissions.
    1. Create an IAM role.
    2. Add permission policy AmazonSSMManagedInstanceCore into the IAM role.
  2. Attach the IAM role to the Publisher EC2 instance.
  3. Connect with the Publisher EC2 instance via SSM.
  4. After you log in into the Publisher, use this following command to disable the password expiry.
    sudo chage -m 0 -M 99999 ubuntu
  5. Use the following to confirm the password expiry was disabled or not.
    sudo chage -l ubuntu
  6. You should able to log in to the Publisher via SSH after disabling the password expiry.

Azure VHD Publisher

If your Azure publisher was deployed from the Netskope prebuilt images (from Azure marketplace), the following instructions can help you to remove the password expiry. This approach is applicable for version 96+ Ubuntu Publishers.

  1. You can use the built-in Reset password function in the Azure portal.
  2. For Mode, select Reset Password, your username, and new password (twice) to reset your ubuntu password.
  3. After resetting the password, you should be able to log in to the Publisher via SSH.
  4. Disable the password expiry using this command.
    sudo chage -m 0 -M 99999 ubuntu
  5. Use this command to confirm if the password was disabled successfully or not.
    sudo chage -l ubuntu

OVA/VHDX Publisher

If your Azure publisher was deployed from the Netskope prebuilt OVA/VHDX images, use these steps to remove the password expiry. You should be able to boot into Single User Mode from Linux GRUB to remove the password expiry.

  1. Reboot the VM.
  2. Enter the GRUB menu by keeping pressing the shift key. If you are using Windows, you may need to disable the sticky key.
  3. From the GRUB boot prompt, press the E button to edit the first boot option.
  4. In the GRUB menu, find the kernel line starting with linux /vmlinuz and add init=/bin/bash at the end of the line.
  5. Press CTRL+X to save the changes and boot the server into single-user mode. Once booted. the server will boot into the root prompt.
  6. Type in the command mount -o remount,rw / to mount the file system.
  7. Use chage -m 0 -M 99999 ubuntu to disable the password expiry, and use chage -l ubuntu to confirm if the password was disabled successfully or not.
  8. Reboot the system. Use reboot -f to reboot the VM.
  9. You will see the GRUB menu again. Press enter on the first item or wait 30 seconds, the boot process will continue. And you should be able to log in into your VM again with your password.

Share this Doc
In this topic ...