Add a Policy for SSL Decryption
Add a Policy for SSL Decryption
SSL decryption policies allow you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies.
Netskope continues to match against Real-time Protection policies when a connection is matched with a SSL Do Not Decrypt policy. As a part of the SSL decryption policy lookup, when traffic is dropped due to a Real-time Protection policy match, a Skope IT event alert is generated. A user alert or block notification isn’t sent to the user.
To configure a SSL decryption policy:
- Navigate to Policies > SSL Decryption.
- Click Add Policy. The New SSL Decryption Policy page appears.
- For Match Criteria, specify the match criteria for the traffic. You must specify at least one match criteria from the Add Criteria dropdown to create a policy. The system applies the ‘AND’ operator among multiple criteria groups (e.g. user, domain, and category), and the ‘OR’ operator among multiple match criteria values (e.g. Category 1, Category 2, Category 3).
The following table lists the match criteria options.
- For Action, you can select one of the following options:
- Do Not Decrypt: Traffic will not go through deep analysis.
- Decrypt: Traffic will move to deep analysis via the Real-time Protection policies.
- For Set Policy, enter a Policy Name. Optionally, you can enter a Policy Description.
- Click Save.
The Access Method and OS Family match criteria options are Controlled-GA features. Contact your Netskope sales representative or support to enable the options on your tenant.
|Source Network Location
|Search and add a source network location (select all that apply) and match against User IP and Source IP addresses. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details.
By default, you can only configure one Source IP type per SSL decryption policy.
To configure both source IP types together in one policy, the “RBAC V2” and “Source IP Egress AND Condition” features must be enabled for your tenant. Contact Support to enable these features.
|Match Against Field
|User IP Address – This is the user’s internal / private IP address (RFC 1918).
Egress Source IP Address – This is the user’s external NAT (Public) IP address.
Traffic that runs through the Netskope gateway, including both the User IP and Egress Source IP addresses are viewable by the system. The distinction is helpful so admins can make selective decisions for internal hosts (user IPs) versus all hosts in a given network (egress IPs).
|Destination Network Location
|Search and add a destination network location, select all that apply. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details.
|Lists all categories
|List domains as comma separated values.
Netskope supports domain names based on server name indication (SNI) and not certificate name (CN) or subject alternative name (SAN). Wildcard search is supported.
|Lists all users
|Lists all user groups
|Lists all organizational units
|List of app suites specified with table shown in the App Suite Details topic.
Each app suite name is mapped to a list of defined domains, and the domain list gets updated for new / changes periodically.
|Lists apps that are uniquely identifiable based on a single domain name.
There are no overlapping domains to apps. You can select one or more predefined or custom apps and custom apps have higher priority over predefined apps.
|Lists all applicable access methods.
|Lists all device operating system families.
This match criteria option is only applicable when the Netskope Client is deployed on the device. For example, the access method is Client or Client is used in combination with other access methods.
By default, the policy is disabled; you must enable it after you are done configuring it.
Once you create a policy, you can perform the following actions described in the table below.
|Click the policy name or edit via the ellipses at the end of the policy row.
|Click the policy name or disable via the ellipses at the end of the policy row.
|Move to Position
|Access the Move to Position dialog via the ellipses at the end of the policy row. You can select to move the policy to: Top of policy list, Bottom of policy list, Before policy, or After policy. Click Move to apply your change. Note, if you select before or after policy, a dropdown displays in which you must select a policy from the list.
|Select the policy name and click Delete button or delete via the ellipses at the end of the policy row. Deleting a policy means that the corresponding traffic will be decrypted and sent for deep analysis. If you change your mind, click the ellipses to access the Revert Deletion button.
|View Pending Changes
|View a list of policies that are new or have changed and click Apply Changes to save and implement the policy.
|Use the filters at the top of the list page to quickly access or filter out policies by name or criteria added. Click +Add Filter to apply multiple match criteria to the filter. You can save the filter and access it via the carrot, above the Filters search bar. To delete any criteria, click the red X in the upper right corner of the filter label.