Cloud Exchange Hardening

Cloud Exchange Hardening

The following sections provide guidance to make your Netskope Cloud Exchange tenants secure.

Host Hardening

CE runs on Docker on a Linux host. All best practices should be applied to harden the underlying host using CIS L1 benchmarks for either Ubuntu or Red Hat Enterprise Linux. To watch HA setup videos, go here.

Secrets Manager

When configured, users can configure Netskope tenants, custom plugin repositories, and plugins using secrets from their configured Secrets Manager.

System Wide Connectivity

The Netskope CE platform needs access to GitHub, Docker Hub, Netskope tenant, partners platforms and other 3rd-party platforms you wish to integrate with. Do evaluate network configurations like HTTP Proxy setup, Firewall rules, etc., to ensure the connectivity is available. The Netskope CE stack needs connectivity to these Public URLs.

For fetching third party plugins:


For fetching alerts and events from Netskope tenant:

  • https://*.<tenant-domain>

For fetching web transactions from Netskope datalake:

  • https://*
  • https://*
  • Currently, Netskope web transaction logs are retrieved from or However, these addresses are subject to change – thus the recommendation to use wildcards to ensure reachability

For reporting analytics to Netskope AWS service:


For pulling docker images from Docker Hub (connectivity to additional hosts may be required since the docker images will be behind a CDN):


If you are behind an HTTP or HTTPS proxy server, for example in corporate settings, you need to add the proxy configuration in the Docker systemd service file. Refer to for details.

Firewall/Proxy Rules

Netskope IP Ranges

If you have conditional access enabled with vendors or SaaS apps for Netskope solutions, or need to SSL Allowlist by IP instead of domains, here is the list of Netskope consolidated list of IP addresses (for tenant access from Cloud Exchange in case your firewall does not support FQDN-based rules). Subscribe to this link by clicking the Follow icon on this page:

Cloud Exchange Ports

Port Configurable? Description
443/80 Yes, during the setup script. Used to access the CE UI.
15672 No. Used to access the RabbitMQ dashboard.

Note that Cloud Exchange can be accessed via TLS 1.3 or 1.2 (as of 4.x). The choice of which version to use is configured via the setup script. Set TLS 1.3 and do not configure TLS 1.2 support.

Cloud Exchange Proxy

Cloud Exchange supports configuring a global proxy that can be used selectively as needed to communicate with external resources. Where a proxy is available for use, leverage the Cloud Exchange setup script tool (as of 4.x) to set the proxy globally.

HA Hardening

  • In order to establish the necessary connectivity between Docker services across various machines and facilitate the integration of nodes into the cluster, we have exposed the ports listed below from the Docker services. It is imperative that these ports remain accessible from all machines where the Netskope CE HA deployment is intended. To enhance security measures, it is also advisable to restrict access to these ports from other IP addresses.
    The below ports will be used for the clustering of the MongoDB and RabbitMQ services. Also the UI ports are required to perform a health check from all the machines.





    Yes, during the setup script.

    Used to access the CE UI.



    A peer discovery service used by RabbitMQ nodes and CLI tools



    Used by AMQP 0-9-1 and AMQP 1.0 clients without and with TLS



    HTTP API clients, management UI and rabbitmqadmin, without and with TLS



    Used for inter-node and CLI tools communication



    Used for inter-node and CLI tools communication



    The default port for mongodb and mongos instances.

  • As we are utilizing NFS for shared storage, it is important to configure the NFS volume in a manner that restricts access exclusively to Netskope CE instances. This precaution is of utmost importance in order to strengthen security measures.

CE as VM Hardening

  1. It does not require docker or github connectivity to setup the Cloud Exchange mandatorily
  2. Maintenance password will not be visible in .env file once it has been set while configuring Cloud Exchange.
  3. Default cteadmin user can run only predefined set of commands with sudo privileges.
  4. Root user password of OVA is only available to Netskope Cloud Exchange support team.
  1. It does not require docker or github connectivity to set up the Cloud Exchange mandatorily.
  1. It does not require docker or github connectivity to set up the Cloud Exchange mandatorily.

CE API Rate Limiting (UI to Backend)

  • Cloud exchange is restricted to serve 100 API requests per seconds.
  • This rate limit is only applicable for Cloud exchange UI to Backend communications.

Cloud Exchange Users

Default Username Default Password Configurable? Description
admin admin Yes, Can be changed during the first login. Used to access the Cloud Exchange UI.
user Yes, via Maintenance Password during the setup. Used to access the RabbitMQ dashboard.
cteadmin Yes, via Maintenance Password during the setup. Used to access the mongo database.

User Lockout Mechanism

  • Users are allowed up to 5 login attempts.
  • If a user fails to log in within these 5 attempts, they will be locked out of their account for a duration of 2 minutes.
  • With each successive set of 5 attempts, the lockout duration will increase incrementally.
  • For the second set of 5 failed login attempts, resulting in 10 unsuccessful attempts, the lockout duration will be 5 minutes.
  • After three sets of 5 failed login attempts, resulting in 15 unsuccessful attempts, the user will face a more extended lockout period of 6 hours.
  • For every set of 5 consecutive attempts, until the user successfully logs in, the lockout period will be 6 hours.
  • Once the user successfully logs in, the cycle will continue.

Note: This mechanism will only be applicable for local users and not for SSO.

Strict Password Policy for the CE User

  • Password must contain at least one lower case letter
  • Password must contain at least one uppercase letter
  • Password must contain at least one special character (e.g #, @,)
  • Password must contain at least one numeric character
  • Minimum 8 characters are required for the password
  • Maximum 72 characters are supported for the password

IdP Support

Cloud Exchange supports integrating with Identity Providers via SSO, though users can also be created locally on the box by the admin administrator that is logged in locally. There will only be one root admin. SSO should be the primary method of logging into CE, and where available, should leverage multi-factor authentication. There should be no other local users defined if possible.

Only users that require tokens should be provided roles that include token creation. Roles and users can be set up to have read-only only access. Use least privileged access to create roles with read-only access when possible for most users.

Password Management

There is currently no mechanism to enforce complex passwords or password expiration in Cloud Exchange. Again, SSO is expected to manage these advanced identity requirements. Account credentials should have an expiration and users should be prompted to reset their SSO password periodically.

The original admin should change its default password during the first session. If other users had to be defined locally, the administrator should periodically change their passwords via the GUI, although users can also be prompted to change their passwords manually in their own sessions via the Settings > Account > Change Password setting.

Managing Credentials

The following privileges are required with the v2 token:

  • Read + Write /api/v2/policy/urllist
  • Read + Write /api/v2/policy/urllist/deploy
  • Read + Write /api/v2/policy/urllist/file
  • Read + Write /api/v2/incidents/uba/getuci
  • Read + Write /api/v2/ubadatasvc/user/uci
  • Read /api/v2/events/dataexport/events/alert
  • Read /api/v2/events/dataexport/events/application
  • Read /api/v2/events/dataexport/events/audit
  • Read /api/v2/events/dataexport/events/connection
  • Read /api/v2/events/dataexport/events/incident
  • Read /api/v2/events/dataexport/events/infrastructure
  • Read /api/v2/events/dataexport/events/network
  • Read /api/v2/events/dataexport/events/page
  • Read /api/v2/events/dataexport/alerts/compromisedcredential
  • Read /api/v2/events/dataexport/alerts/ctep
  • Read /api/v2/events/dataexport/alerts/dlp
  • Read /api/v2/events/dataexport/alerts/malsite
  • Read /api/v2/events/dataexport/alerts/malware
  • Read /api/v2/events/dataexport/alerts/policy
  • Read /api/v2/events/dataexport/alerts/quarantine
  • Read /api/v2/events/dataexport/alerts/securityassessment
  • Read /api/v2/events/dataexport/alerts/uba
  • Read /api/v2/events/dataexport/alerts/watchlist

Encrypting Logs

The Logs managed by Log Shipper are not persisted within CE during normal operations. The logs are fetched and transmitted over TLS communication.

In case of RabbitMQ paging out the messages to disk, the log messages would get stored on disk momentarily.

Table of Acronyms

Acronym Description
AD Active Directory
API Application Programming Interface
ARE Application Risk Exchange
CE Cloud Exchange
CLS Cloud Log Shipper
CTE Cloud Threat Exchange
CTO Cloud Ticket Orchestrator
CIS CIS benchmark standard
DLP Data Leak Prevention
IdP Identity Provider
SSL Secure Socket Layer
SSO Single Sign-on
TLS Transport Layer Security
UI User Interface
URE User Risk Exchange

Share this Doc

Cloud Exchange Hardening

Or copy link

In this topic ...