Netskope Client Troubleshooting Guide

Netskope Client Troubleshooting Guide

This guide is designed to help troubleshoot issues with end-users and administrators using Netskope Client.

Netskope Client steers traffic from the end-user device to the Netskope Cloud. The Client creates an SSL tunnel from the end device and terminates it at the Netskope forward proxy in the Cloud. The tunnel carries traffic that is selected by the administrators as part of the steering configuration. All intermediate and root CA Certificates are installed in the system cert store during the Netskope Client installation to facilitate the SSL termination.

General Troubleshooting Methods

Is my Netskope Client installed and active?

The easiest way is to check the taskbar or menu bar for an active Netskope icon on your screen.

Windows

macOS

Linux

 If Netskope Client is hidden by your administrator, use the Task Manager (Windows) or Activity Monitor(macOS) to check the Netskope Client service. 

To learn more, view Using Netskope Client.

Where can I view more details about the Netskope Client?

 To view details, do the following:

  1. Click the Netskope Client icon.

  2. Select Configuration to display the window. The following details are constant including Organization, Gateway, Steering Configuration, and so on.

    • Organization

    • Gateway: The Gateway IP however will be intelligently identified based on your location. In this case, A user based out of Austin, TX is redirected to the closest Netskope datacenter of Dallas for gateway-tenant.goskope.com.

    • Gateway IP

    • User Email: The User Email will typically be the UPN derived from the iDP and unique to each user.

To learn more, view Netskope Client.

Is my Netskope Client disabled?

An administrator or end-user can enable a disabled Client. If disabled, click the Netskope Client icon and select Enable Netskope Client option to activate the Client again.

How can I know if I am connected to the nearest datacenter?

The Netskope Client always routes traffic to the nearest datacenter (with Client assisted GTM). The Gateway IP in the Netskope Client Configuration must display the location of the nearest datacenter.

How do I know if a specific website is steered through Netskope?

The Netskope Client steers traffic from the user machine to the Netskope Cloud.

  • Cloud Apps – Only defined SaaS app traffic over ports 80, 443 is steered.

  • All Web Traffic – All traffic going to ports 80,443 is steered. Non-standard ports configured on the webUI are also steered. 

  • All Traffic – Steer all HTTP(S) and non-HTTP(S) to the Netskope cloud for deep analysis.

    In CASB/Cloud Apps mode, Netskope does not steer All Web traffic today and is limited to specific applications defined in the steering configuration. The easiest way is to view the application browser certificate and check if the Issuer is signed by Netskope.

    The following example shows the browser certificate details when the traffic from box.com is steered through Netskope.

    Steered through Netskope

    Not steered through Netskope

    For non-web traffic, you can check SkopeIT in your tenant and view whether your traffic was bypassed or blocked by Netskope.

    How does the Netskope Client determine what to steer?

    The Netskope Client inspects the end device packets using OS packet filtering capabilities (Traffic mode and exceptions). This process varies according to the OS and the presence of Explicit Proxy in the network.

    Will my applications/web sites see my IP address or Netskope address?

    All sites that are steered through Netskope will see the source (egress) IP as coming from Netskope IP address space.

    If applications require source IP allowlisting, they will need to allowlist the Netskope IP ranges found here: Consolidated List of IP Ranges for Allowlisting.

    Private Access

    How can I know if my Client is connected to NPA?

    1. Right-click on the Netskope Client icon in the system tray and select Configuration. Private Access should show as Connected.

      For Windows, you can also check one of the following options:

      • The tooltip of Netskope Client icon in the tray icon shows the NPA status. Or,

      • Click the Netskope Client icon and check the Services section. It displays Private Access if the NPA status is enabled.

    2. If the Configuration shows Private Access as Disabled, make sure the Steer all Private Apps option is enabled in the Steering Configuration settings for your tenant. Go to Settings > Security Cloud Platform > Steering Configuration.

      If you are using only the Default tenant configuration, click Edit in the upper right corner. If you have multiple Steering Configurations, click on the name of the Steering Configuration you are using for NPA to open the details page.

Endpoint DLP

Where can I enable Endpoint DLP to my client configuration?

Endpoint DLP is an add-on feature for the Netskope Client. To enable Endpoint DLP for the Netskope Client, contact your sales representative.

Select Enable Endpoint DLP to enable Endpoint Data Loss Prevention for the client configuration and apply Content and Device Control policies to the devices. You can enable Endpoint DLP for the Default Tenant Config to apply policies to all client users or for custom client configurations to apply policies to specific users.

Troubleshooting Configuration Issues

How can I perform a speed test on the connected Netskope POP?

  1. Click the Netskope Client icon.

  2. Select Advanced Debugging.

  3. Click Speed Test.

  4. Select the desired File Size option.

  5. Click Start.

    For example, view the following screenshots for macOS:

    How can I restart the Netskope Service on my Windows, macOS, or Linux devices?

    Use the following commands:

    Windows

    Ensure that Protect Client configuration and resources field is disabled in Client Configuration.

    • Start Service: stagentsvc -start

    • Stop Service: stagentsvc -stop

macOS
  • Pre Big Sur

    • Start Service: sudo launchctl load

      /Library/LaunchDaemons/com.netskope.stagentsvc.plist 

    • Stop Service: sudo launchctl unload

      /Library/LaunchDaemons/com.netskope.stagentsvc.plist 

  • BigSur/Monterey or later

    There is no command to stop network extension. You need to disable the client from the UI.

Linux
  • Start service: sudo systemctl start stagentd.service

  • Stop service: sudo systemctl stop stagentd.service

How can I gather information about the Netskope Client using API?

https://<tenant-URL>/api/v1/clients – This endpoint returns information related to the Netskope Client. To learn more, view Get Client Data.

How do I save my Netskope Client logs?

  • To save Client logs, go to Netskope Client icon > Save Logs. You can save the .zip log file to a specific folder.

  • If the Client is hidden by your administrator, use command-line options to save the .zip log files.

    • Windows = Nsdiag.exe –o mylogs.zip

    • Mac = ./nsdiag –o mylogs.zip

    • Linux = /opt/netskope/stagent/nsdiag -o mylogs.zip

    • Android = NetskopeLogs.zip

How can I collect the log details from my Netskope account?

  1. Go to Settings > Security Cloud Platform > Devices page, search for the username and click the device name.

  2. Click Collect Log on the top right-hand corner.

  3. Once the log file is generated, the admin (requestor) receives an email link to download the log to their local computer in zip format.

Where can I find the Netskope certificates and branding files?

  • Windows: C:\ProgramData\netskope\stclient

  • macOS: /Library/Application\ Support/Netskope/STAgent

  • Linux: /opt/netskope/stagent/

  • Android:Settings > Biometrics and SecurityOther Security Settings > View Security Certificates. Tap on the User tab. You can see the Security certificates for Netskope.

  • iOS: Settings > VPN > VPN Profile > More Details. The branding file is protected and not viewable.

Where can I find the Netskope Log files?

Windows
ProcessesLog Location
Netskope Client services and other processes running as admin%ProgramData%/Netskope/stagent/Logs
User process%APPDATA%/Netskope/STAgent/Logs
Service crash dump%ProgramData%/Netskope/stagent/Logs
UI Crash dump%APPDATA%/Netskope/stagent/Logs
macOS
ProcessesLog Location
System extensions and other processes with root privilege/Library/Logs/Netskope
User process ~/Library/Logs/Netskope
Linux
ProcessesLog Location
Service and installation logs/opt/netskope/stagent/logs
UI and stAgentApp~/.netskope/stagent/logs
Android
  1. Go to the Netskope Client app.

  2. Click the three dots.

  3. Select Send Logs

  4. You can download it to the desired location.

iOS

Users cannot read Netskope logs on iOS devices, but you can download Netskope logs zip files and share them through AirDrop and email.

Where can I find the Netskope executables and diagnostic tools?

  • Windows: C:\ProgramFiles(x86)\Netskope\STclient\

  • macOS: /Library/Application\ Support/Netskope/STAgent

  • Linux: /opt/netskope/stagent/

  • Diagnostic command in Windows: %ProgramFiles(x86)%\Nestkope\STclient\nsdiag.exe

  • Diagnostic command in Mac: /Library/Application Support/Netskope/STclient/nsdiag

  • Diagnostic command in Linux: /opt/netskope/stagent/nsdiag

Share this Doc

Netskope Client Troubleshooting Guide

Or copy link

In this topic ...