Managing Error Settings
Managing Error Settings
You can use the steering error settings to configure actions for anomalies observed in the HTTP/HTTPS traffic.
Netskope doesn’t perform SSL inspection for any bypassed traffic in the error settings.
To configure the error settings for your steering configurations:
- Go to Settings > Security Cloud Platform > Steering Configuration.
- Click Manage Error Settings. The Error Settings window appears. All error settings are global.
- In the Error Settings window:
Due to a limitation, when you select Bypass for SSL failure actions (e.g., Incomplete Certificate Trust Chain), the first connection to a given site on a given node will receive a block page while Netskope caches the certificate’s status. Users must reload the page to continue to the site.
- No SNI: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the Netskope Cloud Proxy can’t determine the Server Name Indication (SNI).
- Malformed SSL: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the designated port is 443 but fails to parse the first packet in the SSL traffic.
- Domain Fronting Protection: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if domain fronting is detected. Netskope detects domain fronting when the SNI and HTTP request Host header are mismatched. Selecting Bypass ignores mismatches.
- Custom Signing CA Error: When the Netskope proxy is reloading due to planned upgrades, block or bypass (fail open) HTTPS requests during the Netskope proxy re-booting time. This is only applicable when the custom signing CA feature is used for inline TLS decryption, which allows customers to upload their own certificate for TLS decryption without trusting Netskope’s root CA.
- CRL/OCSP Check: Block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate is revoked. Netskope terminates SSL for this error and performs deep packet inspection for failed CRL and OCSP checks. Selecting Bypass ignores mismatches and failures.
- SSL Handshake Error: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the SSL handshake fails.
- Self-Signed Server Certificate: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate is self-signed.
- Incomplete Certificate Trust Chain: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate chain is incomplete.
If your organization enabled Dynamic Trusted Store, but you have this setting set to Block, Netskope might block the initial visit to the domain that doesn’t have an intermediate certificate because it’s still fetching the certificate. Users can refresh the website to proceed.
There are cases where the SNI mismatches the Host header, or research teams use domain fronting for testing purposes. Before configuring the Domain Fronting Protection feature, Netskope recommends using it in monitor mode first by reviewing the transaction events for domain-fronted fields and domains to gain granular understanding of domain-fronted sites.
The Domain Fronting Protection option is a global setting and will be applicable to all websites. If you experience blocked traffic to legitimate domains, update the Domain Fronting Protection option to Bypass to unblock the traffic immediately. Then contact Netskope Support to report the domains that were blocked.
Additionally, HTTP/2 is not currently supported for Domain Fronting Protection. Using this feature with HTTP/2 might cause HTTP/2 websites to not load properly or to load slowly without error notifications.
Netskope REST APIs are available to configure wildcard domains or full-domain matches for Domain Fronting Protection. Note that these APIs are domain-specific bypasses for this feature and aren’t global settings. The following APIs are available: Generic List and Domain Fronting Profile.
More information is available in Swagger. In the UI, navigate to Settings > Tools > REST API v2 and click API Documentation to access the Swagger API documentation. To learn more about REST APIs, see REST API v2 Overview.
These APIs are unavailable for the Singapore and United Arab Emirates Netskope POPs.
- Untrusted Root Certificate: Bypass or block traffic between the Netskope Cloud Proxy and the internet server if the server’s certificate isn’t trusted.
- Malformed HTTP: Bypass or block traffic between the Netskope Client and the Netskope Cloud Proxy if the Netskope Cloud Proxy receives an invalid HTTP request.
- SSL Host Mismatch: Block traffic between the Netskope Cloud Proxy and the internet server if the domain name of the server doesn’t match the common name in a server’s certificate. Netskope terminates SSL for this error and performs deep packet inspection for SSL host mismatches. Selecting Bypass ignores mismatches and failures.
After configuring the error settings, the steering configuration starts bypassing or blocking extranet services.
Below are the Netskope error settings that you can configure for your organization to optimize security:
|Error Setting||Default Setting||User Notification Type|
|Domain Fronting Protection||Bypass||Browser|
|SSL Handshake Error||Bypass||Browser|
|Self-Signed Server Certificate||Block||Browser|
|Incomplete Certificate Trust Chain||Bypass||Browser|
|Untrusted Root Certificate||Block||Browser|
|SSL Host Mismatch||Block||Browser|