
Netskope Help

Netskope IPSec with Fortinet FortiGate

This guide illustrates how to configure an IPsec VPN tunnel between Netskope and a FortiGate firewall. The configuration example uses a FortiGate running FortiOS 6.4.3. The same settings apply to other FortiOS versions, although WebUI menu locations and default values may differ between releases.

There are two ways to do the configuration: the CLI and the WebUI. The CLI is faster, but some users are more comfortable with the GUI. Both are covered here.

Configure FortiGate using a CLI
  1. Create a VPN IPsec Phase 1. The << annotations mark values you must replace; they are not CLI syntax, so strip them before pasting.

    config vpn ipsec phase1-interface
        edit "NSKP-POP-XXXXX"
            set interface "wan1"             << change for your WAN interface
            set ike-version 2
            set keylife 28800
            set peertype any                 << the remote peer ID is not checked; the tunnel is pinned by remote-gw and the PSK
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set localid "XXXXX@XXXXXX"       << change for your localid; must equal the source identity in the Netskope tenant
            set dhgrp 16 15 14
            set remote-gw 163.116.XXXX.38    << change for your selected POP
            set psksecret XXXXXXX            << change for your pre-shared key
        next
    end
  2. Create a VPN IPsec Phase 2. Both proposal lists include SHA-1 options for compatibility; if the cipher selected in the Netskope tenant does not need them, remove the SHA-1 entries from Phase 1 and Phase 2 so the FortiGate never offers them.

    config vpn ipsec phase2-interface
        edit "NSKP-POP-XXXXX"
            set phase1name "NSKP-POP-XXXXX"
            set proposal aes256gcm aes128gcm aes128-sha1 aes256-sha1
            set dhgrp 16 15 14
            set auto-negotiate enable        << bring the tunnel up without waiting for traffic
            set keylifeseconds 7200
        next
    end
  3. Create at least one firewall policy whose destination interface is the VPN interface. The example below allows HTTP and HTTPS from the internal interface into the tunnel; narrow srcaddr to your LAN subnets rather than "all" where you can. For example:

    config firewall policy
        edit 999
            set srcintf "internal"
            set dstintf "NSKP-POP-XXXXX"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS"
            set logtraffic all
            set nat enable
        next
    end
  4. Create a static route through the VPN interface so that the tunnel is installed in the RIB. Keep the administrative distance equal to the default route's and give the route a worse priority (a higher number; in FortiOS a lower priority value is preferred), so it sits in the routing table without displacing the default route. The policy routes in the next step can only steer traffic to an output device that has a route in the RIB.

    config router static
        edit 999
            set priority 10
            set device "NSKP-POP-XXXXX"
        next
    end
  5. Create policy routes that redirect web traffic (TCP 80 and 443) to Netskope. Protocol 6 is TCP. Fill in src with your LAN network and dst with the destinations to redirect; both are left blank here.

    config router policy
        edit 998
            set input-device "internal"                 << incoming interface
            set src ""        << LAN network
            set dst ""
            set protocol 6                              << TCP
            set start-port 443
            set end-port 443
            set output-device "NSKP-POP-XXXXX"
        next
        edit 999
            set input-device "internal"                 << incoming interface
            set src ""        << LAN network
            set dst ""
            set protocol 6                              << TCP
            set start-port 80
            set end-port 80
            set output-device "NSKP-POP-XXXXX"
        next
    end
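The Phase 1 and Phase 2 settings above decide how strong the tunnel is, and the localid and psksecret values are what the Netskope tenant checks against. The following Python script is an added example written for this page, not Netskope or Fortinet code. It parses FortiOS config/edit/set blocks as they appear in the CLI (or as printed by show vpn ipsec phase1-interface and show vpn ipsec phase2-interface after a WebUI build) and flags IKEv1, DES/3DES/MD5/SHA-1 proposals, DH groups below 14, a missing or mismatched localid, and Phase 2 entries without auto-negotiate. The sample config is constructed from this guide's snippet plus a deliberately weak second tunnel, LEGACY-TUNNEL, which is hypothetical; the weak-algorithm tokens and the group-14 threshold are this reviewer's own thresholds, not a Netskope requirement.

```python
import shlex

# Constructed sample input: the Phase 1/Phase 2 blocks from this guide (placeholders and
# "<<" annotations kept) plus a hypothetical, deliberately weak tunnel "LEGACY-TUNNEL".
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "NSKP-POP-XXXXX"
        set interface "wan1"             << change for your wan interface
        set ike-version 2
        set keylife 28800
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "XXXXX@XXXXXX"       << change for your localid
        set dhgrp 16 15 14
        set remote-gw 163.116.XXXX.38    << change for your selected POP
        set psksecret XXXXXXX            << change for your preshared
    next
    edit "LEGACY-TUNNEL"
        set ike-version 1
        set proposal 3des-md5 aes128-sha1
        set dhgrp 2 5
        set psksecret XXXXXXX
    next
end
config vpn ipsec phase2-interface
    edit "NSKP-POP-XXXXX"
        set phase1name "NSKP-POP-XXXXX"
        set proposal aes256gcm aes128gcm aes128-sha1 aes256-sha1
        set dhgrp 16 15 14
        set auto-negotiate enable
        set keylifeseconds 7200
    next
    edit "LEGACY-TUNNEL"
        set phase1name "LEGACY-TUNNEL"
        set proposal 3des-sha1
        set dhgrp 2
    next
end
"""

PHASE1 = "vpn ipsec phase1-interface"
PHASE2 = "vpn ipsec phase2-interface"
WEAK_TOKENS = ("des", "md5", "sha1")  # reviewer's choice: substrings naming DES/3DES, MD5 or SHA-1


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.split("<<", 1)[0].strip()   # drop the guide's "<<" annotations
        if not line:
            continue
        if line.startswith("config "):
            section = line[7:]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = shlex.split(line[5:])[0]
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            sections[section][entry][key] = shlex.split(rest)   # handles quoted values
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return sections


def weak_proposals(proposals):
    """Return the proposals that rely on DES/3DES, MD5 or SHA-1 (e.g. 3des-md5, aes128-sha1)."""
    return [p for p in proposals if any(t in p.lower() for t in WEAK_TOKENS)]


def weak_dh_groups(groups):
    """Return DH groups below group 14 (2048-bit MODP), the reviewer's minimum here."""
    return [g for g in groups if g.isdigit() and int(g) < 14]


def audit(sections, expected_localid=None):
    """Return (tunnel, finding) pairs for Phase 1/Phase 2 settings a reviewer should question."""
    findings = []
    p1, p2 = sections.get(PHASE1, {}), sections.get(PHASE2, {})
    for name, s in p1.items():
        if s.get("ike-version", ["1"]) != ["2"]:   # FortiOS defaults to IKEv1 when unset
            findings.append((name, "phase1 uses IKEv1; this guide uses IKEv2 (set ike-version 2)"))
        findings += [(name, f"phase1 proposal {p} uses a weak cipher or hash") for p in weak_proposals(s.get("proposal", []))]
        findings += [(name, f"phase1 DH group {g} is weaker than group 14") for g in weak_dh_groups(s.get("dhgrp", []))]
        if "localid" not in s:
            findings.append((name, "phase1 has no localid; Netskope matches it against the tenant source identity"))
        elif expected_localid and s["localid"] != [expected_localid]:
            findings.append((name, f"phase1 localid {s['localid'][0]} does not match tenant source identity {expected_localid}"))
    for name, s in p2.items():
        if s.get("phase1name", [None])[0] not in p1:
            findings.append((name, f"phase2 refers to unknown phase1 {s.get('phase1name', [None])[0]}"))
        findings += [(name, f"phase2 proposal {p} uses a weak cipher or hash") for p in weak_proposals(s.get("proposal", []))]
        findings += [(name, f"phase2 DH group {g} is weaker than group 14") for g in weak_dh_groups(s.get("dhgrp", []))]
        if s.get("auto-negotiate") != ["enable"]:
            findings.append((name, "phase2 auto-negotiate is off; the tunnel only comes up when traffic arrives"))
    return findings
```

Run it as audit(parse_fortios(SAMPLE_CONFIG), expected_localid="XXXXX@XXXXXX"): the guide's tunnel is reported only for its SHA-1 proposals, while LEGACY-TUNNEL is flagged for IKEv1, 3DES/MD5, DH groups 2 and 5, the missing localid and the missing auto-negotiate. To check a live box, paste the output of show vpn ipsec phase1-interface and show vpn ipsec phase2-interface into the text argument instead of the sample.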
How to Configure FortiGate using WebUI

To begin, you must create a VPN IPsec interface.

  1. Create a new IPsec tunnel.

  2. In the VPN creation wizard, select the Custom template.

  3. In the Remote Gateway section, enter the IP address of your selected Netskope POP and the outgoing interface. Continue to the Authentication section and complete the Method and Pre-shared Key fields.

  4. Complete the Phase 1 section, including the Local ID. Netskope recommends using an email format as the Local ID (the CLI example above uses the placeholder XXXXX@XXXXXX); it must be the same as the source identity in your Netskope tenant.

  5. Complete the Phase 2 section. Enter the Diffie-Hellman Group and the key lifetime in Seconds.

  6. Click OK.

Create at least one policy.

  1. To create a policy with the VPN interface as its destination interface, go to Policy & Objects > Firewall Policy and click Create New.

  2. Enter the necessary information: the internal interface as incoming interface, the tunnel as outgoing interface, the source and destination addresses, the HTTP and HTTPS services, and action ACCEPT, mirroring the CLI policy above.

To create the static route that installs the VPN interface in the RIB, go to Network > Static Routes, click Create New, select the tunnel as the interface, and click OK.

The administrative distance must be the same as the default route's, with a worse (higher-numbered) priority, so the route is present in the routing table without being preferred over the default route.

  1. Policy routes are not visible in the WebUI by default, and they are needed to redirect traffic to the Netskope tenant. To enable them, go to System > Feature Visibility > Advanced Routing, enable Advanced Routing, and click Apply. No reboot is needed, and the change does not affect production traffic.

  2. Go to Network > Policy Routes and click Create New.

  3. Create at least two policy routes (one for HTTP, one for HTTPS): the internal interface as incoming interface, your LAN network as source, TCP as protocol, destination port 80 or 443, and the tunnel as outgoing interface, matching the CLI example above.
To integrate Netskope IPsec with FortiGate, create an IPsec tunnel in your Netskope tenant.

  1. Go to Settings > Security Cloud Platform > IPSec and click Add New Tunnel.

  2. Enter a unique tunnel name.

  3. (Optional) Enter the source IP address.

  4. Enter the source identity, which can be an IP address, FQDN, or email address. It must match the localid configured on the FortiGate exactly.

  5. Select the Primary and Failover Netskope POPs from the dropdown lists. Select POPs nearest to your location.

  6. Enter your pre-shared key. It must match the psksecret configured on the FortiGate.

  7. Select an encryption cipher type from the dropdown list.

  8. Select the maximum bandwidth for the tunnel from the dropdown list.

  9. When finished, click Add.


Some Useful Debug Commands

Below are some commands that can be useful when completing the configuration.

How to debug an IPsec connection (IKE negotiation). The output is verbose, so disable the debug again when you are done:

    diagnose debug application ike -1
    diagnose debug enable
    diagnose debug disable

How to show the routing table and confirm that the static route via the tunnel is installed:

    get router info routing-table all

How to get an IPsec tunnel summary:

    get vpn ipsec tunnel summary

How to list the IKE gateways (Phase 1 state):

    diagnose vpn ike gateway list

How to sniff HTTPS traffic on any interface (filter "port 443", verbosity 4, unlimited packet count, absolute timestamps), for example to confirm that port 443 traffic is leaving through the tunnel:

    diagnose sniffer packet any "port 443" 4 0 a