New Features And Enhancements In Release 112.0.0
Here is the list of the new features and enhancements.
Important Announcement
We’re using a new IP address range. To ensure uninterrupted service, you must update your allowlist to include the new range. For details, see: Support.
Advanced Analytics
Bulk Move Feature
Added the ‘Bulk Move’ feature to Advanced Analytics. Users can now select multiple folders, dashboards or widgets and move them to a different location from the Personal or Group folder.
API Data Protection
New Policy Enhancement for Google Drive
Starting this release, Classic API Data Protection introduces an advanced policy action with a new checkbox on the policy wizard page: Remove inherited collaborators from parent folder in team drive. This checkbox is available for Google Team Drive under the Restrict Access policy action. When this checkbox is selected, the Netskope policy engine removes violating inherited collaborators from the parent folder in Team Drive. If this checkbox is unchecked, Netskope does not remove inherited collaborators from the parent folder level.
Re-categorization of Exposure for Microsoft 365 OneDrive and SharePoint
Starting this release, Classic API Data Protection will treat links created for a file at the organization level as an ‘Enterprise’ exposure. This exposure is applicable for Microsoft 365 OneDrive and SharePoint apps only. For more information, see File Sharing Exposure.
CASB Real-time Protection
GCP Inline Browser Support
Inline activity coverage for browser/console traffic is now supported for real-time protection for the following GCP services/apps:
- Google Cloud Kubernetes Engine API
- GCP Service Networking
- GCP Cloud Functions
The supported browser/console traffic coverage is listed in the Supported GCP Entities for Real-time Protection topic.
Box Admin Application Update
Enhanced the Box Admin app coverage for optimised activity detection and instance identification.
Google Workspace Apps API Coverage Enhancements
Enhanced coverage for API traffic across the following Google Workspace Apps:
- Google Drive
- Google Gmail
- Google Chat
- Google Calendar
- Google Keep
MS Yammer Application
Added support to detect the engage.cloud.microsoft domain as a Yammer application.
Data Protection
Alert & Continue for Email Outbound policy
With this release, Alert and Continue policy evaluation is now available for Email Outbound policies, in addition to Cloud/Web access policies. It is now possible to configure Email Outbound policies with DLP profiles and select the Continue policy evaluation after match option to continue policy evaluation after a policy match. This feature enables the Netskope Cloud to continue evaluating Email Outbound policies for additional DLP violations, instead of terminating and exiting policy evaluation after a match.
To use the Continue policy evaluation after match option, an Email Outbound policy must have one or more DLP profiles with actions set to Alert. Any DLP profile matches with actions other than Alert will result in the termination of policy processing.
When multiple DLP profile matches occur while using this feature, any incidents generated will list all matching DLP profiles and related policies. In addition to this, a single policy alert will continue to be generated and list all matching policies.
Intrusion Prevention System (IPS)
Traffic Type for IPS Signature Overrides
When creating an IPS signature override, you can now filter signatures by web or non-web traffic if you have Cloud Firewall. The IPS Settings page also displays whether signatures apply to web and/or non-web traffic.
To learn more: About IPS Settings.
Next Generation API Data Protection
General Availability (GA) of Atlassian Confluence
As part of this release, Next Generation API Data Protection for Atlassian Confluence is now qualified as GA. With this qualification, Next Generation API Data Protection for Atlassian Confluence can now support policy creation, DLP, threat protection using ongoing and retroactive scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure Atlassian Confluence, see Configure Atlassian Confluence for Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
Microsoft 365 Outlook App Support
Next Generation API Data Protection now supports Microsoft 365 Outlook (Commercial). With this qualification, Next Generation API Data Protection for Microsoft Outlook can support policy creation, audit, DLP, threat protection, and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure Microsoft 365 Outlook, see Configure Microsoft 365 Outlook for Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
- If you currently use the classic version of the Microsoft 365 Outlook app, no action is required. You should continue to use the classic version that you use today. Netskope will notify you via a banner message on the Netskope tenant UI when you can switch over to the Next Generation apps.
- If you currently do not use the classic version of the Microsoft 365 Outlook app, Netskope will make the app available to you in phases. To check if the app is available on your Netskope tenant, follow the instructions below:
  - Log in to your Netskope tenant and navigate to Settings > Configure App Access > Next Gen > CASB API.
  - If you see the Microsoft 365 Outlook app listed, you are eligible to configure the app on the Next Generation API Data Protection platform.
  - If you do not see the app, stay tuned; the app will be made available in due course. In the meantime, you can continue to set up the app available under Settings > Configure App Access > Classic > SaaS.
File-based DLP Alert for GitHub
Initially, when a DLP scan generated an alert for a commit, Netskope could only identify which commit violated the DLP rule. However, Netskope lacked the capability to determine the specific file and line responsible for the DLP rule violation, causing inconvenience for users trying to locate the affected file.
Now, with file-based alerts, Netskope can provide DLP alerts with detailed file-level information. Each section of a commit that includes any violations will result in a unique incident with a URL linking to that section of the commit. The alert will specify the violating commit, the associated file, and the specific code block that breaches the DLP rule. Additionally, it includes a URL that allows customers to easily view the identified violation within GitHub. To view a DLP incident, navigate to Incidents > DLP, look for a GitHub incident, and click it.
New Policy Action for Google Drive, Microsoft 365 OneDrive and SharePoint
Starting this release, Next Generation API Data Protection supports the Delete policy action for Google Drive, Microsoft 365 OneDrive & SharePoint apps. With this action, you can now configure a Next Generation API Data Protection policy to delete violating files and folders.
For additional nuances, see Create a Next Generation API Data Protection Policy.
New Inventory Enhancement
Starting this release, the Inventory page has introduced two new sections on the side panel details – Sharing and Links.
- Sharing: Displays a list of user email addresses with whom the file is shared and the corresponding permission access level.
- Links: Displays a list of ‘Links’ associated with a file along with the link metadata such as exposure level, permission level and link expiry date.
Netskope Secure Web Gateway (NG SWG)
Conditional dedicated egress IP Support
Previously, when you used dedicated egress IPs with conditions configured to control which traffic uses them, all bypassed traffic (such as transactions that matched an SSL Do Not Decrypt policy) used the dedicated egress IP address regardless of the conditions that were configured.
Dedicated egress IP conditions are now applicable to bypassed traffic as well. Regardless of whether or not the transaction is decrypted, only transactions matching one of the dedicated egress IP conditions will egress using a dedicated egress IP address.
When the dedicated egress IP feature is enabled but no conditions are configured, all traffic will continue to egress using a dedicated egress IP address, whether the transaction is decrypted or not.
BYOK Support in China DC
This feature allows users in China to use their own encryption keys to sign certificates that are used by Netskope to trust devices.
UI Changes to Support Ephemeral CA
Upon activating certs, users will now be notified that cert activation takes time to propagate, to help them have more accurate expectations. They will also be warned that activating a cert deactivates the existing cert.
File Type Feature Migration
We suggest that you migrate your Inline Policies from the old file types to the new file types, as the old file types are deprecated.
Enhanced the mechanism by forcing the file type migration window to show up on the Inline Policy page for those who have not migrated.
Bypassed NSProxy Traffic
With the new dynamic steering enhancement feature on NS Client, you may see inconsistent steering exception results on NS Proxy. This is because on-prem and off-prem steering exception configurations are combined into one on NS Proxy. For example, the NS Client steering configuration may require that an off-prem flow be inspected by NS Proxy, but on NS Proxy the same flow will be bypassed if it is in the steering exceptions for on-prem.
With this feature, you can completely disable the evaluation of steering exceptions as SSL exceptions on NS Proxy. By default, this behavior is disabled.
Allow Differentiation in SSL Decryption by OS and Access Method
Introduced the ability to create SSL Decryption policies based on specific Access Method and OS. In R112 specifically, we have added OS Family and Access Method filtering capabilities to the SSL Decryption page.
Increase OU/groups for Inline Customers
We have extended the limit of unique user groups/OUs that can be used in Real-Time policies and SSL decryption policies from 1024 to 4096.
Netskope Private Access (NPA)
Private Apps Lists Filters
Filters are now available for Private Applications definitions on the web UI. Administrators can narrow down applications further using filters such as Tags and application type. The functionality is controlled by a backend flag introduced in R112. To enable this feature, please reach out to Support or your Netskope Account Team.
Remote Browser Isolation (RBI)
RBI Policy Creation Guardrails: Browser Criteria
RBI policy creation and editing now enforce specifying the user’s browser as part of the RBI policy source criteria, to increase the efficacy of customers’ RBI policies and greatly reduce non-isolable requests sent to RBI.
This new feature provides support for mandatory browser fields in isolate-type policies, for example RBI, Web Access and Cloud App Access. If the Action is isolate, the browsers field loads with the names of the supported browsers. This field cannot be left blank when saving the RTP.
Added New supported categories to Extended RBI License
RBI added support for new Web and cloud app categories in the “Extended RBI license”, including general and security categories:
- Security Risk – Phishing/Fraud
- Security Risk – Spam sites, Business, Consumer, Knowledge Management.
These categories will show up as supported categories for “Extended RBI license” customers adding them to isolate policies.
To learn more, see: RBI Category Definitions
Isolation Indicator Customization For Colored Frame
RBI templates have added support for frame/border color which facilitates setting the color of the Colored Frame isolation indicator to reflect the site risk (for example, red border) or align with customer’s corporate look and feel. You can set the frame color using the color picker or adding a HEX code and see a preview of the Isolation indicators.
To learn more, see: RBI Templates
SaaS Security Posture Management (SSPM)
Enhancement to Import from Rule Option
When you create a SaaS Security Posture Rule using the Import from Rule option, it will by default copy the severity, description, remediation steps and compliance details of the predefined rule into the new rule.
Deep Visibility into SaaS Apps and 3rd Party Apps
With this update, SSPM introduces an Apps and 3rd Party Apps beta page that provides a summary and details of all the SaaS Apps and 3rd Party Apps, with their posture and resources, in the UI.
To learn more: SaaS Security Posture Management Dashboard
Predefined Rules for R112 in SSPM
Added 14 new predefined rules. These are for the following categories:
- Apps:
  - Salesforce: 7
  - Microsoft Entra: 2
  - Microsoft 365: 1
  - GitHub: 2
  - ServiceNow: 1
  - Zoom: 1
- MITRE ATT&CK:
  - Collection: 1
  - Credential Access: 1
  - Exfiltration: 3
  - Initial Access: 6
  - Impact: 1
- Security Domains:
  - Application: 3
  - Authentication: 5
  - Certificate Management: 1
  - Collaboration: 1
  - Data and File Security: 1
  - Encryption: 1
  - IAM: 2
  - Sharing: 1
  - Threat Protection: 1
  - 3rd Party Apps: 2
New Security Subdomains for Rule Categorization
SSPM introduces 3 new subdomain categories which can help select the posture detection rule for 3rd Party Apps, Encryption and Sharing. The 72 existing rules are tagged to these new subdomains.
SkopeIT
Filtering MIP related alerts and incidents
The ability to filter MIP alerts and incidents is now available. You can now define filters to focus on violations raised due to a given MIP label.
Threat Protection
Useragent Field
Malware and IPS alerts in SkopeIT now display user agent string values.
Traffic Steering
Display Steering Details
Added Steering Configuration details used by the Client on the Devices page.
Display MAC Address
Earlier, the Client did not send the list of MAC addresses of the physical network interfaces that the device currently uses. Now, the Devices webUI displays the MAC addresses of these physical network interfaces.
Schedule Auto-upgrade For Client
Introduced a method that enables the tenant administrators to schedule an auto-upgrade according to their availability and convenience. Earlier, the Client upgraded automatically whenever a new version was available and the tenant administrator did not have the option to change the timing due to network or other issues at their end.
To learn more: Netskope Client Configuration.
New Device Status Events
Introduced “Tunnel Down” and “Tunnel Down Due to Error” events, with additional details that explain why the tunnel is down, in WebUI > Devices page > Events.
To learn more: Devices
Post Frequency Change
Until version 112.0.0, the Client posted events to the webUI every five minutes and this interval was not configurable. From 112.0.0, you can configure the Client to post events every two, three, four, or five minutes.
Client Status Enhancement
Improved Client status to remove duplication and increase efficiency.
Flexible Dynamic Steering
This feature was earlier in Beta and is now available as Controlled-GA. The feature still continues with the same enhancements that were made in the Beta release.
Enhanced the following in the Beta release:
- On-Prem detection enhancement supports multiple IPs for DNS detection and multiple HTTP hosts detection.
- For the steering traffic mode, you can switch traffic mode between On-Prem, Off-Prem and the new mode None. When the traffic mode is None, the client will establish a tunnel but will not steer traffic. Exceptions will not be processed as they are only applicable for steered traffic.
- For the steering exception rules:
  - Firewall app exceptions contain separate sets of rules between On-Prem and Off-Prem in All steering traffic mode.
  - Category exceptions contain a set of rules between On-Prem and Off-Prem in Web or All mode.
  - If the packet matches configured exceptions and needs to be bypassed, you can select new exception bypass options to bypass locally on the client device, or bypass by tunnelling on the backend.

To learn more, see Dynamic Steering.
Download Client Log
Previously, the administrator could not download Client logs that were uploaded before a CA cert rotation from the Devices WebUI. With this release, the admin can download Client logs before or after the cert rotation.
Support for M3 Platform
Supports Apple M3 chipset hardware along with Apple x86, M1, and M2 chipset hardware.
To learn more, see Netskope Client Support OS Platform.
Tunnel Steering
GRE Schema Changes
Added bandwidth support in GRE site.
WebUI Migration
Enabled IPSec/GRE WebUIv2 for all new tenants.
Deprecated Feature
Deprecation of Quarantine And Restore Actions on the Malware Page
The MD5 used in quarantine and restore alerts does not match the original malware file MD5. All alerts will continue to be available on the SkopeIT page.