Overview of Netskope On-Premise Appliance

Netskope's on-premises Cloud Access Security Broker (CASB) provides the ability to process and maintain data inside an enterprise's perimeter. The N1000, N2000, N5000, and N10000 appliances are the cornerstone of this service as they provide the physical footprint.

Note

This document is dedicated to the full on-premises deployment mode; there's a separate guide if you are managing appliances from the cloud.

When installed, your appliances should be using the latest software package.

N1000 and N2000 Appliances

The N1000 and N2000 are 1U appliances. They are best suited for log parsing and other traffic handling duties but can be used in any capacity.

The front of each unit has a power button at the center and a small bank of LEDs on the right side:

[Image: N2000Power.png]

Important

Before turning off the appliance using the power button, log in to the appliance (using SSH or IPMI) and enter the command shutdown. Use the power button to turn off the appliance only after issuing this command.

The rear of the unit has several ports with specific purposes.

[Image: RearPorts1000And2000.png]

In a typical installation, the IPMI port is used for initial setup only, the inbound port is used for log parsing functionality, and the TAP port is used to receive traffic from a decrypting TAP.

On older appliances, the rear of the unit is as shown in the following image.

[Image: RearPorts-oldAppliance.png]

Two AC power supplies are in the rear left of the chassis and provide redundancy. The following image shows the rear of the N1000 chassis.

[Image: N1000PowerSupplies.jpg]

N5000 and N10000 Appliances

The N5000 and N10000 are 2U appliances best suited for management duties because of their expanded event retention capabilities, but they can be used in any capacity.

The front of each unit has a power button at the center and a small bank of LEDs on the right side:

[Image: N5000Power.png]

Important

Before turning off the appliance using the power button, log in to the appliance (using SSH or IPMI) and enter the command shutdown. Use the power button to turn off the appliance only after issuing this command.

The rear of the unit has several ports with specific purposes.

[Image: RearPorts5000.png]

In a typical installation, the IPMI port is used for initial setup only, the inbound port is used for log parsing functionality, and the TAP port is used to receive traffic from a decrypting TAP.

Two AC power supplies are in the rear left of the chassis and provide redundancy. The following image shows the rear of the N5000 chassis.

[Image: N5000PowerSupplies.png]

Appliance LED Status

The appliance has three LEDs on the front: the Power LED, the HDD LED, and the System Status LED.

The following tables describe the various states of the LEDs that indicate the status of the appliance.

Power LED

Color | State | Criticality | Description
Green | Solid on | System OK | System booted and ready.
Off | N/A | Not ready | AC power is off.

HDD LED

Color | State | Criticality | Description
Amber | Solid on | HDD OK | HDD is active.
Amber | Blink | HDD OK | HDD is transferring data.
Off | N/A | Not ready | HDD is inactive.

System Status LED

Each entry lists Color | State | Criticality, followed by the description and the action to take.

Green | Solid on | System OK
System booted and ready.
Action: No action.

Green | Blink | Degraded
System degraded; one or more of the following conditions exist:
  • Non-critical temperature threshold asserted
  • Non-critical voltage threshold asserted
  • Non-critical fan threshold asserted
  • Fan redundancy lost, sufficient system cooling maintained. This does not apply to non-redundant systems.
  • Power supply predictive failure
  • Power supply redundancy lost. This does not apply to non-redundant systems.
  • Correctable errors over a threshold of 10 and migrating to a mirrored DIMM (memory mirroring). This indicates the user no longer has spare DIMMs, which is a redundancy-lost condition. The corresponding DIMM LED should light up.
Action: Contact Netskope support.

Amber | Blink | Non-critical
Non-fatal alarm; the system is likely to fail:
  • Critical temperature threshold asserted
  • CATERR asserted
  • Critical voltage threshold asserted
  • VRD hot asserted
  • SMI Timeout asserted
Action: Contact Netskope support.

Amber | Solid on | Critical, non-recoverable
Fatal alarm; the system has failed or shut down:
  • CPU missing
  • Thermal Trip asserted
  • Non-recoverable temperature threshold asserted
  • Non-recoverable voltage threshold asserted
  • Power fault/Power Control Failure
  • Fan redundancy lost, insufficient system cooling. This does not apply to non-redundant systems.
  • Power supply redundancy lost, insufficient system
Note: This state also occurs when AC power is first applied to the system; it indicates that the BMC is booting.
Action: Contact Netskope support.

Off | N/A | Not ready
  • AC power off, if no degraded, non-critical, critical, or non-recoverable conditions exist.
  • System is powered down or in the S5 state, if no degraded, non-critical, critical, or non-recoverable conditions exist.
Action: No action.

System Specifications

[Image: appliances_system_spec.png]

Outbound Ports

Use these ports for management connectivity and log uploads.

Note

In release 46 the domain names changed. Release 46 and later require the new domain names. Existing deployments (release 45 and prior) do not require the new domain names, but using them is recommended. The one required update is for auto-updates: either turn off auto-update or use the new download-<tenant hostname>.goskope.com domain name. New deployments on release 46 and higher must use the new domain names.

For management connectivity:

Domain | Description | Port
New: config-<tenant hostname>.goskope.com (old: config.goskope.com) | Use for configuration updates. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443
New: download-<tenant hostname>.goskope.com (old: download.goskope.com) | Use for software upgrades. | 443
New: messenger-<tenant hostname>.goskope.com (old: messenger.goskope.com) | Use for reporting and status updates in the UI. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443
New: callhome-<tenant hostname>.goskope.com (old: callhome.goskope.com) | Use for receiving metrics from on-premises appliances and forwarding them to cloud tenants, and for receiving event data from on-premises dataplane appliances. Also used for receiving custom user attributes from user endpoints. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443
defupdate.goskope.com (no change in the domain name) | Use for downloading anti-malware definitions. | 443

Note

For international deployments, use the same prefixes with the regional suffix: <prefix>-<tenant hostname>.eu.goskope.com or <prefix>-<tenant hostname>.de.goskope.com.

For log uploads:

Domain | Description | Port
New: upload-<tenant hostname>.goskope.com (old: upload.goskope.com) | Use for sending logs to the Netskope cloud with SFTP. This is the default port for log uploads. | 22
logupload-<tenant hostname>.goskope.com (no change) | Use for sending logs to the Netskope cloud with HTTPS. This port is enabled by default. | 443
<tenant hostname>.goskope.com (no change) | Use for fetching the REST API token with HTTPS. | 443

Note

For international deployments, use the same prefixes with the regional suffix: <prefix>-<tenant hostname>.eu.goskope.com or <prefix>-<tenant hostname>.de.goskope.com.
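The two tables above translate directly into a firewall and SSL-decryption change request. The following POSIX shell functions are an added example, not Netskope tooling: they derive the egress allowlist from a tenant hostname and region using the release 46 domain names, extract the domains the tables mark as needing an SSL-decryption exemption, and optionally probe each destination. The tenant hostname "acme" is a constructed placeholder, defupdate.goskope.com is emitted unchanged because the table lists it without a tenant or regional variant, and the reachability check assumes an OpenBSD-style netcat.

```shell
#!/bin/sh
# Added example, not Netskope code: build the egress allowlist an on-premises
# appliance needs from the Outbound Ports tables (release 46 domain names).
# Output: one "fqdn port proto" line per destination, ready to paste into a
# firewall change request. "acme" below is a constructed placeholder tenant.

netskope_egress_list() {
    tenant="$1"
    region="${2:-us}"   # us (default), eu or de
    case "$region" in
        us) suffix="goskope.com" ;;
        eu) suffix="eu.goskope.com" ;;
        de) suffix="de.goskope.com" ;;
        *)  echo "unknown region: $region" >&2; return 1 ;;
    esac
    # Management connectivity, all HTTPS on TCP/443.
    for prefix in config download messenger callhome; do
        echo "${prefix}-${tenant}.${suffix} 443 tcp"
    done
    # Anti-malware definitions: the table lists this name without a tenant
    # or regional variant, so it is emitted unchanged.
    echo "defupdate.goskope.com 443 tcp"
    # Log uploads: SFTP (default), HTTPS, and the REST API token fetch.
    echo "upload-${tenant}.${suffix} 22 tcp"
    echo "logupload-${tenant}.${suffix} 443 tcp"
    echo "${tenant}.${suffix} 443 tcp"
}

# Domains the table marks as needing an SSL-decryption exemption. Add these to
# the decrypting proxy's bypass list; otherwise the appliance is presented with
# the proxy's certificate instead of Netskope's.
netskope_ssl_bypass_list() {
    netskope_egress_list "$1" "${2:-us}" |
        awk '$1 ~ /^(config|messenger|callhome)-/ { print $1 }'
}

# Optional reachability check from the appliance's management network, one
# line per destination. Assumes an OpenBSD-style netcat (nc -z) is installed.
netskope_egress_check() {
    netskope_egress_list "$1" "${2:-us}" | while read -r host port _proto; do
        if nc -z -w 3 "$host" "$port" 2>/dev/null; then
            echo "open   $host:$port"
        else
            echo "closed $host:$port"
        fi
    done
}

netskope_egress_list acme us
```

Run netskope_egress_check with the real tenant hostname from the appliance's management interface after the firewall change; a "closed" line for a 443 destination that is also in the bypass list usually means the decryption exemption, not the firewall rule, is missing.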

Inbound Ports

Service | Description | Port
Syslog | Use for receiving syslog traffic. | 514
AD Connector | Use for getting IP-to-user mapping with the Netskope AD connector. | 4400
SFTP and SCP | Use for management connectivity and log uploads to the log parser appliance. | 22
FTPS | Use for management connectivity and log uploads to the log parser appliance. | 21 (using explicit SSL)

Note

Netskope does not support implicit SSL over port 990.

Prerequisites

Before you begin the installation, make sure you meet these hardware and software requirements:

  • Hardware Requirements: To perform a successful install, you need one temporary network cable for the IPMI port. You also need two permanent network cables, one for the management interface port and one for the inbound interface port.

  • Software Requirements: To access the remote console for the appliance over the IPMI interface, you need a working Java Runtime Environment. If you don't have one, you can download it from http://www.java.com.