Overview of Netskope On-Premises Appliance

Netskope’s on-premises Cloud Access Security Broker (CASB) provides the ability to process and maintain data inside an enterprise’s perimeter. The N1000, N2000, and N5000 appliances are the cornerstone of this service as they provide a physical footprint.

Note

This document is dedicated to the full on-premises deployment mode; there’s a separate guide if you are managing appliances from the cloud.

When installed, your appliances should be using the latest software package.

New N2000 Appliances

The new N2000 Appliances are 1U appliances.

N2000_new_with_bezel.jpg

The front of the unit has a removable bezel.

N2000_new_without_bezel.JPG

When the bezel is removed, you can see a control panel with a power button and status LEDs.

N2000_new_front_labels.jpg

The following table describes the control panel.

| Label Number | Name | Description |
| --- | --- | --- |
| 1 | Power button | The main power switch powers the appliance on or off. The switch maintains standby power from the power supply to the appliance. |
| 2 | UID button and LED | The unit identification (UID) button turns on or off the blue light function of the Information LED and a blue LED on the rear of the chassis. The blue LEDs are used to locate the server in large racks. |
| 3 | Power LED | Indicates power is being supplied to the system power supply units. This LED is illuminated when the system is operating normally. |
| 4 | HDD | Indicates activity on the hard drive when flashing. |
| 5 | NIC LED for LAN1 | Indicates network activity on LAN1 when flashing. |
| 6 | NIC LED for LAN2 | Indicates network activity on LAN2 when flashing. |
| 7 | Information LED | Alerts operator to several states, as mentioned in the table below. |

The following table describes the various states of the Information LED.

| Information LED Status | Description |
| --- | --- |
| Continuously on and red | An overheating condition has occurred. This may be caused by cable congestion. |
| Blinking red (1Hz) | Fan failure, check for an inoperative fan. |
| Blinking red (0.25Hz) | Power failure, check for a non-operational power supply. |
| Solid blue | UID has been activated locally to locate the server in a rack environment. |
| Blinking blue | UID has been activated using IPMI to locate the server in a rack environment. |

The rear of the unit has several ports with specific purposes.

new_n2000_appliance_back.png

The IPMI port is used for initial setup only, the inbound port is used for log parsing functionality, and the TAP port is used to receive traffic from a decrypting TAP.

N2000_new_back_port_labels.jpg

The following table provides a mapping of the interface to ports on the unit.

| Interface | Ports | Speed |
| --- | --- | --- |
| | IPMI | 1g |
| eth0 | Management | 1g |
| eth1 | Aux1 | 1g |
| eth2 | Tap | 1g |
| eth3 | Aux2 | 1g |
| eth4 | Out (Outbound) | 10g |
| eth5 | In (Inbound) | 10g |

N1000 and N2000 Appliances

The N1000 and N2000 are 1U appliances. They are best suited for log parsing and other traffic handling duties but can be used in any capacity.

The front of the units has a power button at the center, and a small bank of LEDs on the right side:

N2000Power.png

Important

Before turning off the appliance using the power button, log in to the appliance (using ssh or IPMI) and enter the command shutdown. Use the power button to turn off the appliance only after issuing this command.

The rear of the unit has several ports with specific purposes.

RearPorts1000And2000.png

In a typical installation, the IPMI port is used for initial setup only, the inbound port is used for log parsing functionality, and the TAP port is used to receive traffic from a decrypting TAP.

On older appliances, the rear of the unit is as shown in the following image.

RearPorts-oldAppliance.png

Two AC power supplies are in the rear left of the chassis and provide redundancy. The following image shows the rear of the N1000 chassis.

N1000PowerSupplies.jpg

N5000 Appliances

The N5000 is a 2U appliance best suited for management duties because of its expanded event retention capabilities but can be used in any capacity.

The front of the unit has a power button at the center, and a small bank of LEDs on the right side:

N5000Power.png

Important

Before turning off the appliance using the power button, log in to the appliance (using ssh or IPMI) and enter the command shutdown. Use the power button to turn off the appliance only after issuing this command.

The rear of the unit has several ports with specific purposes.

RearPorts5000.png

In a typical installation, the IPMI port is used for initial setup only, the inbound port is used for log parsing functionality, and the TAP port is used to receive traffic from a decrypting TAP.

Two AC power supplies are in the rear left of the chassis and provide redundancy. The following image shows the rear of the N5000 chassis.

N5000PowerSupplies.png

Appliance LED Status

The appliance has three LEDs in the front – Power LED, HDD LED, and System Status LED.

The following tables describe the LED states that indicate the status of the appliance.

Power LED

| Color | State | Criticality | Description |
| --- | --- | --- | --- |
| Green | Solid on | System OK | System booted and ready. |
| Off | N/A | Not ready | AC power is off. |

HDD LED

| Color | State | Criticality | Description |
| --- | --- | --- | --- |
| Amber | Solid on | HDD OK | HDD is active. |
| Amber | Blink | HDD OK | HDD is transferring data. |
| Off | N/A | Not ready | HDD is inactive. |

System Status LED (Alert LED)

Color: Red
State: Blink
Criticality: Non-critical
Description: Non-fatal alarm – system is likely to fail:
  • Critical temperature threshold asserted
  • CATERR asserted
  • Critical voltage threshold asserted
  • VRD hot asserted
  • SMI Timeout asserted
Action: Contact Netskope support.

Color: Red
State: Solid on
Criticality: Critical, non-recoverable
Description: Fatal alarm – system has failed or shut down:
  • CPU Missing
  • Thermal Trip asserted
  • Non-recoverable temperature threshold asserted
  • Non-recoverable voltage threshold asserted
  • Power fault/Power Control Failure
  • Fan redundancy lost, insufficient system cooling. This does not apply to non-redundant systems.
  • Power supply redundancy lost insufficient system
Note: This state also occurs when AC power is first applied to the system. This indicates the BMC is booting.
Action: Contact Netskope support.

Color: Off
State: N/A
Criticality: Not ready
Description:
  • AC power off, if no degraded, non-critical, critical, or non-recoverable conditions exist.
  • System is powered down or S5 states, if no degraded, non-critical, critical, or non-recoverable conditions exist.
  • If the system is functioning properly, disregard the LED caveat.
Action: No action

System Specifications

appliances_system_spec.png

Outbound Ports

Use these ports for management connectivity and log uploads.

For management connectivity:

| Domain | Description | Port |
| --- | --- | --- |
| config-<tenant-URL> | Use for configuration updates. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443 |
| download-<tenant-URL> | Use for software upgrades. | 443 |
| messenger-<tenant-URL> | Use for reporting and status updates in the UI. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443 |
| callhome-<tenant-URL> | Use for receiving metrics from on-premises appliances and forwarding them to cloud tenants, as well as receiving event data from on-premises dataplane appliances. Also for receiving custom user attributes from user endpoints. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443 |
| defupdate.<tenant-URL> | Use for downloading anti-malware definitions successfully. | 443 |

For log uploads:

| Domain | Description | Port |
| --- | --- | --- |
| upload-<tenant-URL> | Use for sending logs to the Netskope cloud with SFTP. This is the default port for log uploads. | 22 |
| logupload-<tenant-URL> | Use for sending logs to the Netskope cloud with HTTPS. This port is enabled by default. | 443 |
| <tenant-URL> | Use for fetching the REST API token with HTTPS. | 443 |
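
The following pre-flight check is an added example, not Netskope code: run from a host on the same network segment as the management interface, it expands the outbound tables above for one tenant and reports whether each endpoint is reachable and whether an SSL-decrypting proxy is re-signing the domains that must be allowlisted. The script name, the tenant hostname and the proxy CA name passed on the command line are assumptions supplied by the operator.

```python
import socket
import ssl
import sys

# (prefix, separator, port, needs SSL-decryption bypass) as listed in the tables above
OUTBOUND = [
    ("config", "-", 443, True), ("download", "-", 443, False),
    ("messenger", "-", 443, True), ("callhome", "-", 443, True),
    ("defupdate", ".", 443, False), ("upload", "-", 22, False),
    ("logupload", "-", 443, False), ("", "", 443, False),
]

def endpoints(tenant):
    """Expand the tables into (hostname, port, needs_bypass) for one tenant URL."""
    return [(f"{p}{sep}{tenant}", port, bypass) for p, sep, port, bypass in OUTBOUND]

def issuer_name(cert):
    """Flatten the issuer RDN tuples from getpeercert() into 'key=value, ...'."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)

def verdict(needs_bypass, issuer, proxy_ca):
    """Compare the presented issuer with the inspection proxy's CA name."""
    if proxy_ca and proxy_ca.lower() in issuer.lower():
        return "decrypted: needs SSL allowlist entry" if needs_bypass else "decrypted"
    return "ok"

def probe(host, port, needs_bypass, proxy_ca, timeout=5.0):
    """TCP connect; on 443 also complete a verified TLS handshake and judge the issuer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if port != 443:
                return "tcp open"
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return verdict(needs_bypass, issuer_name(tls.getpeercert()), proxy_ca)
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted by this host: often a proxy CA missing from the trust store.
        return f"untrusted certificate: {exc.verify_message}"
    except OSError as exc:
        return f"unreachable: {exc}"

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 preflight.py <tenant-URL> "<proxy CA name>"
    tenant, proxy_ca = sys.argv[1], sys.argv[2]
    for host, port, needs_bypass in endpoints(tenant):
        print(f"{host}:{port}  {probe(host, port, needs_bypass, proxy_ca)}")
```

An "untrusted certificate" result on a 443 endpoint means the checking host could not validate the chain, which is also what an appliance without the proxy's CA would see.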

Inbound Ports

| Service | Description | Port |
| --- | --- | --- |
| Syslog | Use for receiving syslog traffic. | 514 |
| AD Connector | Use for getting IP-to-user mapping with the Netskope AD connector. | 4400 |
| SFTP and SCP | Use for management connectivity and log uploads to the log parser appliance. | 22 |
| FTPS | Use for management connectivity and log uploads to the log parser appliance. | 21 (using explicit SSL) |

Note

Netskope does not support implicit SSL over port 990.

Prerequisites

Before you begin the installation, make sure you meet these hardware and software requirements:

  • Hardware Requirements: To perform a successful install, you will need one temporary network cable for the IPMI port. You will also need two permanent network cables, one for the management interface port and one for the inbound interface port.
  • Software Requirements: To access the remote console for the appliance over the IPMI interface, you will need a working Java Runtime Environment. If you don’t have this, you can download it from http://www.java.com.