
Netskope Help

Protect Netskope IoT Security

The policy engine lets admins define rules and take actions when alerts or security incidents are detected in enterprise IT deployments. Using the Netskope IoT Security policy engine, admins can enforce corrective measures to secure the network environment, through alerts and micro-segmentation, using the NACs, firewalls, or other cloud-based controllers already present in the environment.

Navigate to the Policies tab to view the list of existing policies. To edit or delete a policy, click its name in the list.

Types of policies

You can configure three types of policies:

  1. Context-based policy: defines rules that use device attributes as the policy conditions, such as manufacturer, OS, or model_name.

  2. Network-based policy: defines rules that trigger alerts and corrective actions based on a device's connection properties (source IP address, source port, subnet, destination IP address, destination port, etc.) together with its device context (type, OS, ownership, etc.).

  3. Threat-based policy: defines rules that trigger alerts and corrective actions when a device-level threat or anomaly is detected. A threat-based policy can act on multiple alert categories, such as DDoS attack, suspicious string, or attempted user privilege gain. You also set the threat severity when you create a threat-based policy.

Create policy
  1. Navigate to the Policies tab > Create Policies section.

  2. Set the policy status to active or inactive on creation.

  3. Give the policy a unique name.

  4. Select the policy type: context-based, threat-based, or network-based.

  5. Assign a category to the policy. The category helps you organize policies; it does not affect the policy condition.

  6. Optionally, add a description to explain the policy behavior.

  7. Define the condition to check in the environment. You can define the policy rule or condition in one of these ways:

    • Custom: build a custom rule set by adding rules joined with “and” or “or”. For each rule, select the parameter field, the operation, and the value.

    • Device: select the devices from the list to which the condition applies.

    • Groups: select a group created in your appliance. You can create groups under Manage -> Tags and Groups -> Groups.

  8. Optionally, add devices to the exception list to exclude them from the policy. Click the “Select Devices” button and use the “+/-” button to add devices to the exception list. A device on the exception list bypasses the policy entirely, so review this list as carefully as the rules themselves.

  9. Define the action to perform on the devices that match the condition.

  10. Select the alert severity between high, medium, and low.

  11. Select the action type:

    • Alert: generate an alert when a policy violation is detected. The alert appears in the user interface, and you can forward it to a SIEM through the API.

    • Email: send email notifications to designated recipients.

    • NAC: block or segment the devices through network access control (NAC). Supported NACs include Cisco ISE, Aruba ClearPass, FortiNAC, Juniper ATP, Mist, and Cisco Meraki.

  12. Save the policy.

[Screenshot: Create policy]
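To make the three policy types and the create-policy steps above concrete, here is an added illustration of how such a policy engine evaluates rules. It is not Netskope's code or API: the field names, operation names, device records and policies are all constructed for the example. Each policy is a list of rules joined with "and" or "or", an exception list, an alert severity and an action type; the engine evaluates every active policy against every device record, skips excepted devices, and reports what would fire.

```python
"""Toy model of the policy flow described on this page.

Added illustration, not Netskope's code or API: it models context-, network-
and threat-based policies as rules joined with "and" or "or", applies an
exception list, and reports the severity and action type a matching policy
would fire. Field names, operation names and every device record below are
constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Optional

# Operations an admin could pick in the "Custom" rule builder (assumed names).
OPERATIONS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
    # Network-based rules compare an address against a subnet, not a string.
    "in_subnet": lambda actual, expected: ip_address(actual) in ip_network(expected),
}


@dataclass
class Rule:
    field_name: str   # device attribute, connection property or alert field
    operation: str
    value: Any

    def matches(self, record: Dict[str, Any]) -> bool:
        # A record that lacks the attribute never satisfies the rule (fail closed).
        if self.field_name not in record:
            return False
        return OPERATIONS[self.operation](record[self.field_name], self.value)


@dataclass
class Policy:
    name: str
    policy_type: str                 # "context", "network" or "threat"
    rules: List[Rule]
    conjunction: str = "and"         # "and": all rules must hold; "or": any rule
    severity: str = "medium"         # high / medium / low
    action: str = "alert"            # alert / email / nac
    exceptions: List[str] = field(default_factory=list)  # device ids that bypass it
    active: bool = True

    def evaluate(self, record: Dict[str, Any]) -> Optional[Dict[str, Any]]:
        """Return the action a single device record triggers, or None."""
        if not self.active or record["device_id"] in self.exceptions:
            return None
        combine = all if self.conjunction == "and" else any
        if not combine(rule.matches(record) for rule in self.rules):
            return None
        return {"policy": self.name, "device_id": record["device_id"],
                "severity": self.severity, "action": self.action}


def run_policies(policies: List[Policy], records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate every policy against every record and collect the triggered actions."""
    hits = []
    for record in records:
        for policy in policies:
            result = policy.evaluate(record)
            if result is not None:
                hits.append(result)
    return hits


def nac_targets(hits: List[Dict[str, Any]]) -> List[str]:
    """Device ids a NAC action would block or segment (what a Blocked Devices view would list)."""
    return sorted({h["device_id"] for h in hits if h["action"] == "nac"})


# Constructed records: device context plus the last connection and alert seen for it.
DEVICES = [
    {"device_id": "cam-01", "manufacturer": "AcmeCam", "type": "Camera", "ownership": "corporate",
     "src_ip": "10.20.5.14", "dst_ip": "203.0.113.9", "dst_port": 23,
     "alert_category": None, "alert_severity": None},
    {"device_id": "printer-07", "manufacturer": "PrintCo", "type": "Printer", "ownership": "corporate",
     "src_ip": "10.20.7.2", "dst_ip": "10.20.0.5", "dst_port": 443,
     "alert_category": "suspicious string", "alert_severity": "low"},
    {"device_id": "hvac-03", "manufacturer": "CoolAir", "type": "HVAC", "ownership": "contractor",
     "src_ip": "10.20.9.40", "dst_ip": "10.20.0.7", "dst_port": 1883,
     "alert_category": "attempted user privilege gain", "alert_severity": "high"},
    {"device_id": "scanner-12", "manufacturer": "ScanTek", "type": "Scanner", "ownership": "guest",
     "src_ip": "192.168.40.8", "dst_ip": "198.51.100.4", "dst_port": 23,
     "alert_category": "DDoS attack", "alert_severity": "high"},
]

POLICIES = [
    # Context-based: flag one vendor's cameras from their attributes alone.
    Policy("acmecam-inventory", "context",
           [Rule("manufacturer", "equals", "AcmeCam"), Rule("type", "equals", "Camera")],
           severity="medium", action="email"),
    # Network-based: corporate devices talking Telnet from the IoT subnet get segmented.
    Policy("no-telnet-from-iot", "network",
           [Rule("dst_port", "equals", 23), Rule("src_ip", "in_subnet", "10.20.0.0/16"),
            Rule("ownership", "equals", "corporate")],
           severity="high", action="nac"),
    # Threat-based: a listed alert category OR any high-severity alert; hvac-03 is excepted.
    Policy("isolate-on-threat", "threat",
           [Rule("alert_category", "in", ["DDoS attack", "attempted user privilege gain"]),
            Rule("alert_severity", "equals", "high")],
           conjunction="or", severity="high", action="nac", exceptions=["hvac-03"]),
]

if __name__ == "__main__":
    for hit in run_policies(POLICIES, DEVICES):
        print(hit)
    print("NAC targets:", nac_targets(run_policies(POLICIES, DEVICES)))
```

Running it shows the two things the procedure above leaves implicit: a single device can match several policies at once (cam-01 triggers both the email and the NAC action), and a device on the exception list (hvac-03) produces no action even though its alert would otherwise match the threat-based policy, which is why the exception list deserves the same review as the rules.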
Blocked devices dashboard

The Blocked Devices section lists all blocked or segmented devices. From this page, admins can undo a device's current state (unblock it or remove it from the segmentation group) or add the device to the exception list so that it bypasses policy controls.