Security Cloud Platform Configuration

Security Cloud Platform Configuration

Netskope Secure Web Gateway provides the different global configuration settings below.

Dynamic URL Classification

Dynamic URL classification looks at the textual contents of a page and dynamically determines the category for the uncategorized URLs. This feature is turned off by default. After a page has been dynamically categorized, the classification applies to all of your tenant instances. The page classification to a category expires every 12 hours so that if any changes occur to the page, the content is re-evaluated so the chosen category matches the current page content.

To enable dynamic URL classification globally:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under Dynamic URL Classification, click Edit.
    The Dynamic Url Classification Section On The Configuration Page.
  3. In the Edit Dynamic URL Classification, click the toggle to enable or disable. If enabled and users browse an uncategorized URL, Netskope dynamically classifies it into a predefined category.
    The Edit Dynamic Url Classification Window.
  4. Click Save.
  5. Go to Policies > Web > URL Lookup to search for predefined and custom categories or report miscategorization.
    The Url Lookup Tab On The Web Page.

Note

If the URL is miscategorized, use custom categories to define a custom URL category or Report Miscategorization.

URL Case Insensitivity Match

URL lists allow you to compile lists of URLs to include or exclude in policy scans. To enable your URL lists to be treated as case insensitive:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under URL Case Insensitivity Match, click Edit.
  3. In the Edit URL Case Insensitivity Match window, click the toggle to enable or disable. If enabled, all URLs included in your URL lists are matched in a case-insensitive manner.
  4. Click Save.

Safe Search

To block porn and other explicit content in image format that violates your corporate policy, use the Safe Search feature. Supported search engines include Bing, DuckDuckGo, Google, and Yahoo.

To enable safe search globally:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under Safe Search, click Edit.
    The Safe Search Section On The Configuration Page.
  3. In the Edit Safe Search, click the toggle to enable or disable. If enabled, Netskope blocks the session when users browse any inappropriate URLs.
    The Edit Safe Search Window.
  4. Click Save.

Dynamic Trusted Store

To enable trusted store certificates globally:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under Dynamic Trusted Store, click Edit.
    The Dynamic Trusted Store Section On The Configuration Page.
  3. In the Edit Dynamic Trusted Store, click the toggle to enable or disable. If enabled, Netskope blocks the session when users browse any inappropriate URLs.
    The Edit Dynamic Trusted Store Window.
  4. Click Save.

X-Forwarded-For Header

An X-Forwarded-For (XFF) header is used to identify the originating IP address of a user connecting to a web server through an HTTP proxy. Without the XFF header, the proxy server will be identified as the originating IP address. Use this feature to trust IP addresses contained in the XFF header.

Note

For security, this feature is not supported for remote users when using explicit proxy steering methods.

To trust XFF headers globally:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under X-Forwarded-For Header, click Edit.
    The X Forwarded For Header Section On The Configuration Page.
  3. In the Edit X-Forwarded-For Header, click the toggle to enable or disable. If enabled globally, Netskope trusts XFF headers for all traffic in your organization and overrides your XFF configurations for your IPSec tunnels, GRE tunnels, and Explicit Proxy over Tunnel. If disabled, you can trust XFF headers for traffic going through specific tunnels.
    The Edit X Forwarded For Header Window.
  4. Click Save.

Dedicated Egress IP Footprint

Note

Contact Support to enable this feature in your account; additional licensing is required.

There are several auth-related services which may require configuration to allow Netskope Cloud IPs as the source address to these services.

For example, with active auth on the O365 Proxy, the local ADFS server may restrict auth from certain source IPs. Another case is when you want IdP providers to restrict auth requests from certain source IPs, or similarly restrict application access to a specific application. In these cases, you can use the Netskope Cloud IPs for these configurations.

Web and cloud apps that rely on source IP addresses as a form of identification and security can use the Netskope Dedicated Egress IP Footprint feature to help transition from on-premises security controls to a Security Service Edge (SSE) architecture. This provides admins with an additional option to enable access to these applications and minimize disruption to users.

Netskope’s Dedicated Egress IP Footprint feature allocates a minimum of two IP addresses from Netskope owned IP ranges per data plane that matches your accounts NewEdge traffic management zone/region. The dedicated IP ranges are completely separate from the shared IP ranges. Port exhaustion is monitored by the Netskope platform.

All traffic will use these IP addresses and is available for all steering methods and traffic except for Netskope Private Apps (NPA) traffic.

You can see the list of IPs assigned to your account by going to Settings > Security Cloud Platform > Enforcement > Netskope IP Ranges. The Dedicated IP Ranges tab lists the assigned dedicated IPs. You can copy the IP ranges to use for conditional access policies on the SaaS side.

The Netskope Ip Ranges On The Netskope Client Enforcement Page.

Important

Admins must update their IP restrictions for each application.

All Traffic Dedicated Egress IP

To enable dedicated egress IPs for user traffic hitting SaaS apps through the proxy:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under Dedicated egress IP Footprint, click Edit.
    The Dedicated Egress Ip Footprint Section On The Configuration Page.
  3. In the Edit Dedicated egress IP Footprint, click the toggle to enable or disable.
    The Edit Dedicated Egress Ip Footprint Window.
  4. Click Save.

After saving this configuration, Netskope sends all traffic through the dedicated egress IP.

Conditional Dedicated Egress IP

(Optional) You can specify Source and Destination criteria to route matching traffic through the dedicated egress IP. If no criteria is specified, dedicated egress IP applies to all traffic.

To enable dedicated egress IPs for a subset of traffic hitting SaaS apps through the proxy:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under Dedicated Egress IP Footprint, click Edit.
  3. Configure the Source and Destination specifications.
  4. Important

    When configuring a Conditional Dedicated Egress IP policy, keep the following in mind:

    • Any traffic matching the policy criteria uses the dedicated egress IP to egress. The remaining traffic uses a Netskope public IP to egress.
    • All Source and Destination conditions are OR conditions. That is, if any conditions are matched, then that traffic egresses out via the dedicated egress IP.
    • Due to the policy’s OR logic, if the policy excludes users and includes domains, then Netskope sends matching domain traffic from excluded users to the dedicated egress IP.
    • Netskope doesn’t support using the same network profile as match criteria for both Source IP and Destination IP.
    • To add an app belonging to a cloud app suite as a match condition, you must select its cloud app suite from the Cloud App Suite dropdown list. Individual apps belonging to cloud app suites are unavailable for selection from the Application dropdown list. For example, Box is unavailable for selection, but you can select its cloud app suite, Box App.
  5. Click Save.

Localization Zones

Note

Contact your Sales team or Netskope Support to enable this feature in your account.

Localization zones further extend NewEdge global coverage by providing the same experience as direct-to-net with native language and localized content support for all websites, even when there’s no in-country Data Plane (DP). This feature also addresses certain websites or SaaS applications that require users to be local (geo-blocking or geo-fencing). In addition, localization zones maintain users’ experiences during failover or maintenance situations, even when using an out-of-country DP. Localization zones don’t change or modify the traffic path, such as traffic backhauling that adds latency.

For example, when this feature is enabled, a user in Greece receives search results and websites relevant to Greece and in the Greek language, despite connecting via the NewEdge DP in Vienna, Austria. Similarly, in a failover situation for a user in Mexico (where there’s one single DP), the user can connect via the Dallas DP and continue to receive localized content in Spanish. In the case of Mexico, localization zones extend the resilience of NewEdge via six DPs to ensure both security coverage and digital experience remain intact at all times. These DPs include Atlanta, Dallas, Miami, Phoenix, and two in Los Angeles.

The following table lists the currently supported countries for this feature:

RegionSupported CountryIn-Country NewEdge DP
AmericasAnguillaNo
AmericasAntigua and BarbudaNo
AmericasArgentinaYes
AmericasArubaNo
AmericasBahamasNo
AmericasBarbadosNo
AmericasBelizeNo
AmericasBermudaNo
AmericasBoliviaNo
AmericasBonaireNo
AmericasCayman IslandsNo
AmericasChileYes
AmericasColombiaYes
AmericasCosta RicaNo
AmericasCote D'IvoireNo
AmericasCuraçaoNo
AmericasDominicaNo
AmericasDominican RepublicNo
AmericasEcuadorNo
AmericasEl SalvadorNo
AmericasFrench GuianaNo
AmericasGreenlandNo
AmericasGrenadaNo
AmericasGuadeloupeNo
AmericasGuatemalaNo
AmericasGuyanaNo
AmericasHaitiNo
AmericasHondurasNo
AmericasJamaicaNo
AmericasMartiniqueNo
AmericasMexicoYes
AmericasNicaraguaNo
AmericasPanamaNo
AmericasParaguayNo
AmericasPeruYes
AmericasSaint BarthélemyNo
AmericasSaint Kitts and NevisNo
AmericasSaint LuciaNo
AmericasSaint MartinNo
AmericasSaint Pierre and MiquelonNo
AmericasSaint Vincent and the GrenadinesNo
AmericasSurinameNo
AmericasTrinidad and TobagoNo
AmericasTurks and Caicos IslandsNo
AmericasUruguayNo
AmericasVenezuelaNo
APACAfghanistanNo
APACAmerican SamoaNo
APACBangladeshNo
APACBhutanNo
APACBritish Indian Ocean TerritoryNo
APACBrunei DarussalamNo
APACCambodiaNo
APACCook IslandsNo
APACFederated States of MicronesiaNo
APACFijiNo
APACFrench PolynesiaNo
APACHong KongYes
APACIndonesiaNo
APACKiribatiNo
APACLaosNo
APACMacauNo
APACMalaysiaNo
APACMaldivesNo
APACMarshall IslandsNo
APACMongoliaNo
APACMyanmarNo
APACNauruNo
APACNepalNo
APACNew CaledoniaNo
APACNew ZealandYes
APACNorfolk IslandNo
APACPalauNo
APACPapua New GuineaNo
APACPhilippinesYes
APACSamoaNo
APACSingaporeYes
APACSolomon IslandsNo
APACSouth KoreaYes
APACSri LankaNo
APACTaiwanYes
APACThailandYes
APACTimor-LesteNo
APACTongaNo
APACTuvaluNo
APACVanuatuNo
APACVietnamNo
APACWallis and FutunaNo
EMEAAland IslandsNo
EMEAAlbaniaNo
EMEAAlgeriaNo
EMEAAndorraNo
EMEAAngolaNo
EMEAArmeniaNo
EMEAAustriaNo
EMEAAzerbaijanNo
EMEABahrainNo
EMEABelarusNo
EMEABelgiumYes
EMEABeninNo
EMEABosnia and HerzegovinaNo
EMEABotswanaNo
EMEABulgariaNo
EMEABurkina FasoNo
EMEABurundiNo
EMEACameroonNo
EMEACape VerdeNo
EMEACentral African RepublicNo
EMEAChadNo
EMEAComorosNo
EMEACongoNo
EMEACroatiaNo
EMEACyprusNo
EMEACzech RepublicNo
EMEADemocratic Republic of the CongoNo
EMEADenmarkNo
EMEADjiboutiNo
EMEAEgyptNo
EMEAEquatorial GuineaNo
EMEAEritreaNo
EMEAEstoniaNo
EMEAEthiopiaNo
EMEAFinlandNo
EMEAGabonNo
EMEAGambiaNo
EMEAGeorgiaNo
EMEAGhanaNo
EMEAGibraltarNo
EMEAGreeceNo
EMEAGuernseyNo
EMEAGuineaNo
EMEAGuinea-BissauNo
EMEAHungaryNo
EMEAIcelandNo
EMEAIraqNo
EMEAIrelandYes
EMEAIsraelYes
EMEAIsle of ManNo
EMEAItalyYes
EMEAJerseyNo
EMEAJordanNo
EMEAKazakhstanNo
EMEAKenyaNo
EMEAKuwaitNo
EMEAKyrgyzstanNo
EMEALatviaNo
EMEALebanonNo
EMEALesothoNo
EMEALiberiaNo
EMEALibyaNo
EMEALiechtensteinNo
EMEALithuaniaNo
EMEALuxembourgNo
EMEAMacedoniaNo
EMEAMadagascarNo
EMEAMalawiNo
EMEAMaliNo
EMEAMaltaNo
EMEAMauritaniaNo
EMEAMauritiusNo
EMEAMayotteNo
EMEAMoldovaNo
EMEAMonacoNo
EMEAMontenegroNo
EMEAMoroccoNo
EMEAMozambiqueNo
EMEANamibiaNo
EMEANetherlandsYes
EMEANigerNo
EMEANigeriaYes
EMEANorwayNo
EMEAOmanNo
EMEAPakistanNo
EMEAPolandYes
EMEAPortugalNo
EMEAQatarNo
EMEAReunionNo
EMEARomaniaNo
EMEARussian FederationNo
EMEARwandaNo
EMEASan MarinoNo
EMEASão Tomé and PríncipeNo
EMEASenegalNo
EMEASerbiaNo
EMEASeychellesNo
EMEASierra LeoneNo
EMEASlovakiaNo
EMEASloveniaNo
EMEASomaliaNo
EMEASouth SudanNo
EMEASudanNo
EMEASwazilandNo
EMEASwedenYes
EMEATajikistanNo
EMEATanzaniaNo
EMEATogoNo
EMEATunisiaNo
EMEATurkeyNo
EMEATurkmenistanNo
EMEAUgandaNo
EMEAUkraineNo
EMEAUzbekistanNo
EMEAYemenNo
EMEAZambiaNo
EMEAZimbabweNo

To enable localization zones:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under Localization Zones, click Edit.
    Localization Zones Configuration.png
  3. In the Edit Localization Zones window, click the toggle to enable or disable. If enabled, your users receive content based on their geographic location.
    Edit Localization Zones Configuration.png
  4. Click Save.

Identify HTTP Traffic on Non-Standard Port

Note

Contact Support to enable this feature in your account; additional licensing is required.

By default, Cloud Firewall (CFW) inspects all traffic on standard and non-standard ports, but web policies are applied only on standard web ports. The “Identify HTTP Traffic on Non-Standard Port” feature allows you to inspect all web traffic on standard and non-standard ports. When enabled, the Netskope service applies web policies to all web traffic, even on non-standard ports, without the need to configure custom ports.

Note

This feature decrypts SSL on non-standard ports for all traffic, so you must install the root CA certificate on non-web client apps that use SSL. Otherwise, you must configure Do-Not-Decrypt SSL policies rules for these apps. To learn more, see Add a Policy for SSL Decryption.

(Optional) Network Events, Application Events, and Page Events can be configured to log all identified HTTP traffic on standard and non-standard ports.To enable this option in your account, contact Support.

To enable identification for HTTP(s) traffic on non-standard ports:

  1. Go to Settings > Security Cloud Platform > Configuration.
  2. Under Identity HTTP Traffic on Non-Standard Port, click Edit.
  3. In the Edit Identify HTTP Traffic on Non-Standard Port window, click the toggle to enable or disable. If enabled, the Netskope service applies configured Real-time Protection policies for cloud app, web access, and firewall policies on all identified HTTP traffic on non-standard ports. That is, the same policy that applies to HTTP traffic on standard ports also applies to traffic on non-standard ports.
  4. Click Save.
Share this Doc

Security Cloud Platform Configuration

Or copy link

In this topic ...