Skip to main content

Netskope Help

System Requirements

This section describes the system resources and software requirements required for Netskope CE installation. Please note that an installation using Amazon ECS is slightly different. For more information, refer to the Install Netskope Cloud Exchange with AWS ECS Fargate.

Netskope Cloud Exchange uses a setup script to verify that the host system is ready to run the Cloud Exchange platform. In addition to compute and storage size, permissions, and some software versioning on the host, Cloud Exchange needs access to GitHub, Docker Hub, a Netskope tenant, AWS, and other 3rd-party platforms you want to integrate. Evaluate your system readiness to help the setup complete successfully.

For Cloud Exchange containers on the same host to communicate with the RabbitMQ container, ensure that the host has port 15672 open for sessions originated from the same host.

  • 4 CPUs

  • 4 GB of Memory

  • 40 GB of Free Storage (recommend you provision at least 40GB of host storage). Refer to System Sizing Recommendations.

  • Ubuntu 20.04 LTS, CentOS 8, or Red Hat Enterprise Linux 7.9 and 8.0 (the only ones Netskope continuously qualifies)

  • Refer to System Sizing Recommendations for sizing requirements for different deployments.

The Netskope CE platform needs access to GitHub, Docker Hub, a Netskope tenant, partner's platforms, and the other 3rd-party platforms that you wish to integrate with. Do evaluate network configurations, like HTTP Proxy setup, Firewall rules, etc., to ensure the connectivity is available.

Here is the list of Public URLs that CE needs. While the setup script will check for all of these, it will not successfully complete installing CE unless these requirements are met. Firewalls, web proxies, gateways, and routers must be configured to allow CE to communicate with multiple services as described below.

For fetching third party plugins, confirm the system has access to:

  • https://github.com

For fetching alerts and events from Netskope tenant, confirm the system has access to:

  • https://*.goskope.com

Note

If conditional access is enabled with vendors or SaaS apps for Netskope solutions or need to SSL Allowlist by IP instead of domains, your systems will need to ensure reachability to this list of Netskope consolidated IP addresses (for tenant access from Cloud Exchange in case firewall does not support FQDN based rules). Subscribe to this link by clicking “Follow” icon on this page: https://support.netskope.com/s/article/NewEdge-Point-of-Presence-Data-Plane-and-Management-Plane-Global-Edge-Expansion-Status-and-IP-Range

For pulling docker images from Docker Hub (connectivity to additional hosts may be required since the docker images will be behind a CDN), confirm the system has access to:

  • https://hub.docker.com

  • https://auth.docker.io

  • https://registry-1.docker.io

  • https://index.docker.io/

  • https://dseasb33srnrn.cloudfront.net/

  • https://production.cloudflare.docker.com/

If you are behind an HTTP or HTTPS proxy server, for example in corporate settings, you need to add the proxy configuration in the Docker systemd service file. Refer https://docs.docker.com/config/daemon/systemd/#httphttps-proxy for details.

Refer to Required Network Connectivity for 3rd-Party Plugins for additional network connectivity requirements based on the plugins.

For extracting web transaction event streaming logs, confirm connectivity to us-west1-pubsublite.googleapis.com (for US customers) and europe-west3-pubsublite.googleapis.com (for EU customers). Alternatively, ensure Cloud Exchange can access *.googleapis.com (wildcard).

For CE usage reporting, confirm connectivity to reporting.netskope.tech.

For connectivity to Cloud Exchange, ensure that the administrator can access the command line interface for Cloud Exchange via SSH (port 22)

For browser and API-based connectivity to Cloud Exchange, ensure users have access to Cloud Exchange via port 80 or 443 (by default) or via any alternative, non-standard port (recommended) configured during the setup.

The user running the setup script should have at least the following permissions:

  • Either the user should be part of the docker group or should have permissions to run docker commands. (Ignore for installations on RHEL OS)

  • You need to have sudo permissions.

Below are the prerequisites required for setting up Cloud Exchange on Linux distributions other than Red Hat.

  • Linux System capable of supporting http://docker.io release of docker and docker-compose.

  • docker (minimum version 19.0.0): Refer to https://docs.docker.com/engine/install/#server for installation instructions. Verify the versions with this command. Setup script will confirm.

    $ docker version

  • docker-compose (minimum version 1.29.0): Refer to https://docs.docker.com/compose/install/other/#install-compose-standalone for installation instructions. Verify the version with this command. Setup script will confirm.

    $ docker-compose version

  • Python 3 (for the setup script): Refer to https://wiki.python.org/moin/BeginnersGuide/Download for installation instructions. Execute this command to ensure you have the 3.x version of python installed. Setup script will confirm.

    $ python3 --version

  • Zip (For the diagnose script): Execute this command to verify if the command is available. If available, the command execution will output the path where zip commands are available.

    $ which zip

  • Git: Refer to https://git-scm.com/download/linux for installation instructions. Execute this command to verify it is available.

    $ which git

Podman is a prerequisite to installing the Cloud Exchange platform on Red Hat Enterprise Linux (RHEL). Ensure these commands are available:

  • Zip (For the diagnose script): Execute this command to verify that the command is available. If available, the command execution will output the path where zip commands are available.

    $ which zip

  • Git: Refer https://git-scm.com/download/linux for installation instructions. Execute the command mentioned below to verify that the command is available.

    $ which git

This section provides recommendations and guidance for selecting the memory/storage/CPU based on the expected volume. Factors include:

  • Total number of Indicators expected to be stored in the database. This factor defines the storage requirements.

  • Netskope Cloud Exchange has a “worker-based” scheduling mechanism to cater to the data pull/push for multiple data sources. The number of workers determines how many data sources will be actively fetching data/sharing data concurrently. The total number of worker processes should be equal to the number of cores. If the expectation is to fetch data frequently with multiple data sources, consider increasing the number of cores.

The tables below provides recommendations for standard deployments:

Host Size

RAM (GBs)

Number of Cores

AWS Equivalent

EPM

Total Recommended Free Storage allocated to Cloud Exchange

Recommended Maximum Available Plugin Credits

Extra Small

4

4

C6AXL

20k

40

3

Small

8

6

C62XL

50k

40

5

Medium

16

8

C62XL

100k

80

10

Large

32

16

C64XL

200k

120

20

Credits Used

Plugin

3

Log Shipper

1

Ticket Orchestrator

3

Threat Exchange

2

User Risk Exchange

2

Application Risk Exchange

6

WebTx

Above Average Load Design Assumptions (Your numbers may differ)

Dimension

Modeled Load

Events Per Minute

.75 EPM/user

WebTx

Average 4 KB each. Compressed 7:1 in W3C format.

Event/Alert

Average 2 KB each

Assumed user load from events/alert logs

1 MB/user/day event/alert logs

Assumed user load from event streaming logs

4 MB/user/day WebTx (compressed) or 28MB/user/day WebTx (uncompressed)

Assumed user load from cloud firewall logs

14 MB/user/day Cloud Firewall logs