Using Netskope Client
The end-user client provides the following options
- Services (Windows Only): Displays the Netskope services enabled at your endpoint. Services displays either one of the following or both options:
  - Internet Security
  - Private Access

  In Windows, you can find the services displayed in the tooltip when you hover your mouse over the Netskope Client icon in the toolbar.
- Enabling or Disabling: By default, the client is enabled for all AD users or devices. However, users can choose to disable the client by selecting the Disable Netskope Client option from the Netskope Client system tray icon.
- Private Access On/Off: You can allow users to enable or disable the Client for Private Apps Access. Select the option Allow disabling of Private Apps Access from Client Configuration to view this option in the Netskope Client system tray icon.
- Re-authenticate Private Access: Use the Re-authentication for Private Apps option to force a user to re-authenticate into the Netskope Client periodically, when the user's device restarts, or when the user logs out of the PC and logs back into the device. Contact Support to enable this functionality in your tenant.
- Configuration: During a troubleshooting scenario, users can click the Configuration option to view and share the following configuration details about the installed client:
  - Organization
  - Gateway (in FQDN format)
  - Gateway IP (IP address and POP name)
  - User Email (of the device user)
  - Client Configuration (name of the client configuration)
  - Steering Configuration (name of the steering configuration)
  - Device Classification (if the device is managed)
  - Tunnel Protocol
  - Private Access (status of private access)
  - Private Access Gateway
  - On-Premise check (displayed when dynamic steering is used)
  - Traffic Steering Type (all traffic, web traffic or cloud-app traffic)
  - Config Updated (date when the client configuration was last updated)
  - Configuration status

  Users can update the Client configuration if an update is available.
  See also: Netskope Client Command Reference for more options.
- Save Logs: Use this option to save client logs that can be shared with the support team for troubleshooting.
- Advanced Debugging: Use this option to allow the Client to collect detailed log files, such as kernel driver logs, inner packet captures, and external packet captures, without the need for third-party software.

  This option is visible only if the Enable advanced debug option is enabled in the client configuration. The logs collected by the Client depend on the log level selected for the debug option. Setting the log level to Debug may impact performance due to high disk operations. In Windows, the Reveal Logs option in the Advanced Debugging window displays:
  - %appdata%/netskope/stagent/logs folder if Protect Client configuration and resources is enabled in Client Configuration > Tamperproof.
  - %programData%/netskope/stagent/logs folder if Protect Client configuration and resources is disabled in Client Configuration > Tamperproof.

  The behavior is due to the access restriction on the %ProgramData% folder when Protect Client configuration and resources is enabled. This update is available only for Client versions from 113.0.0 onward; prior to 113.0.0, the option displayed the %PUBLIC%/netskope/log folder.
- Block Events: To view the list of blocked events, right-click the client icon and select View Blocked Events. The resulting pop-up window displays the list of access attempts made to any certificate-pinned apps that are configured as blocked by the admin. Use this option to view the list of blocked events relating to certificate-pinned apps. These are apps that are set to be blocked in the tenant.
Enabling or Disabling
Icon | Status | Description (Windows) | Description (Other OS) |
---|---|---|---|
(icon) | Enabled | The Client icon is in full color when either one of the following services or both are enabled: | The client is successfully connected to the Netskope Gateway and the client icon is in full color. |
(icon) | Disabled | The icon color denotes that all services are disabled and there is no Client Configuration download failure. Possible causes are: | The Netskope client has failed to download the required configuration. The client will continue to be in this state until the configuration is downloaded. Possible causes are: |
(icon) | Disabled due to error | The icon is grayed out with a red circle and an exclamation point. The tooltip displays the following when both services are disabled and one of the services is disabled due to an error: Possible causes are: | The Client is disabled and the icon is grayed out with an orange circle and an exclamation point. Possible causes are: |
(icon) | Disabled due to fail close | The icon is in red color when: Possible cause: Tunnel connection could not be established. | The Client is disabled and the icon is in red color. Possible causes: Tunnel connection could not be established. |
Client Service Status
The following table lists various client service statuses and their meaning. You can also query client status via the Get Client Data REST API.
Internet Security Service Status
This represents the status of the tunnel that forwards traffic to Cloud Apps, Proxy, and Firewall.
Event | Actor | Status | Meaning |
---|---|---|---|
Installed | System | Disabled | Via email invitation or a distribution tool (e.g., SCCM, Altiris, JAMF) |
Tunnel Up | System | Enabled | ‘Auto’ enabled just after install, upgrade or later |
Tunnel Down | System | Disabled | disabled – default startup state of client i.e. after installation/upgrade/restart |
Tunnel down due to secure forwarder | System | Disabled | ‘Auto’ disabled due to Netskope Secure Forwarder found |
Tunnel down due to GRE | System | Disabled | ‘Auto’ Disabled due to GRE |
Tunnel down due to IPSec | System | Disabled | ‘Auto’ Disabled due to IPSec |
Tunnel down due to Data Plane on-premises | System | Disabled | ‘Auto’ Disabled due to on-premises DP |
Tunnel down due to config error | System | Disabled | ‘Auto’ disabled due to config errors/missing config |
Tunnel down due to error in Modern Standby mode | System | Disabled | ‘Auto’ disabled due to device in modern standby mode (AOAC) |
Tunnel down due to error | System | Disabled | ‘Auto’ disabled due to (any other) error |
Change in network | System | Disabled | ‘Auto’ disabled due to change in network |
System shutdown | System | Disabled | ‘Auto’ disabled due to system restart/ power down |
System powerup | System | Disabled/Enabled | ‘Auto’ Tunnel status will be as per actual status |
Enrollment Token Error | System | Errored | Displayed when an invalid enrollment authentication token is used |
Enrolled | User | Disabled | Once the user enrolls using IdP mode through the Netskope Client webUI. |
User Disabled | User | Disabled | User disabled the client from the system tray |
User Enabled | User | Enabled | User enabled the client from the system tray |
Admin Disabled | Admin | Disabled | Tenant admin disabled the client from the system tray |
Admin Disabled (This event is available only for tenants with Dynamic Steering (Beta)) | Admin | Enabled | Tenant admin disabled the Client from the webUI. Whenever the admin selects the None steering option, the Netskope Client disables only traffic steering and sends an “Admin Disable” event to the Device info. |
Admin Enabled | Admin | Enabled | Tenant admin enabled the client from the webUI |
Uninstalled | System | Uninstalled | Uninstalled by end user, admin, SCCM admin etc |
Installation Failure | System | Disabled | Installation failed |
Uninstallation Failure | System | Disabled | Failed to uninstall the Client |
Upgrade Success | System | Disabled | Client upgraded successfully |
Upgrade Failure | System | Disabled | Client failed to upgrade |
Rollback Success | System | Enabled | Rolled back to client version ‘x’ |
Rollback Failure | System | Enabled | Failed to rollback to client version ‘x’ |
Device Posture Change | System | Enabled | Triggers when the device posture changes between managed, unmanaged, and unknown, to help you understand the events on your device. |
CA Installation Change | System | Disabled/Enabled | CA rotation is detected and new CAs are installed to the system store. When the CA rotation is detected (the new downloaded CA is different from the existing CA and the subject name is the same), Netskope Client posts the “CA Installation Change” event for cert rotation monitoring. |
CA Installation Failure | System | Enabled | CA installation failed. This event is posted when the first attempt fails. Consecutive installation failures are not posted onto the webUI until the CA installation succeeds. Once the CA installation succeeds, it resets the status. |
CA Installation Success | System | Enabled | Successful CA installation after the failed CA installation attempts. No CA Installation Success event is posted on the webUI when there are no failed attempts. |
– If the CA rotation is detected and CA installation in the system store fails, the Netskope Client falls back to the older CA and user cert.
Network Private Access Status
This represents the status of the tunnel that forwards private application traffic to Netskope.
Event | Actor | Status | Meaning |
---|---|---|---|
Disabled | System | Disabled | NPA is not available for the customer. NPA status code is 0. |
Disabled | System | Disabled | NPA is available for the tenant but the tunnel is not yet established. This should be a transient state. NPA status code is 0. |
Disabled | System | Disabled | NPA is available, but not enabled from the tenant UI. NPA status code is 0. |
Enabled | System | Enabled | NPA tunnel is connected. NPA status code is 2. |
Disabled | System | Disabled | User disables the NPA Client. NPA status code is 0. |
Disabled | System | Disabled | Admin disables the NPA Client from the tenant UI. NPA status code is 0. |
Errored | System | Disabled | NPA tunnel is disconnected due to error. NPA status code is 11. |
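The statuses in the two tables above can drive endpoint triage. The following is an added example, not Netskope code: it replays constructed event records per device and flags a user disable, a tunnel error, an auto-disable caused by another steering method, a CA installation that is still failing, or NPA status code 11. The record layout, device names and finding labels are assumptions and do not reflect the Get Client Data REST API schema.

```python
# Added example (not Netskope code). Event names and NPA status codes come from
# the tables above; the (ts, device, event, actor) record layout, device names
# and finding labels are constructed assumptions, not the REST API schema.
ALT_STEERING = {  # 'Auto' disabled due to secure forwarder, GRE, IPSec or on-premises DP
    "Tunnel down due to secure forwarder", "Tunnel down due to GRE",
    "Tunnel down due to IPSec", "Tunnel down due to Data Plane on-premises",
}
ERRORS = {
    "Tunnel down due to config error", "Tunnel down due to error",
    "Tunnel down due to error in Modern Standby mode", "Enrollment Token Error",
}
NPA_ERROR = 11  # NPA status codes on the page: 0 disabled, 2 connected, 11 error


def triage(events, npa_codes):
    """Return {device: sorted findings} for devices that need attention."""
    last, ca_failing = {}, {}
    for ts, device, event, actor in sorted(events):  # replay in time order
        if event == "CA Installation Failure":
            ca_failing[device] = True   # only the first failure is posted
        elif event == "CA Installation Success":
            ca_failing[device] = False  # success resets the failure state
        elif not event.startswith("CA Installation"):  # assumption: CA events kept apart
            last[device] = (event, actor)
    findings = {}
    for device in sorted(set(last) | set(ca_failing) | set(npa_codes)):
        event, actor = last.get(device, ("", ""))
        found = set()
        if event == "User Disabled" and actor == "User":
            found.add("user-disabled")
        elif event in ERRORS:
            found.add("tunnel-error")
        elif event in ALT_STEERING:
            found.add("auto-disabled-other-steering")
        if ca_failing.get(device):
            found.add("ca-install-failing")
        if npa_codes.get(device) == NPA_ERROR:
            found.add("npa-error")
        if found:
            findings[device] = sorted(found)
    return findings

SAMPLE_EVENTS = [  # constructed records, deliberately out of order
    (2, "lt-01", "User Disabled", "User"), (1, "lt-01", "Tunnel Up", "System"),
    (1, "lt-02", "CA Installation Failure", "System"), (2, "lt-02", "Tunnel Up", "System"),
    (1, "lt-03", "CA Installation Failure", "System"), (3, "lt-03", "CA Installation Success", "System"),
    (4, "lt-03", "Tunnel down due to GRE", "System"), (1, "lt-04", "Tunnel Up", "System"),
]
SAMPLE_NPA = {"lt-01": 2, "lt-04": 11}  # constructed NPA status codes
```

Because only the first CA installation failure is posted, a single failure event with no later success is treated as still failing.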
Endpoint DLP Status
If Endpoint DLP is enabled, you can click View Details to see Endpoint DLP Service Details.
There are two Endpoint DLP statuses:
- Config Status: The configuration state for the endpoint, which comes from the Client configurations applying to the endpoint. It displays Enabled or Disabled indicating if the endpoint should have Endpoint DLP enabled or not based on the Client configurations.
- Service Status: The reported status of the Endpoint DLP software on the endpoint. This is the same status displayed in the Services table above, which is reported by epdlp.exe (Windows) on the endpoint. You can see one of the following states:
  - Enabled: The service is running, communicating correctly, and working properly.
  - Disabled: The service is not running.
  - Paused: The service is paused by clicking Pause Service. This action lasts for 30 minutes.
  - Device Control Error/Device Control Disabled: The driver for USB Device Control is unable to load correctly. This status might appear for machines that are turned off.
  - System Reboot Required: The endpoint needs a reboot so the USB device control functions properly. This occurs when the system has a non-resettable USB controller and an Endpoint DLP upgrade occurs. The new driver can’t be loaded until the reboot occurs.