Using Netskope Client
The end-user client provides the following options. The menu layout differs slightly between macOS, Windows and Linux, and some options are available only on certain platforms, as noted for each option.
- Services (Windows and macOS only): Displays the Netskope services enabled at your endpoint. Services displays one or both of the following:
  - Internet Security
  - Private Access
  In Windows and macOS, the enabled services are also listed in the tooltip that appears when you hover the mouse over the Netskope Client icon in the toolbar.
- Enabling or Disabling Client Services: By default, the client is enabled for all AD users and devices. Users can nevertheless disable the client by selecting the Disable Netskope Client option from the Netskope Client system tray icon; on Windows and macOS the option is labelled Disable All Client Services.
  On Windows and macOS devices, if the administrator has configured a Master Password for the tenant, the end-user must enter the password shared by the IT administrator before the client services (Internet Security and Netskope Private Access (NPA)) can be disabled.
  To disable Netskope Client services using the Master Password:
  - Click Disable All Client Services.
  - A dialog box prompts for the master password shared by the IT administrator.
  - Enter the password.
  - Click Disable.
  - The Client UI displays the pop-up All Netskope Client Services are Disabled.
  If the end-user enters a wrong master password, the Client UI displays an error message instead.
  The steps for Disable All Client Services on macOS are the same. Netskope also provides the nsdiag command-line option to disable the client: nsdiag -t disable. After you run the command, it prompts for the master password shared by your IT administrator. With the correct password it prints Enable/disable client successful; with an incorrect password it prints Incorrect Password, Client cannot be disabled.
- Disable Internet Security: Use this option to disable Internet Security services on Windows. With this feature:
  - End-users can disable the Internet Security service for a specific task that requires it, without disabling the whole client.
  - The client does not have to be uninstalled: if enabled in the Client Configuration, the end-user can disable Internet Security using a one-time password (OTP).
  The end-user must contact their IT administrator to obtain the OTP. Once the OTP duration expires, the client re-enables Internet Security automatically, so the administrator does not have to intervene.
  To disable Internet Security services in Windows:
  - Click Disable Internet Security Services.
  - A dialog box prompts for the one-time password.
  - Enter the password.
  - Click Disable.
  - The Client UI displays a pop-up stating that Netskope Internet Security is disabled for the configured time (for example, 10 hours if that is the duration configured for the OTP).
  After Internet Security is disabled from the Netskope Client icon, both the Services section and the Netskope Client tooltip show Internet Security as disabled.
- Enable/Disable Private Access: You can allow users to enable or disable the client for Private Apps access. Select Allow disabling of Private Apps Access in the Client Configuration to show this option in the Netskope Client system tray menu.
- Re-authenticate Private Access: The Re-authentication for Private Apps option forces the Netskope Client to re-authenticate the user and resets the timer for the next periodic re-authentication. Contact Support to enable this functionality in your tenant.
  In Windows and macOS: if re-authentication is enabled with a Grace Period configured under Tunnel Settings in the Client Configuration UI, the Client UI displays the time remaining, in Hours:Minutes:Seconds, before Private Access disconnects unless the user re-authenticates.
  For example, in Windows, if you configure a Re-Authentication Interval of 24 hours and a Grace Period of 30 minutes in the Client Configuration, the Private Access section under Services on the Client UI displays a warning message counting down from 24:0:0. When the 24 hours have elapsed, the UI counts down the additional 30 minutes of grace period, and a Warning icon next to the text indicates that the re-authentication window is about to expire. Once the grace period expires, Private Access is disabled and an error message explains why.
- Configuration: During troubleshooting, the user can click Configuration to view and share the following details about the installed client:
  - Organization
  - Gateway (in FQDN format)
  - Gateway IP (IP address and POP name)
  - User Email (of the device user)
  - Client Configuration (name of the client configuration)
  - Steering Configuration (name of the steering configuration)
  - Device Classification (whether the device is managed)
  - Tunnel Protocol
  - Private Access (status of private access)
  - Private Access Gateway
  - On-Premise check (displayed when dynamic steering is used)
  - Traffic Steering Type (all traffic, web traffic or cloud-app traffic)
  - Config Updated (date when the client configuration was last updated)
  - Configuration status
  Users can update the client configuration from this window if an update is available.
  See also: Netskope Client Command Reference for more options.
- Save Logs: Use this option to save client logs that can be shared with the support team for troubleshooting.
- Advanced Debugging: Use this option to let the client collect detailed log files (kernel driver logs, inner packet capture, outer packet capture) without third-party software.
  This option is visible only if Enable advanced debug is enabled in the Client Configuration. The logs the client collects depend on the log level selected for the debug option. Setting the log level to Debug may impact performance because of the high volume of disk writes.
  - Packet Capture: Captures packets for later debugging. Two captures are available:
    - Inner packet capture: the traffic inside the tunnel to the Netskope data center, i.e. the packets the client steers. Captured packets are stored in the file nspktdump.pcap on the local device.
    - Outer packet capture: the traffic as seen on the physical network interface.
    The following table lists the capture files available in the Netskope Client log bundle:
Operating System | Filename |
---|---|
Windows | nspktdump.pcap (only after starting the inner packet capture); nsouterpktdump.etl (only after starting the outer packet capture) |
macOS | nspktdump.pcap (only after starting the inner packet capture); nsouterpktdump.pcap (only after starting the outer packet capture) |
Linux | nspktdump.pcap (only after starting the inner packet capture); nsouterpktdump.pcap (only after starting the outer packet capture) |
    Steps to perform inner and outer packet captures:
    - Click the Netskope Client icon in the system tray and choose Advanced Debugging. This displays the Advanced Debugging window.
    - Click the Packet Capture tab.
    - Click the Start buttons for Inner Packet Capture and Outer Packet Capture. The buttons change to Stop, with an In Progress status displayed below.
    - Reproduce the issue, then click the Stop buttons for Inner Packet Capture and Outer Packet Capture. Wait until both captures have stopped before collecting the Client log bundle.
    Packet capture is meant for reproducing an issue and collecting the network packets involved. Running a capture for a long period can fill the disk. You can limit the outer packet capture to a maximum of 99 MB in the Size text box, but the inner packet capture grows without limit until you stop it. Stopping and restarting a capture overwrites the previously captured file rather than appending to it.
- Log management: Log Management helps end-users gather better insight for troubleshooting and monitoring.
  - Set Log Level: Set the log level to filter logs by severity. The default log level is Info; the Netskope Client uses the log level received from the webUI. Select one of the following in Set Log Level:
    - Dump
    - Debug
    - Info
    - Warning
    - Error
    - Critical
    The Dump level generates far more log output. The Netskope Client keeps two log files of fixed size (10 MB each) for rotation, so the Dump level speeds up rotation and can cause useful earlier entries to be overwritten. By default the log files are stored in the following locations:
    - Windows devices: %ProgramData%/Netskope/stagent/Logs/nsdebug.log
    - macOS devices: /Library/Logs/Netskope/nsdebug.log
    - Linux devices: /opt/netskope/stagent/logs/nsdebug.log
    - Android: In the Netskope Client app, tap the three dots, select Send Logs, and save the logs to the desired location.
    - iOS devices: Users cannot read Netskope logs on iOS devices, but they can download the Netskope logs zip file and share it through AirDrop or email.
  - Save Driver Logs: After you set the log level, click Start and Stop to collect the driver logs.
  - Reveal Logs: Click Reveal Logs to open the folder containing the downloaded logs on your local device.
    In Windows, the Reveal Logs option in the Advanced Debugging window opens:
    - the %APPDATA%/netskope/stagent/logs folder if Protect Client configuration and resources is enabled in Client Configuration > Tamperproof;
    - the %ProgramData%/netskope/stagent/logs folder if Protect Client configuration and resources is disabled in Client Configuration > Tamperproof.
    The difference is due to the access restriction on the %ProgramData% folder when Protect Client configuration and resources is enabled. This behaviour applies to Client versions from 113.0.0 onward; before 113.0.0, Reveal Logs opened the %PUBLIC%/netskope/log folder.
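The path rules above are easy to get wrong in a log-collection script, because the folder Reveal Logs opens depends on the OS, the client version and the Tamperproof setting. The following Python code, added here as an example and not part of Netskope's software or documentation, encodes those rules together with the capture file names from the packet capture table. It assumes, which the page does not state, that the capture files are written to the same directory as nsdebug.log; the function names and the fake environment used in the test are the example's own.

```python
"""Locate Netskope Client log and packet-capture artifacts on a host.

Added example, not Netskope code. Rules taken from this page:
  Windows  Reveal Logs opens %APPDATA%/netskope/stagent/logs when Tamperproof
           "Protect Client configuration and resources" is on and
           %ProgramData%/Netskope/stagent/Logs when it is off (client >= 113.0.0);
           clients before 113.0.0 opened %PUBLIC%/netskope/log.
  macOS    /Library/Logs/Netskope
  Linux    /opt/netskope/stagent/logs
Assumption (not stated on the page): nspktdump.pcap and nsouterpktdump.{etl,pcap}
are written to the same directory as nsdebug.log.
"""
from __future__ import annotations

import ntpath
import os
import posixpath

# Capture file names per OS, from the log-bundle table on this page.
CAPTURE_FILES = {
    "windows": {"inner": "nspktdump.pcap", "outer": "nsouterpktdump.etl"},
    "macos": {"inner": "nspktdump.pcap", "outer": "nsouterpktdump.pcap"},
    "linux": {"inner": "nspktdump.pcap", "outer": "nsouterpktdump.pcap"},
}

# First client version whose Reveal Logs honours the Tamperproof setting.
TAMPERPROOF_REVEAL_VERSION = (113, 0, 0)


def parse_version(version: str) -> tuple[int, ...]:
    """'113.0.0' -> (113, 0, 0). A trailing build number such as '113.0.0.1234'
    becomes an extra component; tuple comparison still orders versions correctly."""
    parts: list[int] = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable client version: {version!r}")
    return tuple(parts)


def reveal_logs_dir(os_name: str, client_version: str = "113.0.0",
                    tamperproof: bool = False,
                    env: dict[str, str] | None = None) -> str:
    """Directory that the client's Reveal Logs button opens on this host."""
    os_name = os_name.lower()
    if os_name == "macos":
        return "/Library/Logs/Netskope"
    if os_name == "linux":
        return "/opt/netskope/stagent/logs"
    if os_name != "windows":
        raise ValueError(f"unsupported OS: {os_name!r}")
    env = dict(os.environ) if env is None else env
    if parse_version(client_version) < TAMPERPROOF_REVEAL_VERSION:
        # Pre-113 clients pointed Reveal Logs at the Public profile.
        return ntpath.join(env.get("PUBLIC", r"C:\Users\Public"), "netskope", "log")
    if tamperproof:
        # %ProgramData% is access-restricted while Tamperproof protection is on,
        # so the client exposes the logs under the per-user profile instead.
        if "APPDATA" not in env:
            raise KeyError("APPDATA is required to resolve the per-user log folder")
        return ntpath.join(env["APPDATA"], "netskope", "stagent", "logs")
    return ntpath.join(env.get("ProgramData", r"C:\ProgramData"),
                       "Netskope", "stagent", "Logs")


def bundle_paths(os_name: str, client_version: str = "113.0.0",
                 tamperproof: bool = False,
                 env: dict[str, str] | None = None) -> dict[str, str]:
    """Full paths of the debug log and both capture files. Capture files exist
    only after the corresponding capture has been started at least once."""
    folder = reveal_logs_dir(os_name, client_version, tamperproof, env)
    join = ntpath.join if os_name.lower() == "windows" else posixpath.join
    names = CAPTURE_FILES[os_name.lower()]
    return {
        "debug log": join(folder, "nsdebug.log"),
        "inner packet capture": join(folder, names["inner"]),
        "outer packet capture": join(folder, names["outer"]),
    }


def missing_artifacts(paths: dict[str, str], exists=os.path.exists) -> list[str]:
    """Names of bundle entries not present on disk. `exists` is injectable so
    the check can run against a fake filesystem, as the test does."""
    return sorted(name for name, path in paths.items() if not exists(path))


if __name__ == "__main__":
    for name in CAPTURE_FILES:
        print(name, bundle_paths(name, env={"APPDATA": r"C:\Users\me\AppData\Roaming"}))
```

A collector that only checks %ProgramData% will silently report "no logs" on a Tamperproof-protected 113+ client; resolving the folder from version and setting first avoids that, and `missing_artifacts` makes it explicit that an absent capture file just means the capture was never started.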
  - Speed Test: Use this option to test upload and download speed. Click Start to initiate the test.
- Block Events: To view the list of blocked events, right-click the client icon and select View Blocked Events. The pop-up window lists access attempts to certificate-pinned apps that the admin has configured to be blocked in the tenant.
Enabling or Disabling
The following table describes the Netskope Client status icons displayed on the user interface, according to the operating system you use.
Netskope Client Icon Status For Platforms Except Windows and macOS
Icon | Status | Description |
---|---|---|
 | Enabled | The client is successfully connected to the Netskope Gateway and the client icon is in full colour. |
 | Disabled | The Netskope Client has failed to download the required configuration and stays in this state until the configuration is downloaded. Possible causes are: |
 | Disabled due to error | The client is disabled and the icon is greyed out with an orange circle and an exclamation point. Possible causes are: |
 | Disabled due to fail close | The client is disabled and the icon is red. Possible cause: the tunnel connection could not be established. |
Netskope Client Icon Status For Windows and macOS
Client Service Status
The following table lists various client service statuses and their meaning. You can also query client status via the Get Client Data REST API.
Internet Security Service Status
This represents the status of the tunnel that forwards traffic to Cloud Apps, Proxy, and Firewall.
Event | Actor | Status | Meaning |
---|---|---|---|
Installed | System | Disabled | Installed via email invitation or a distribution tool (SCCM, Altiris, JAMF, etc.) |
Tunnel Up | System | Enabled | ‘Auto’ enabled just after install, upgrade or later |
Tunnel Down | System | Disabled | Default startup state of the client, i.e. after installation, upgrade or restart |
Tunnel down due to secure forwarder | System | Backed Off | ‘Auto’ disabled due to Netskope Secure Forwarder found |
Tunnel down due to GRE | System | Backed Off | ‘Auto’ Disabled due to GRE |
Tunnel down due to IPSec | System | Backed Off | ‘Auto’ Disabled due to IPSec |
Tunnel down due to Data Plane on-premises | System | Backed Off | ‘Auto’ Disabled due to on-premises DP |
Tunnel down due to config error | System | Errored | ‘Auto’ disabled due to config errors/missing config |
Tunnel down due to error in Modern Standby mode | System | Disabled | ‘Auto’ disabled because the device is in Modern Standby mode (AOAC) |
Tunnel down due to error | System | Disabled | ‘Auto’ disabled due to (any other) error |
Change in network | System | Disabled | ‘Auto’ disabled due to change in network |
System shutdown | System | Disabled | ‘Auto’ disabled due to system restart/ power down |
System powerup | System | Disabled/Enabled | ‘Auto’ Tunnel status will be as per actual status |
Enrollment Token Error | System | Errored | Displayed when an invalid enrollment authentication token is used |
Enrolled | User | Disabled | Posted once the user enrolls using IdP mode through the Netskope Client UI |
User Disabled | User | Disabled | User disabled the client from the system tray |
User Enabled | User | Enabled | User enabled the client from the system tray |
Admin Disabled | Admin | Disabled | Tenant admin disabled the client from the system tray |
Admin Disabled (This event is available only for tenants with Dynamic Steering) | Admin | Backed Off | Tenant admin disabled the Client from the webUI. Whenever the admin selects None steering option, the Netskope Client disables only traffic steering and sends “Admin Disabled” event to the Device info. |
Admin Enabled | Admin | Enabled | Tenant admin enabled the client from the webUI |
Uninstalled | System | Uninstalled | Uninstalled by end user, admin, SCCM admin etc |
Installation Failure | System | Disabled | Installation failed |
Uninstallation Failure | System | Disabled | Failed to uninstall the client |
Upgrade Success | System | Disabled | Client upgraded successfully |
Upgrade Failure | System | Disabled | Client failed to upgrade |
Rollback Success | System | Enabled | Rolled back to client version ‘x’ |
Rollback Failure | System | Enabled | Failed to rollback to client version ‘x’ |
Device Posture Change | System | Managed | Whenever the Client is in compliance with the device classification rules configured for an OS platform, the Managed status is displayed in the Device Posture Change event. |
Device Posture Change | System | Unmanaged | Whenever the Client is not in compliance with the device classification rules configured for an OS platform, the Unmanaged status is displayed in the Device Posture Change event. |
Device Posture Change | System | Unknown | The Client sends Unknown status before the Client downloads the device classification rules. |
CA Installation Change | System | Disabled/Enabled | CA rotation is detected and new CAs are installed to the system store. When the CA rotation is detected (the new downloaded CA is different from the existing CA and the subject name is the same), Netskope Client posts the “CA Installation Change” event for cert rotation monitoring. |
CA Installation Failure | System | Enabled | CA installation failed. This event is posted when the first attempt fails. Consecutive installation failures are not posted onto the webUI until the CA installation succeeds. Once the CA installation succeeds, it resets the status. |
CA Installation Success | System | Enabled | Successful CA installation after the failed CA installation attempts. No CA Installation Success event is posted on the webUI when there are no failed attempts. |
Note: If CA rotation is detected but installation of the new CA in the system store fails, the Netskope Client falls back to the older CA and user certificate.
Network Private Access Status
This represents the status of the tunnel that forwards private application traffic to Netskope.
Event | Actor | Status | Meaning |
---|---|---|---|
Disabled | System | Disabled | NPA is not available for the customer. NPA status code is 0. |
Disabled | System | Disabled | NPA is available for the tenant but the tunnel is not yet established. This should be a transient state. NPA status code is 0. |
Disabled | System | Disabled | NPA is available, but not enabled from the tenant UI. NPA status code is 0. |
Enabled | System | Enabled | NPA tunnel is connected. NPA status code is 2. |
Disabled | System | Disabled | User disables the NPA Client. NPA status code is 0. |
Disabled | System | Disabled | Admin disables the NPA Client from the tenant UI. NPA status code is 0. |
Errored | System | Disabled | NPA tunnel is disconnected due to error. NPA status code is 11. |
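For monitoring, the two status tables above are mostly useful once reduced to a question: is this device's traffic still being steered, and if not, who turned it off? The following Python code, an added example and not Netskope code, applies the event/actor/status semantics of both tables to a constructed list of per-device events (the record shape is the example's own and is not the Get Client Data API response format) and flags the devices a SOC should look at: user-disabled clients, errored tunnels including NPA status code 11, and clients that have sat in a system-side Disabled state for longer than a network change or reboot should take.

```python
"""Triage Netskope Client service-status events into 'who turned steering off?'.

Added example, not Netskope code. The event/actor/status vocabulary comes from the
Internet Security and Private Access status tables on this page; the record shape
below is constructed for the example and is not the Get Client Data API format.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# NPA status codes from the Private Access table: 0 disabled, 2 connected, 11 error.
NPA_STATUS_CODES = {0: "Disabled", 2: "Enabled", 11: "Errored"}

# Categories a SOC should act on; the rest are expected or self-healing states.
ATTENTION = {"user_disabled", "errored", "stale_disabled", "uninstalled"}

# How long a system-side 'Disabled' may persist before it stops looking transient.
DEFAULT_STALE_AFTER = timedelta(hours=1)

NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

# Constructed sample: a morning of events for five laptops.
SAMPLE_EVENTS = [
    {"device": "LT-0001", "service": "Internet Security", "event": "Tunnel Up",
     "actor": "System", "status": "Enabled", "ts": "2024-05-01T08:00:00Z"},
    {"device": "LT-0001", "service": "Private Access", "event": "Enabled",
     "actor": "System", "npa_status_code": 2, "ts": "2024-05-01T08:00:05Z"},
    {"device": "LT-0002", "service": "Internet Security", "event": "Tunnel Up",
     "actor": "System", "status": "Enabled", "ts": "2024-05-01T08:00:00Z"},
    {"device": "LT-0002", "service": "Internet Security", "event": "User Disabled",
     "actor": "User", "status": "Disabled", "ts": "2024-05-01T09:30:00Z"},
    {"device": "LT-0003", "service": "Internet Security", "event": "Tunnel down due to GRE",
     "actor": "System", "status": "Backed Off", "ts": "2024-05-01T08:10:00Z"},
    {"device": "LT-0004", "service": "Internet Security", "event": "Change in network",
     "actor": "System", "status": "Disabled", "ts": "2024-05-01T07:00:00Z"},
    {"device": "LT-0004", "service": "Private Access", "event": "Errored",
     "actor": "System", "npa_status_code": 11, "ts": "2024-05-01T07:00:02Z"},
    {"device": "LT-0005", "service": "Internet Security", "event": "Admin Disabled",
     "actor": "Admin", "status": "Backed Off", "ts": "2024-05-01T08:30:00Z"},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def effective_status(event: dict) -> str:
    """Internet Security events carry a status string; NPA events carry a code."""
    if "status" in event:
        return event["status"]
    return NPA_STATUS_CODES.get(event.get("npa_status_code"), "Unknown")


def classify(event: dict, now: datetime,
             stale_after: timedelta = DEFAULT_STALE_AFTER) -> str:
    status = effective_status(event)
    actor = event.get("actor", "System")
    if status == "Enabled":
        return "protected"
    if status == "Uninstalled":
        return "uninstalled"
    if status == "Errored":          # config error, bad enrollment token, NPA code 11
        return "errored"
    if actor == "User":              # tray disable via master password / OTP flows
        return "user_disabled"
    if actor == "Admin":             # tenant-side decision, not an endpoint problem
        return "admin_disabled"
    if status == "Backed Off":       # GRE/IPsec/Secure Forwarder/on-prem DP in use
        return "backed_off"
    if status == "Disabled":
        # System-side Disabled is normal right after a network change, reboot or
        # Modern Standby, but should not persist; long-lived ones become findings.
        age = now - _ts(event["ts"])
        return "stale_disabled" if age > stale_after else "transient"
    return "unknown"                 # e.g. the 'Disabled/Enabled' placeholder rows


def latest_events(events: list[dict]) -> dict[tuple[str, str], dict]:
    """Most recent event per (device, service), regardless of input order."""
    latest: dict[tuple[str, str], dict] = {}
    for event in events:
        key = (event["device"], event["service"])
        if key not in latest or _ts(event["ts"]) > _ts(latest[key]["ts"]):
            latest[key] = event
    return latest


def triage(events: list[dict], now: datetime,
           stale_after: timedelta = DEFAULT_STALE_AFTER) -> dict[tuple[str, str], str]:
    return {key: classify(ev, now, stale_after)
            for key, ev in latest_events(events).items()}


def needs_attention(events: list[dict], now: datetime,
                    stale_after: timedelta = DEFAULT_STALE_AFTER) -> list[tuple[str, str, str]]:
    """(device, service, category) triples worth a ticket, sorted for stable output."""
    return sorted((device, service, category)
                  for (device, service), category in triage(events, now, stale_after).items()
                  if category in ATTENTION)


if __name__ == "__main__":
    for device, service, category in needs_attention(SAMPLE_EVENTS, NOW):
        print(f"{device:8} {service:18} {category}")
```

Two caveats follow directly from the tables. Backed Off is not a finding by itself: it means another steering path (GRE, IPsec, Secure Forwarder or an on-premises data plane) took over, which is only a problem if the device is somewhere such a path should not exist. And the Private Access table records every event with actor System, so a user who disables NPA does not produce a user_disabled finding; it surfaces as stale_disabled only after the tunnel has stayed down longer than `stale_after`.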
Endpoint DLP Status
If Endpoint DLP is enabled, you can click View Details to see the Endpoint DLP Service Details.
There are two Endpoint DLP statuses:
- Config Status: The configuration state for the endpoint, derived from the Client configurations that apply to it. It displays Enabled or Disabled, indicating whether the endpoint should have Endpoint DLP enabled according to those Client configurations.
- Service Status: The status reported by the Endpoint DLP software on the endpoint (epdlp.exe on Windows). This is the same status displayed in the Services table above. One of the following states is shown:
  - Enabled: The service is running, communicating correctly and working properly.
  - Disabled: The service is not running.
  - Paused: The service was paused by clicking Pause Service. The pause lasts 30 minutes.
  - Device Control Error/Device Control Disabled: The driver for USB Device Control is unable to load correctly. This status might also appear for machines that are turned off.
  - System Reboot Required: The endpoint needs a reboot before USB Device Control works properly. This occurs when the system has a non-resettable USB controller and an Endpoint DLP upgrade occurs; the new driver cannot be loaded until the reboot.