NSK101 Netskope Certified Cloud Security Administrator (NCCSA) Questions and Answers

The Cloud Confidence Index (CCI) page in Netskope provides various metrics and information about an application. Among these, the two relevant pieces of information displayed are:

Top users by sessions: This metric provides insights into which users are most active within the application, giving a view of user engagement and activity levels.

GDPR readiness: This metric indicates how well the application complies with GDPR regulations, providing a readiness score or status based on the app's handling of personal data.

These metrics help administrators and security professionals to evaluate the usage and compliance status of cloud applications.

References:

Using the REST API v2 UCI Impact Endpoints​​.

Netskope Knowledge Portal: Dataexport Iterator Endpoints​​.

In this scenario, there are three probable causes for the issue of users not being able to access external websites from their browsers after attempting to steer traffic to Netskope using GRE tunnels. One cause is that the configured GRE peer in the Netskope platform is incorrect, which means that the Netskope POP that is supposed to receive the GRE traffic from the customer’s network is not matching the IP address of the customer’s router that is sending the GRE traffic. This will result in a failure to establish a GRE tunnel between the customer and Netskope. Another cause is that the corporate firewall might be blocking GRE traffic, which means that the firewall rules are not allowing the GRE protocol (IP protocol number 47) or the UDP port 4789 (for VXLAN encapsulation) to pass through. This will result in a failure to send or receive GRE packets between the customer and Netskope. A third cause is that the route map was applied to the wrong router interface, which means that the configuration that specifies which traffic should be steered to Netskope using GRE tunnels was not applied to the correct interface on the customer’s router. This will result in a failure to steer the desired traffic to Netskope. The pre-shared key for the GRE tunnel is incorrect is not a probable cause for this issue, as GRE tunnels do not use pre-shared keys for authentication or encryption. Netskope does support GRE tunnels, so this is not a cause for this issue either. References: [Netskope Secure Forwarder], Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 3: Steering Configuration, Lesson 3: Secure Forwarder.

NewEdge is Netskope's security private cloud, offering high-performance, low-latency access to the internet and cloud services. For a customer concerned about performance, especially with respect to Microsoft 365, NewEdge provides significant benefits:

Direct Peering with Microsoft: NewEdge establishes direct peering connections with Microsoft in every data center. This ensures optimal routing and performance for Microsoft 365 services, which is crucial for customers with a global, mobile workforce​​​​.

Unified Global Network: NewEdge delivers a single, unified network with all security services available in all locations worldwide. This ensures consistent security policies and performance regardless of where users are located, providing seamless access and reducing latency​​​​.

To deploy Netskope’s zero trust network access (ZTNA) solution, NPA, you need to enable Steer all Private Apps in your existing steering configuration(s) from the admin console. This will allow you to create private app profiles and assign them to your applications. NPA will then provide secure and granular access to your applications without exposing them to the internet or requiring VPNs. References: [Netskope Private Access (NPA) Deployment Guide]

When accessing an encrypted website (HTTPS), a "certificate not trusted" message in the browser usually occurs because the certificate presented by the website is not issued by a trusted Certificate Authority (CA). A common scenario for this is when a self-signed certificate is installed on the server. Self-signed certificates are not signed by a CA that is recognized by the browser, so the browser cannot verify the authenticity of the certificate, leading to the "certificate not trusted" message.

References:

"If the SSL certificate is self-signed, the browser will not trust the certificate because it has not been issued by a trusted CA."​​​​.

The CCI scoring is a way to measure the security posture of cloud applications based on a set of criteria and weights. The default objective score is calculated by Netskope using industry best practices and standards. However, customers can change the CCI scoring to suit their own business needs and risk appetite. For example, a customer may want to place a higher business risk weight on vendors that claim ownership of their data, as this may affect their data sovereignty and privacy rights. Changing the CCI scoring for this reason would be valid, as it reflects the customer’s own security requirements and preferences. Changing the CCI scoring for other reasons, such as discovering a new SaaS application, punishing an application vendor, or using an application under research, would not be valid, as they do not align with the purpose and methodology of the CCI scoring. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 7: Cloud Confidence Index (CCI), Lesson 1: CCI Overview and Lesson 2: CCI Scoring.

Add the specific IP addresses on the IP Allow List (A):To restrict access to the Netskope Admin UI to specific IP addresses, administrators need to add these IP addresses to the IP Allow List. This ensures that only connections from these specified IP addresses are allowed access to the Admin UI. This configuration is crucial for enhancing security by limiting access to trusted IP addresses only.

Enable and set the User Notification Template to display the custom message (D):To display a custom message to admin users after they have authenticated, administrators need to enable and configure the User Notification Template. This template allows the customization of messages that are shown to users, including after login. This feature is useful for displaying privacy notices, welcome messages, or other important information to users upon successful authentication.

These steps are verified based on the configuration options available within the Netskope Admin UI settings. For more detailed steps and configuration, you can refer to the respective sections in the Netskope documentation.

When reviewing files affected by malware in the Netskope UI under Incidents -> Malware, you have the following options:

Identify the exposure of the file identified as malware: This allows you to see where the malware has spread within the organization, which users or systems are affected, and any potential data exposure resulting from the malware.

Determine the Detection Engine used to identify the malware: Netskope provides details on which detection engine (such as AV, sandboxing, or other heuristic engines) identified the malware. This helps in understanding the threat vector and the reliability of the detection.

Downloading the original malware file (option A) is generally not recommended for security reasons and may not be supported directly from the Netskope UI. Remediation of compromised devices (option C) would typically be handled through endpoint security solutions rather than directly from the Netskope UI.

References:

Netskope documentation on malware detection and incident response.

Best practices for handling malware incidents and using the Netskope UI for threat analysis.

=================

A Netskope Virtual Appliance is a software-based appliance that can be deployed on-premises or in the cloud to provide various functions and features for the Netskope Security Cloud platform. One use for deploying a Netskope Virtual Appliance is as an endpoint for Netskope Private Access (NPA), which is a service that allows users to securely access private applications without exposing them to the internet or using VPNs. Another use for deploying a Netskope Virtual Appliance is as a Secure Forwarder to steer traffic from on-premises devices or networks to the Netskope platform for inspection and policy enforcement. Using a Netskope Virtual Appliance as a local reverse-proxy to secure a SaaS application or as a log parser to discover in-use cloud applications are not valid uses, as these functions are performed by other components of the Netskope Security Cloud platform, such as the Cloud Access Security Broker (CASB) or the Cloud XD engine. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 2: Architecture Overview; [Netskope Private Access]; [Netskope Secure Forwarder].

 AD Connector:

The AD Connector is used to integrate your Netskope tenant with Active Directory (AD) to provision and synchronize user accounts.

It ensures that user information in Netskope is always up-to-date by periodically synchronizing with AD.

To set up the AD Connector:

Navigate to Settings > Tools > Directory Importer.

Configure the AD Connector with your AD details.

Set the synchronization schedule.

This method is commonly used in enterprise environments where AD is the primary user directory.

 SCIM (System for Cross-domain Identity Management):

SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems.

Netskope supports SCIM for provisioning users from identity providers like Okta, Azure AD, and others.

To configure SCIM:

Go to Settings > Tools > SCIM.

Follow the instructions to set up SCIM with your identity provider.

SCIM is beneficial for environments using modern identity management solutions.

 References:

For detailed configuration steps and additional information, refer to the Netskope documentation on provisioning users using the AD Connector and SCIM​​​​.

Creating a policy group as a logical collection of Real-time Protection policies provides several benefits:

To split up policies by region or business unit: This allows for more granular control and management of policies based on organizational structure. Each region or business unit can have its own set of policies tailored to its specific needs and compliance requirements.

To simplify workflow, allowing exact access to a specific set of policies: Policy groups help streamline the management process by grouping related policies together. This simplifies the workflow for administrators by providing them with access to only the relevant policies they need to manage, reducing complexity and potential for errors.

References:

Netskope documentation on creating and managing policy groups.

Best practices for organizing policies to enhance manageability and operational efficiency.

=================

To obtain and export a list of all hosts including domains and IP addresses that a user accessed through Netskope Private Access for the past seven days, you can follow these steps:

Access the Netskope Web UI: Log in to your Netskope admin console.

Navigate to SkopeIT:

Go to the SkopeIT section in the Netskope admin console.

Private Apps page in SkopeIT:

In the SkopeIT section, navigate to the "Private Apps" page.

Here, you can find detailed information about the private applications accessed by users, including the domains and IP addresses.

Use the filter options to specify the user and the time range (past seven days).

Export the data as needed for your investigation.

Network Events page in SkopeIT:

In the SkopeIT section, navigate to the "Network Events" page.

This page provides a comprehensive list of network events, including details about the hosts accessed through Netskope Private Access.

Again, use the filter options to specify the user and the time range.

Export the data for reporting purposes.

These two locations within the SkopeIT section of the Netskope Web UI will provide you with the necessary data to meet your security team's requirements.

References:

Netskope Knowledge Portal: Using SkopeIT for Network and Private Apps Analysis​​​​​​​​.

When comparing data in motion with data at rest, the following statements are correct:

Data in motion requires the Netskope client: To inspect and enforce policies on data as it is being transmitted across the network (data in motion), the Netskope client is required. The client steers the traffic through the Netskope cloud where it is analyzed and policies are applied in real-time.

Data at rest requires API integration: To scan and enforce policies on data stored in cloud applications (data at rest), API integration is required. This allows Netskope to directly interact with cloud services and perform actions such as scanning for malware, applying DLP policies, and ensuring compliance.

References:

Netskope documentation on data protection strategies, including data in motion and data at rest.

Best practices for implementing API integrations for data at rest and using the Netskope client for data in motion.

To mitigate malicious scripts from being downloaded into your corporate devices every time a user goes to a website, you need to use Netskope’s threat protection features to block or isolate potentially harmful web traffic. Two actions that would help you accomplish this task while allowing the user to work are: block malware detected on download activity for all remaining categories and block known bad websites and enable RBI to uncategorized domains. The first action will prevent any files that contain malware from being downloaded to your devices from any website category, except those that are explicitly allowed or excluded by your policies. The second action will prevent any websites that are classified as malicious or phishing by Netskope from being accessed by your users and enable Remote Browser Isolation (RBI) to uncategorized domains, which are domains that have not been assigned a category by Netskope. RBI is a feature that allows users to browse websites in a virtual browser hosted in the cloud, without exposing their devices to any scripts or content from the website. Allowing the user to browse uncategorized domains but restrict edit activities or allowing a limited amount of domains and block everything else are not effective actions, as they may either limit the user’s productivity or expose them to unknown risks. References: [Netskope Threat Protection], [Netskope Remote Browser Isolation].

The portion of the interface shown in the exhibit that allows an administrator to set severity, assign ownership, track progress, and perform forensic analysis with excerpts of violating content is Incidents -> DLP. The Incidents dashboard provides a comprehensive view of all the incidents that have occurred in your cloud environment, such as DLP violations, malware infections, anomalous activities, etc. You can filter the incidents by various criteria, such as app name, incident type, severity, user name, etc. You can also drill down into each incident to see more details, such as file name, file path, file owner, file size, file type, etc. You can also assign an owner to an incident, change its status and severity, add notes or comments, and view the excerpts of the violating content that triggered the DLP policy. References: Netskope Incidents Dashboard

In the Skope IT interface, which is a feature in the Netskope platform that allows you to view and analyze all the activities performed by users on cloud applications, there are two event tables that would be used to label a cloud application instance: Page Events and Application Events. Page Events are events that capture the URL and category of the web pages visited by users, as well as the time spent and the bytes transferred on each page. Application Events are events that capture the details of the actions performed by users on cloud applications, such as upload, download, share, edit, delete, etc. You can use these event tables to label a cloud application instance by applying filters based on the domain name or URL of the instance, such as drive.google.com/a/yourcompany.com or slack.com/yourteam. You can then assign a custom label to the filtered events and use it for reporting or policy enforcement. Network Events and Alerts are not event tables that would be used to label a cloud application instance, as they are more related to network traffic or policy violations, rather than cloud application activities. References: [Netskope Skope IT], Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 8: Skope IT.

From the Netskope Console in the device detail view, select Collect Log:

Step 1: Access the Netskope Admin Console.

Step 2: Navigate to the specific device detail view.

Step 3: Locate and select the "Collect Log" option.

The given exhibit shows an inline policy blocking the predefined webmail category via an explicit proxy. However, the user can still access Yahoo Mail, indicating that Yahoo Mail is not included in the webmail category when using an explicit proxy.

Policy Configuration:

The policy is set to block access to the webmail category through an explicit proxy.

The action for this policy is 'Block'.

Understanding the Webmail Category:

Netskope's predefined categories may not always cover all services under a category, especially when it comes to specific configurations like explicit proxy.

The webmail category in the policy might not have included Yahoo Mail when using explicit proxy configurations.

Checking the Category Definitions:

It is important to verify what URLs or services are included under the "webmail" category in the Netskope administration console.

Administrators can check the category definitions and manually add Yahoo Mail if it's not included by default.

References:

REST API v2 Overview - Netskope Knowledge Portal

Using the REST API v2 dataexport Iterator Endpoints - Netskope Knowledge Portal

Using the REST API v2 UCI Impact Endpoints - Netskope Knowledge Portal

netskopesdk · PyPI

Netskope Rest APIv2(OAS 3.1) - Postman Collection

 If you are deploying TLS support for real-time Web and SaaS transactions, then you need to use secure implementation methods that ensure the highest level of encryption and security for your traffic. Two secure implementation methods in this scenario are: support TLS 1.2 only when 1.3 is not supported by the server and require TLS 1.3 for every server that accepts it. TLS stands for Transport Layer Security, which is a protocol that provides secure communication over the internet by encrypting and authenticating data exchanged between two parties. TLS 1.3 is the latest version of TLS, which offers several improvements over TLS 1.2, such as faster handshake, stronger encryption algorithms, better forward secrecy, and reduced attack surface. Therefore, it is recommended to use TLS 1.3 whenever possible for real-time Web and SaaS transactions, as it provides better security and performance than TLS 1.2. However, some servers may not support TLS 1.3 yet, so in those cases, it is acceptable to use TLS 1.2 as a fallback option, as it is still considered secure and widely adopted. Bypassing TLS 1.3 because it is not widely adopted or downgrading to TLS 1.2 whenever possible are not secure implementation methods in this scenario, as they would compromise the security and performance of your traffic by using an older or weaker version of TLS than necessary. References: [TLS], [TLS 1.3].

To discover GDPR data publicly exposed in Microsoft 365, Salesforce, and Slack-sanctioned cloud applications, you need to use a deployment model that allows Netskope to access and scan the data stored in these applications using out-of-band API connections. The deployment model that would match this requirement is API-enabled protection, which is a feature in the Netskope platform that allows you to connect your sanctioned cloud applications to Netskope using API connectors. This enables you to discover sensitive data, enforce near real-time policy controls, and quarantine malware in your cloud applications without affecting user experience or performance. You can use Netskope’s data loss prevention (DLP) engine to scan for GDPR data in your cloud applications and identify any public exposure or sharing settings that may violate the regulation. A reverse proxy, an on-premises appliance, or an inline protection are not deployment models that would help you discover GDPR data publicly exposed in your sanctioned cloud applications, as they are more suitable for inline modes that rely on intercepting traffic to and from these applications in real time, rather than accessing data stored in these applications using APIs. References: [Netskope SaaS API-enabled Protection], [Netskope Data Loss Prevention].

In this scenario, you have deployed the Netskope client in Web mode, which is a feature that allows you to steer your users’ web traffic to Netskope for inspection and policy enforcement. However, some users report that their messenger application is no longer working, even though you have a specific real-time policy that allows this application. Upon further investigation, you discover that the messenger application is using proprietary encryption, which means that Netskope cannot decrypt or inspect the traffic from this application. To resolve this issue, you need to permit access to all the users and maintain some visibility. The configuration change that would accomplish this task is to add a policy in the SSL decryption section to bypass the messenger domain(s). This will allow Netskope to skip the decryption process for the traffic from the messenger application and pass it through without any modification. However, Netskope will still be able to log some basic information about the traffic, such as source, destination, bytes, etc., for visibility purposes. Changing the real-time policy to block the messenger application, creating a new custom cloud application using the custom connector, or editing the steering configuration and adding a steering exception for the messenger application are not configuration changes that would accomplish this task, as they would either prevent access to the application, require additional steps or resources, or reduce visibility. References: [Netskope Client], Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 4: Decryption Policy.

Netskope’s DLP solution is a powerful tool that can help customers protect their sensitive data from unauthorized access, exposure, or loss. One use case for Netskope’s DLP solution is to stop unintentional data movement, such as accidental uploads, downloads, or sharing of confidential files or information to or from cloud applications. Another use case for Netskope’s DLP solution is to ensure regulatory compliance, such as GDPR, HIPAA, PCI-DSS, or other industry-specific standards that require data protection and privacy measures. Netskope’s DLP solution can help customers comply with these regulations by detecting and preventing data breaches, enforcing encryption policies, applying data retention rules, and generating audit reports. Detecting malware in files before they are uploaded to a cloud application or detecting sensitive data in password protected files are not use cases for Netskope’s DLP solution, as they are more related to threat protection or file inspection capabilities. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 6: Data Loss Prevention, Lesson 1: DLP Overview.

A tombstone file is a placeholder file that replaces the original file when it is moved to quarantine by a Netskope policy. The tombstone file contains information about the original file, such as its name, size, type, owner, and the reason why it was quarantined. The tombstone file also provides a link to the Netskope UI where the administrator or the file owner can view more details about the incident and take appropriate actions, such as restoring or deleting the file. The purpose of using a tombstone file is to preserve the metadata and location of the original file, as well as to notify the users about the quarantine action and how to access the file if needed. References: Threat Protection - Netskope Knowledge PortalNetskope threat protection - Netskope

CASB inline interception use cases are scenarios where you need to apply real-time policies and actions on the traffic between users and cloud applications. For example, you may want to block file uploads to a personal Box account to prevent data leakage or exfiltration. You can use Netskope’s inline proxy mode to intercept and inspect the traffic between users and Box, and apply granular policies based on user identity, device type, app instance, file metadata, etc. You can also use Netskope’s inline proxy mode to provide user alerts when sensitive information is posted in Slack. For example, you may want to warn users when they share credit card numbers or social security numbers in Slack channels or messages. You can use Netskope’s steering client to redirect the traffic between users and Slack to Netskope’s inline proxy for inspection and enforcement. You can also use Netskope’s DLP engine to detect sensitive data patterns and apply actions such as alerting or blocking. References: Netskope Inline Proxy ModeNetskope Steering Client [Netskope DLP Engine]

When an administrator suspects that a DLP rule is generating false positives, the Forensic feature within the Netskope tenant allows for reviewing the data that was matched by the DLP rule. This feature provides detailed logs and insights into why a specific piece of data was flagged, enabling the administrator to analyze and adjust the rule as needed.

To access and use the Forensic feature:

Navigate to the Forensic section in the Netskope UI.

Review the detailed logs and matched data to understand the context and reason behind each match.

Adjust the DLP rules if necessary to reduce false positives and improve accuracy.

References:

Netskope REST API Overview​​.

Netskope SDK Documentation​​.

Secure Access Service Edge (SASE) is a cloud-based architecture that combines various cloud security and infrastructure enablement technologies into a unified platform that delivers security and networking services from the edge of the network. Two of these technologies are Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB). ZTNA is a technology that provides secure access to private applications without exposing them to the internet or using VPNs. It uses identity-based policies and encryption to grant granular access to authorized users and devices, regardless of their location or network. CASB is a technology that provides visibility and control over cloud applications (SaaS) used by users and devices. It uses API connections or inline proxies to inspect and enforce policies on data and activities in cloud applications, such as data loss prevention, threat protection, or compliance. Distributed Denial of Service Protection (DDoS) and Unified Threat Management (UTM) are not technologies that SASE combines into its unified platform, although they may be related or integrated with some of its components. References: [SASE], [ZTNA], [CASB].

The statement that is true in this scenario is: Certificate-related settings apply to each individual steering configuration level. Certificate-related settings are the options that allow you to configure how Netskope handles SSL/TLS certificates for encrypted web traffic. For example, you can choose whether to allow or block self-signed certificates, expired certificates, revoked certificates, etc. You can also choose whether to enable SSL decryption for specific domains or categories. Certificate-related settings apply to each individual steering configuration level, which means that you can have different settings for different types of traffic or devices. For example, you can have one steering configuration for managed devices and another one for unmanaged devices, and apply different certificate-related settings for each one. This allows you to customize your security policies based on your needs and preferences. References: Netskope SSL DecryptionNetskope Steering Configuration

Steering Configuration page under Settings (A):The Steering Configuration page under Settings is used to configure and manage the steering policies, including IPsec and GRE tunnels. This section provides the necessary tools to configure the network traffic routing and ensures that the configurations are set according to the organization's requirements.

IPsec Site and GRE Site pages under Settings (D):These specific pages under the Settings section allow administrators to monitor and manage the status of IPsec and GRE tunnels. They provide detailed information about the tunnel configurations, status, and other metrics that are essential for maintaining the health and performance of the network connections.

These details are confirmed based on the features and configurations available within the Netskope Admin UI settings, as documented in the Netskope Knowledge Portal.

PCI-DSS stands for Payment Card Industry Data Security Standard, which is a set of security requirements for organizations that handle credit card data. It aims to protect cardholder data from unauthorized access, disclosure, or theft, both in transit and at rest. PCI-DSS covers various aspects of security, such as encryption, authentication, firewall, logging, monitoring, and incident response. If you are working with a large retail chain and have concerns about their customer data, you should use PCI-DSS as the regulatory compliance standard to govern this data. SOC 3, AES-256, and ISO 27001 are not specific to credit card data protection, although they may have some relevance to general security practices. References: [PCI-DSS], [SOC 3], [AES-256], [ISO 27001].

To determine which data plane a user is traversing, an administrator can use the following methods:

Settings -> Security Cloud Platform -> Client Configuration: This section provides details about the client configurations and the data planes assigned to different users or groups. By reviewing the client configuration, administrators can determine the data plane a user is connected to.

SkopeIT -> Alerts -> View Details: In the SkopeIT alerts, administrators can view detailed information about user activities, including the data plane through which the user traffic is being routed. This provides real-time insights into the user's path through the Netskope infrastructure.

References:

Netskope documentation on configuring and managing the Security Cloud Platform and client configurations.

Guides on using SkopeIT to monitor user activities and view detailed alert information.

The Building Security in Maturity Model (BSIMM) is a framework that measures and compares the security activities of different organizations. It helps organizations to assess their current security practices and identify areas for improvement. ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and improving an information security management system. It helps organizations to manage their information security risks and demonstrate their compliance with best practices. Data Science Council of America (DASCA) is not a security framework, but a credentialing body for data science professionals. NIST Cybersecurity Framework (NIST CSF) is a security framework, but it is not commonly used to assess and validate a vendor’s security practices, as it is more focused on improving the cybersecurity of critical infrastructure sectors in the United States. References: [BSIMM], [ISO 27001], [DASCA], [NIST CSF].

To locate information pertaining to a DLP violation on a file in your sanctioned Google Drive instance, you can use the Incidents dashboard in Netskope. The Incidents dashboard provides a comprehensive view of all the incidents that have occurred in your cloud environment, such as DLP violations, malware infections, anomalous activities, etc. You can filter the incidents by various criteria, such as app name, incident type, severity, user name, etc. You can also drill down into each incident to see more details, such as file name, file path, file owner, file size, file type, etc. The Incidents dashboard can show DLP violations for files that are in a deleted state, as long as they are still recoverable from the trash bin of the app. If the file is permanently deleted from the app, then the incident will not be visible in the dashboard. References: Netskope Incidents Dashboard

 TLS/SSL Inspection:

Cloud security solutions achieve visibility into TLS/SSL-protected web traffic through a process known as TLS/SSL interception or inspection.

 How It Works:

The security solution acts as an intermediary (man-in-the-middle) during the TLS handshake.

When a user initiates a connection to a TLS/SSL-protected website, the security solution intercepts this connection.

It completes the TLS handshake with the user's device using its own certificate, and simultaneously performs the handshake with the destination website.

 Certificate Replacement:

The security solution decrypts the traffic, inspects it, and then re-encrypts it before forwarding it to the destination website.

The user’s browser trusts the security solution’s certificate, which replaces the original website's certificate.

 Security Implications:

This method allows the security solution to inspect encrypted traffic for threats or policy violations while maintaining secure communication.

 References:

Detailed explanations and implementation steps can be found in Netskope documentation on SSL/TLS inspection​​​​​​.

To review the category of a website and understand how the rules are applied, the following action can be taken:

Use the URL Lookup page in the dashboard: The URL Lookup page in the Netskope dashboard allows administrators to enter a URL and view its categorization. This tool provides information on how the website is classified and which policies apply to it. It helps in troubleshooting why a user might be unable to access a specific site, even if the category is generally allowed.

References:

Netskope documentation on using the URL Lookup tool to review website categories and policy applications.

Guidelines for troubleshooting web access issues using the Netskope dashboard tools.

When working with traffic from applications with pinned certificates, you should add an exception to the steering configuration to bypass them. Pinned certificates are a security technique that prevents man-in-the-middle attacks by validating the server certificates against a hardcoded list of certificates in the application. If you try to intercept or inspect the traffic from such applications, they will reject the connection or display an error message. Therefore, you should add the domains used by certificate-pinned applications as exceptions in your steering configuration, so that they are not steered to Netskope for analysis and enforcement. References: Certificate Pinned ApplicationsCreating a Steering Configuration