Skip to main content

Netskope Help

Add a Policy for SSL Decryption

SSL decryption policies allow you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies.

Note

Netskope continues to match against Real-time Protection policies when a connection is matched with a SSL Do Not Decrypt policy. As a part of the SSL decryption policy lookup, when traffic is dropped due to a Real-time Protection policy match, a Skope IT event alert is generated. A user alert or block notification isn't sent to the user.

To configure a SSL decryption policy:

  1. Navigate to Policies > SSL Decryption.

  2. Click Add Policy. The New SSL Decryption Policy page appears.

  3. For Match Criteria, specify the match criteria for the traffic. You must specify at least one match criteria from the Add Criteria dropdown to create a policy. The system applies the ‘AND’ operator among multiple criteria groups (e.g. user, domain, and category), and the ‘OR’ operator among multiple match criteria values (e.g. Category 1, Category 2, Category 3).

    The following table lists the match criteria options.

    Criteria

    Options

    Source Network Location

    Search and add a source network location (select all that apply) and match against User IP and Source IP addresses. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details.

    Match Against Field

    User IP Address - This is the user’s internal / private IP address (RFC 1918).

    Egress Source IP Address - This is the user’s external NAT (Public) IP address.

    Traffic that runs through the Netskope gateway, including both the User IP and Egress Source IP addresses are viewable by the system. The distinction is helpful so admins can make selective decisions for internal hosts (user IPs) versus all hosts in a given network (egress IPs).

    Destination Network Location

    Search and add a destination network location, select all that apply. Click +New to add a new network location. See Add New Network Location for SSL Decryption for details.

    Category

    Lists all categories

    Domains

    List domains as comma separated values.

    Netskope supports domain names based on server name indication (SNI) and not certificate name (CN) or subject alternative name (SAN). Wildcard search is supported.

    User

    Lists all users

    User Group

    Lists all user groups

    Organizational Unit

    Lists all organizational units

    App Suite

    List of app suites specified with table shown in the App Suite Details topic.

    Each app suite name is mapped to a list of defined domains, and the domain list gets updated for new / changes periodically.

    App

    Lists apps that are uniquely identifiable based on a single domain name.

    There are no overlapping domains to apps. You can select one or more predefined or custom apps and custom apps have higher priority over predefined apps.

  4. For Action, you can select one of the following options:

    • Do Not Decrypt: Traffic will not go through deep analysis.

    • Decrypt: Traffic will move to deep analysis via the Real-time Protection policies.

  5. For Set Policy, enter a Policy Name. Optionally, you can enter a Policy Description.

  6. Click Save.

Tip

By default, the policy is disabled; you must enable it after you are done configuring it.

Once you create a policy, you can perform the following actions described in the table below.

Action

Description

Edit

Click the policy name or edit via the ellipses at the end of the policy row.

Disable

Click the policy name or disable via the ellipses at the end of the policy row.

Move to Position

Access the Move to Position dialog via the ellipses at the end of the policy row. You can select to move the policy to: Top of policy list, Bottom of policy list, Before policy, or After policy. Click Move to apply your change. Note, if you select before or after policy, a dropdown displays in which you must select a policy from the list.

Delete

Select the policy name and click Delete button or delete via the ellipses at the end of the policy row. Deleting a policy means that the corresponding traffic will be decrypted and sent for deep analysis. If you change your mind, click the ellipses to access the Revert Deletion button.

View Pending Changes

View a list of policies that are new or have changed and click Apply Changes to save and implement the policy. 

Filters

Use the filters at the top of the list page to quickly access or filter out policies by name or criteria added. Click +Add Filter to apply multiple match criteria to the filter. You can save the filter and access it via the carrot, above the Filters search bar. To delete any criteria, click the red X in the upper right corner of the filter label.