Skip to main content

Netskope Help

Security Cloud Platform Configuration

Netskope Secure Web Gateway provides the different global configuration settings below.

Dynamic URL Classification

Dynamic URL classification looks at the textual contents of a page and dynamically determines the category for the uncategorized URLs. This feature is turned off by default. After a page has been dynamically categorized, the classification applies to all of your tenant instances. The page classification to a category expires every 12 hours so that if any changes occur to the page, the content is re-evaluated so the chosen category matches the current page content.

To enable dynamic URL classification globally:

  1. Go to Settings > Security Cloud Platform > Configuration.

  2. Under Dynamic URL Classification, click Edit.

    The Dynamic URL Classification section on the Configuration page.
  3. In the Edit Dynamic URL Classification, click the toggle to enable or disable. If enabled and users browse an uncategorized URL, Netskope dynamically classifies it into a predefined category.

    The Edit Dynamic URL Classification window.
  4. Click Save.

  5. Go to Policies > Web > URL Lookup to search for predefined and custom categories or report miscategorization.

    The URL Lookup tab on the Web page.

    Note

    If the URL is miscategorized, use custom categories to define a custom URL category or Report Miscategorization.

Safe Search

To block porn and other explicit content in image format that violates your corporate policy, use the Safe Search feature. Supported search engines include Bing, DuckDuckGo, Google, and Yahoo.

To enable safe search globally:

  1. Go to Settings > Security Cloud Platform > Configuration.

  2. Under Safe Search, click Edit.

    The Safe Search section on the Configuration page.
  3. In the Edit Safe Search, click the toggle to enable or disable. If enabled, Netskope blocks the session when users browse any inappropriate URLs.

    The Edit Safe Search window.
  4. Click Save.

Dynamic Trusted Store

To enable trusted store certificates globally:

  1. Go to Settings > Security Cloud Platform > Configuration.

  2. Under Dynamic Trusted Store, click Edit.

    The Dynamic Trusted Store section on the Configuration page.
  3. In the Edit Dynamic Trusted Store, click the toggle to enable or disable. If enabled, Netskope blocks the session when users browse any inappropriate URLs.

    The Edit Dynamic Trusted Store window.
  4. Click Save.

X-Forwarded-For Header

An X-Forwarded-For (XFF) header is used to identify the originating IP address of a user connecting to a web server through an HTTP proxy. Without the XFF header, the proxy server will be identified as the originating IP address. Use this feature to trust IP addresses contained in the XFF header.

Note

For security, this feature is not supported for remote users when using explicit proxy steering methods.

To trust XFF headers globally:

  1. Go to Settings > Security Cloud Platform > Configuration.

  2. Under X-Forwarded-For Header, click Edit.

    The X-Forwarded-For Header section on the Configuration page.
  3. In the Edit X-Forwarded-For Header, click the toggle to enable or disable. If enabled globally, Netskope trusts XFF headers for all traffic in your organization and overrides your XFF configurations for your IPSec and GRE tunnels. If disabled, you can trust XFF headers for traffic going through specific tunnels.

    The Edit X-Forwarded-For Header window.
  4. Click Save.

Dedicated Egress IP Footprint

Note

Contact Support to enable this feature in your account; additional licensing is required.

There are several auth related services which may require configuration to allow Netskope Cloud IPs as the source address to these services.

For example, with active auth on the O3654 Proxy, the local ADFS server may restrict auth from certain source IPs. Another case is when you want IdP providers to restrict auth requests from certain source IPs, or similarly restrict application access to a specific application. In these cases, you can use the Netskope Cloud IPs for these configurations.

Web and cloud apps that rely on source IP addresses as a form of identification and security can use the Netskope egress IP feature to help transition from on-premises security controls to a Security Service Edge (SSE) architecture. This provides admins with an additional option to enable access to these applications and minimize disruption to users.

Netskope's Dedicated Egress IP Footprint feature allocates a minimum of two IP addresses from Netskope owned IP ranges per data plane that matches your accounts NewEdge traffic management zone/region. The dedicated IP ranges are completely separate from the shared IP ranges. Port exhaustion is monitored by the Netskope platform.

All traffic will use these IP addresses and is available for all steering methods and traffic except for Netskope Private Apps (NPA) traffic.

You can see the list of IPs assigned to your account by going to Settings > Security Cloud Platform > Enforcement > Netskope IP Ranges. The Dedicated IP Ranges tab lists the assigned dedicated IPs. You can copy the IP ranges to use for conditional access policies on the SaaS side.

The Netskope IP Ranges on the Netskope Client Enforcement page.

To enable dedicated egress IPs for user traffic hitting SaaS apps through the proxy:

  1. Go to Settings > Security Cloud Platform > Configuration.

  2. Under Dedicated egress IP Footprint, click Edit.

    The Dedicated egress IP Footprint section on the Configuration page.
  3. In the Edit Dedicated egress IP Footprint, click the toggle to enable or disable.

    The Edit Dedicated egress IP Footprint window.
  4. Click Save.

Important

Admins must update their IP restrictions for each application.

Localization Zones

Note

Contact your Sales team or Netskope Support to enable this feature in your account.

Localization zones further extend NewEdge global coverage by providing the same experience as direct-to-net with native language and localized content support for all websites, even when there’s no in-country Data Plane (DP). This feature also addresses certain websites or SaaS applications that require users to be local (geo-blocking or geo-fencing). In addition, localization zones maintain users’ experiences during failover or maintenance situations, even when using an out-of-country DP. Localization zones don’t change or modify the traffic path, such as traffic backhauling that adds latency.

For example, when this feature is enabled, a user in Greece receives search results and websites relevant to Greece and in the Greek language, despite connecting via the NewEdge DP in Vienna, Austria. Similarly, in a failover situation for a user in Mexico (where there’s one single DP), the user can connect via the Dallas DP and continue to receive localized content in Spanish. In the case of Mexico, localization zones extend the resilience of NewEdge via six DPs to ensure both security coverage and digital experience remain intact at all times. These DPs include Atlanta, Dallas, Miami, Phoenix, and two in Los Angeles.

The following table lists the currently suppored countries for this feature:

The bolded regions have single, in-region NewEdge DPs where localization zones provide additional resilience.

Table 5. Supported Countries

Argentina

Albania

Algeria

Armenia

Aruba

Austria

Azerbaijan

Bahrain

Bangladesh

Barbados

Belarus

Belgium

Bolivia

Bosnia and Herzegovina

Botswana

Bulgaria

Cambodia

Cameroon

Cayman Islands

Chile

Colombia

Congo

Costa Rica

Cote D'Ivoire

Croatia

Cyprus

Czech Republic

Denmark

Dominican Republic

Ecuador

Egypt

El Salvador

Estonia

Ethiopia

Fiji

Finland

French Polynesia

Georgia

Ghana

Greece

Guadeloupe

Guatemala

Guernsey

Honduras

Hong Kong

Hungary

Indonesia

Ireland

Isle of Man

Israel

Italy

Jamaica

Jersey

Jordan

Kazakhstan

Kenya

Kuwait

Latvia

Lebanon

Lithuania

Luxembourg

Macedonia

Malaysia

Maldives

Malta

Martinique

Mexico

Moldova

Montenegro

Morocco

Mozambique

Namibia

Nepal

Netherlands

New Zealand

Nicaragua

Nigeria

Norfolk Island

Norway

Oman

Pakistan

Panama

Papua New Guinea

Paraguay

Peru

Philippines

Poland

Portugal

Qatar

Reunion

Romania

Russian Federation

Rwanda

Saint Martin

Senegal

Serbia

Singapore

Slovakia

Slovenia

South Korea

Sri Lanka

Swaziland

Sweden

Taiwan

Tanzania

Thailand

Tunisia

Turkey

Uganda

Ukraine

Uruguay

Uzbekistan

Venezuela

Vietnam

Zambia

Zimbabwe



To enable localization zones:

  1. Go to Settings > Security Cloud Platform > Configuration.

  2. Under Localization Zones, click Edit.

    localization-zones-configuration.png
  3. In the Edit Localization Zones window, click the toggle to enable or disable. If enabled, your users receive content based on their geographic location.

    edit-localization-zones-configuration.png
  4. Click Save.