
Netskope Help

SSL Inspection

Your perimeter device is expected to already be inspecting SSL traffic for client connections. This document does not cover how to steer traffic from clients to your firewall/proxy, or how to make clients trust the certificates it presents. Both are assumed to be solved and working correctly.

At a bare minimum, SSL traffic destined for cloud apps must be intercepted. The list of domains associated with apps managed by Netskope can be downloaded from the UI using the Export button on the Settings > Manage > Applications > Predefined page.

Server-side certificates are required to enable SSL inspection. You can use either a self-signed certificate or a CA-issued certificate, preferably signed by the enterprise's root or intermediate CA.

Make sure that the server certificate uses a fully qualified domain name as the common name.

To configure certificates:

  1. Enter the command:

    set dataplane forward-proxy server-cert

    Copy and paste your CA certificate into the buffer, press the Enter key, and then enter Ctrl-D to exit.

  2. Enter the command:

    set dataplane forward-proxy server-key

    Copy and paste your private key into the buffer, press the Enter key, and then enter Ctrl-D to exit.

  3. Enter the command:

    set dataplane forward-proxy server-intermediate-ca-chain

    Copy and paste any intermediate certificates into the buffer, press the Enter key, and then enter Ctrl-D to exit.

  4. If you are not using a CA and want the appliance to generate a self-signed certificate, enter this command while in configuration mode:

    run request certificate generate forward-proxy self-signed city <city> common-name <common-name> country <country> days <days> email-address <email-address> organization <organization> organization-unit <organization-unit> state <state>

Here is an example of the above command that generates a self-signed certificate:

    run request certificate generate forward-proxy self-signed city "Los Altos" common-name "sforwarder.netskope.com" organization "netskope" organization-unit "netskope cert authority" state "CA" country "US" email-address "admin@netskope.com"