Link Search Menu Expand Document

Netskope

Configuration > Cloud Services > Netskope

Netskope is a cloud security service. EdgeConnect traffic can be chained to Netskope for additional security inspection. Orchestrator supports IPSec tunnel mode for Netskope.

NOTE: Be aware that design changes that occur in the Netskope application (especially the user interface) could affect instructions provided in this topic. Therefore, these instructions are provided as guidelines rather than precise steps.

IMPORTANT: If you have Netskope running through Service Orchestration, you must take down the manual tunnels before enabling the API through the Configuration > Cloud Services > Netskope feature.

The following table describes the fields on the Netskope tab.

Field Description
Appliance Name of the appliance to connect to Netskope.
Interface Label Interface label for the interfaces you want to connect to Netskope.
Mode Tunnel mode (IPSec) for Netskope.
Netskope Deployment Status Status of the Netskope deployment (Creating, Pending, or Deployed). Deployed indicates successful deployment.
Netskope Service Edges These are the Netskope endpoints to which the tunnels connect. This field is populated with discovered Public Service Edges based on the appliance’s geographical location.
Connection Status Status of the Netskope connection based on tunnel and IP SLA statuses.

Configure Netskope

Before you configure Netskope, you must create a Netskope account and ensure that you have an established connection with Netskope.

Subscription

  1. Go to https://docs.netskope.com/en/rest-api-v2-overview-312207.html and follow the steps to configure your Netskope account.

    When you create your REST API token in the steps, add the following endpoints and assign the indicated privileges.

    Endpoint Privileges
    /api/v2/steering/ipsec/pops Read
    /api/v2/steering/ipsec/tunnels Read + Write
  2. After configuring your Netskope account, navigate to Configuration > Cloud Services > Netskope.

  3. Click Subscription.

    The Subscription dialog box opens.

  4. Enter the appropriate information to reflect your Netskope account.

    The following table describes the fields.

    Field Description
    Netskope Indicates whether you are connected to your Netskope account.
    API Token Name The API Token name you created when configuring Netskope.
    API Token Key The API Token key you created when configuring your Netskope account.
    Domain Domain provisioned in Netskope for your enterprise.
    Configuration Polling Interval Indicates how often Orchestrator should check for configuration changes in Netskope. The default polling interval is ten minutes.
  5. Click Save. The Netskope field should indicate Connected.

Interface Labels

Select the WAN interfaces you want to use for Netskope internet traffic. You can specify primary and backup interfaces as described below. If a primary interface is unavailable, Orchestrator will use a backup interface if specified. Optionally, you can specify secondary interfaces as well. In this case, the fallback order is primary, secondary, and then backup.

NOTE: When two or more labels are configured and active at the same level (primary, secondary, or backup) new flows will be load balanced across the Netskope tunnels based on current available bandwidth for the label. Labels with more available bandwidth will receive more flows than labels with less available bandwidth.

  1. On the Netskope tab, click Interface Labels.

    The Build Tunnels Using These Interfaces dialog box opens.

  2. Drag the interfaces you want to use from the right side of the dialog box to the Primary and Backup areas. The interfaces are grayed out until you move them into the areas.

  3. If you want to specify secondary interfaces, click Show Secondary to display the Secondary area, and then drag the appropriate interfaces to this area.

  4. Click Save.

WARNING: This is service affecting. Any changes to the interface selection can cause previously built tunnels to be deleted and rebuilt.

Tunnel Settings

The Tunnel Settings button opens the Netskope Tunnel Setting dialog box, enabling you to define the tunnels associated with Netskope and EdgeConnect. Use Netskope defaults for tunnel settings defined by the system.

NOTE: You can configure General, IKE, and IPSec tunnel settings. Settings are automatically generated, but you can change them if you want to.

IP SLA

Configure IP SLA for Netskope tunnels. This configuration ensures tunnel connectivity and internet availability between Netskope and Orchestrator. If the tunnel cannot reach Netskope, the tunnel is considered DOWN.

  1. On the Netskope tab, click IP SLA.

    The Netskope IP SLA Configuration dialog box opens.

  2. If all fields are dimmed, click Enable IP SLA rule orchestration.

  3. Select an orchestrated loopback label from the Source Interface field.

    Note: When IP SLA is enabled for Netskope, Orchestrator automatically sets the Monitor field to Ping and uses the IP SLA targets specified by Netkope in the RESTv2 API response. Each Netskope POP uses a unique IP SLA target. The auto-IP SLA target typically ends in .216. For example, 10.162.6.216 (LON1) and 10.177.6.216 (LON2).

  4. Accept the default values for the remaining fields and click Save.

    Orchestrator builds the tunnels.

Netskope Association

The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances to Netskope.

  1. In the Orchestrator appliance tree, select one or more appliances to associate with Netskope.

  2. On the Netskope tab, click Netskope Association.

    The Netskope Appliance Association dialog box opens.

  3. In the table, select one or more appliances you want to associate with Netskope, and then select the Add check box.

    Select the Remove check box to remove Netskope association from selected appliances in the table.

  4. Verify the changes, and then click Save.

Pause Orchestration

When troubleshooting, you can click Pause Orchestration and then click Save to pause orchestration. To restart, click Resume Orchestration.

Using Netskope for Breakout Traffic

Finally, you need to select the Netskope service in at least one Business Intent Overlay Breakout Traffic Policy to steer traffic to it.

  1. Navigate to the Business Intent Overlays tab in Orchestrator (Configuration > Overlays & Security > Business Intent Overlays).

  2. Click the overlay that breaks out traffic to Netskope.

    The Overlay Configuration dialog box opens.

  3. Click the Breakout Traffic to Internet & Cloud Services tab.

  4. Drag Netskope from the Available Policies column to the Preferred Policy Order column.

Verify Netskope Deployment

After Netskope is configured, deployment will begin automatically. Navigate to the Netskope tab to verify successful deployment. The Netskope Deployment Status column should have a green status of Deployed, and the Connection status column should have a green status of Up. The Connection Status column indicates the status of the Netskope connection based on tunnel and IP SLA statuses.

NOTE: Netskope is deployed and orchestrated for an appliance based on the Netskope Appliance Association dialog box. Business Intent Overlays (BIOs) are used to configure breakout internet policies to Netskope. This is used for automatic load distribution and failover.

You can also verify that your Netskope tunnels have been successfully deployed on the Tunnels tab. The Passthrough Tunnel column should list your Netskope tunnels, and the Status column should have a green status of up – active.

You can view the Audit Log to check for orchestration errors. Navigate to Orchestrator > Audit Logs and enter Netskope in the search field above the table.


Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP.

For third-party trademark acknowledgements, go to Trademark Acknowledgements. All third-party marks are property of their respective owners.

To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America