NSCOA LabGuide v24.02

Uploaded by

Jorge Calderon
Netskope Security Cloud

Operation and Administration


Lab Guide

NETSKOPE CONFIDENTIAL

Version 24.02
Disclaimer

The contents of this course and each of the lessons and related materials, including handouts to participants,
are subject to Netskope Copyright 2024.

This instructional program, including all materials provided herein, is provided without any guarantees from
Netskope.

Netskope assumes no liability or legal action arising from the use or misuse of content or details contained
herein.

This content may not be reproduced without the permission of Netskope.

2024 © Netskope. All Rights Reserved 2


Table of Contents
Before You Begin
    Log in to Amazon WorkSpaces
    Download lab files
Lab A: Metadata DLP Policy
    Part 1 – Set up API-enabled protection for the Dropbox application
    Part 2 – Create a DLP policy
Lab B: Netskope Client
    Part 1 – Provision users with Directory Importer
    Part 2 – Provision the Netskope Client
    Part 3 – Configure policy actions based on device classification
    Part 4 – Restrict activities based on the login user
Lab C: SaaS threat protection
    Part 1 – Enable API-enabled threat protection for your Dropbox instance
    Part 2 – Configure a real-time threat protection policy with hash-based allowlists and blocklists
Lab D: Netskope Advanced Analytics
Lab E: IaaS – Block bucket uploads
    Part 1 – Create a policy to restrict uploads to a specific S3 bucket
    Part 2 – Test uploading a file to different S3 buckets
Lab F: SSL decryption bypass
    Part 1 – Block web uploads to selected URLs
    Part 2 – Bypass SSL inspection for selected URLs
Lab G: Web Security
Lab H: Netskope Cloud Firewall
    Part 1 – Configure the default action for non-web traffic
    Part 2 – Create a new steering configuration to manage all traffic
    Part 3 – Test non-HTTP(S) traffic steered to Netskope Cloud Firewall
    Part 4 – Allow access through Netskope Cloud Web Firewall
    Part 5 – Verify that the traffic to the configured apps is allowed
    Part 6 – Create an Advanced Analytics Report for CFW activities

Before You Begin
Log in to Amazon WorkSpaces

1. Browse to https://clients.amazonworkspaces.com/ and download and install the latest client for your OS or
device if you haven’t done so already.

Note: Make sure the ports 4195 TCP and 4195 UDP are open for outside connections from your device. These
ports are required by both the Amazon WorkSpaces client and Amazon WorkSpaces Web Access.

2. Open the Amazon WorkSpaces client and enter the registration code provided by your instructor and click
Register.

3. Once registered, click the Network test icon in the top right of the application and view the results. Confirm
that green checkmarks are displayed for all tests.

Note: On a Mac computer, use the Network command in the Connections menu to run the test.

4. If the results show all green, you can now connect to a remote desktop with Amazon WorkSpaces client.

5. Close the Network window, then enter the WorkSpaces credentials provided by your instructor and click
Sign In.

Download lab files

1. In your Amazon WorkSpace, open a web browser and navigate to the Netskope learning management
system. Click one of the following URLs based on your role:
• Customer: https://netskopeclient.learnupon.com/
• Partner: https://netskopepartners.learnupon.com/
• Employee: https://netskopeacademy.learnupon.com/

2. Log in with your Netskope Academy credentials.

3. On the My Courses page, click the Start button on the Netskope Security Cloud Operation &
Administration (NSCO&A) course.

4. In the left navigation pane under Course Contents, select Lab Guide and Lab Files.

5. At the top of the page, click Download Lab Files to download the files to your Amazon WorkSpace. The
files will download as a zip file.
You can now begin working on the labs.

Note: We highly recommend that you perform all labs in Amazon WorkSpaces. Your instructor can more easily
provide assistance when needed, and some of the labs involve files that look like malware or Data Loss
Prevention (DLP) violations that may set off alerts within your company’s cybersecurity department.

Lab A: Metadata DLP Policy
This lab introduces you to Netskope API-enabled protection policies. By completing this lab, you will perform
the following tasks:
• Set up API-enabled protection for the Dropbox application.
• Create a custom metadata DLP rule and profile.
• Assign the profile to a policy.
• Validate that your rule is working.

Estimated time: 45 minutes

Part 1 – Set up API-enabled protection for the Dropbox application

In this part, you will set up Netskope to access an instance of Dropbox via API. Use your training Dropbox
instance that you were asked to create in the prerequisites to this course.

Task 1.1 – Access your training Netskope tenant

1. In your Amazon WorkSpace, run a web browser and navigate to the Netskope tenant URL provided by the
instructor.

2. Log in to the tenant with the credentials provided by the instructor.

3. Change your initial password to:
Netskope1!

4. Accept the Netskope Service Operational Policy and click Continue.

Task 1.2 – Configure API-enabled protection for a Dropbox account

1. Open a new browser tab and navigate to www.dropbox.com.

2. Log in to the training Dropbox account you created as part of the prerequisites for this training.

Note: If Dropbox asks for a verification code, find the code in your training Google mailbox and complete the
challenge.

3. Open the folder named after your Dropbox user. Throughout the rest of this lab guide, this folder will be
referred to as your personal folder.

4. Upload hello.txt from the IaaSLab folder in your lab files folder to your personal folder of your Dropbox
account.

5. If you don’t remember your Dropbox Team name, the following steps will walk you through finding your
Dropbox Team name. You will need this information to configure API-enabled protection for your Dropbox
instance in your Netskope tenant.
a. Click your Dropbox user icon and select Settings.

b. Click the Plan tab and scroll down until you see your Dropbox Team name. Note your Dropbox Team
name.

6. Select the browser tab where the Netskope tenant UI is loaded.

7. In the Netskope tenant UI, click Settings in the bottom-left corner.

The Settings page opens in a new browser tab.

8. On the Settings page, use the left menu to navigate to Configure App Access > Classic and verify that
the SaaS tab is selected.

9. Select the Dropbox icon and click Setup Instance.

10. In the Instance Name field, type your Dropbox Team name. (If you followed the naming convention in the
prerequisites document, your Dropbox Team name is: Dropbox-{your initials})

Note: The Instance Name must match the Team name of your training Dropbox account exactly
(case-sensitive).

11. Under Instance Type, select all options.

12. In the Admin Email field, enter the email address you used to sign up for your Dropbox account (your
training Google account, if you followed the instructions in the prerequisites to this training).

13. Click Save.

14. Click Grant Access to allow Netskope to access your Dropbox instance.

Note: You should still be logged in to Dropbox, so no additional authentication should be required. However, if
you are prompted to sign in to Dropbox, please do so.

15. When a new browser window pops up, click Allow to link with Netskope Active Platform.

16. When a confirmation message is displayed, click Close.

Your Netskope tenant now has access to your Dropbox instance via the Dropbox API. Notice the green
checkmark before the instance entry (you may have to refresh the page.)

Part 2 – Create a DLP policy

Next, you will create a DLP policy with a custom DLP profile to match the metadata of APIProtectionLab.docx.

Note: This file is located inside the labfiles.zip provided to you.

Task 2.1 – Create a custom DLP rule

1. Select the browser tab with the main Netskope tenant UI.

2. Navigate to Policies > Profiles > DLP.

3. Click Edit Rules and select Data Loss Prevention.

4. Click New Rule.

5. In the New DLP Rule wizard, click Next to skip Predefined options.

6. On the Custom page, select Case Insensitive from the dropdown menu.

7. In the text field below the dropdown menu, type the following:
internal template

Note: It is a best practice to type case-insensitive match patterns all in one case, usually in lower case.

8. Click the plus button to add the new identifier, then click Next.

9. Click Next on the Exact Match and Advanced Options pages to skip over them.

10. Under Content, only select Metadata, then click Next.

11. On the Security Threshold page, in the Low Severity field, type:
1

12. Ensure that Take policy action at is set to Low severity, then click Next.

13. In the Rule name field, type the following and click Save:
DLP-APIProtectionLab-{Initials}

14. Click Apply Changes, then click Apply to confirm.
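
To see which document property would make a file such as APIProtectionLab.docx match the rule built in this task, the following added example (not part of the Netskope lab guide) lists the properties of a .docx that contain a phrase, compared case-insensitively. It assumes that the Metadata content option corresponds to the OOXML property parts docProps/core.xml, docProps/app.xml and docProps/custom.xml, which the guide does not state; the sample files are constructed in memory.

```python
"""List the document properties of a .docx that contain a phrase (case-insensitive)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumption: "metadata" means the OOXML document-property parts below.
METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
MAX_PART_BYTES = 1_000_000  # refuse oversized parts (zip-bomb guard)


def _read_properties(zf, part):
    """Yield (property_name, text) for each top-level property in one part."""
    info = zf.getinfo(part)
    if info.file_size > MAX_PART_BYTES:
        raise ValueError(f"{part}: unexpectedly large ({info.file_size} bytes)")
    data = zf.read(part)
    if b"<!DOCTYPE" in data:  # the packaging format does not allow DTDs in parts
        raise ValueError(f"{part}: DTD not allowed")
    for child in ET.fromstring(data):
        # custom.xml names the property in an attribute; core/app use the tag name
        name = child.get("name") or child.tag.rsplit("}", 1)[-1]
        text = " ".join("".join(child.itertext()).split())
        if text:
            yield name, text


def metadata_hits(docx, phrase):
    """Return [(part, property, value)] for properties containing `phrase`.

    `docx` is a path or a binary file object. Body text (word/document.xml)
    is deliberately not inspected, mirroring a metadata-only rule.
    """
    needle = phrase.casefold()
    hits = []
    with zipfile.ZipFile(docx) as zf:
        present = set(zf.namelist())
        for part in METADATA_PARTS:
            if part not in present:
                continue
            for name, text in _read_properties(zf, part):
                if needle in text.casefold():
                    hits.append((part, name, text))
    return hits


def build_sample(keywords, body):
    """Constructed input: only the parts this checker reads, not a file Word would open."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f'<dc:title>Quarterly notes</dc:title><cp:keywords>{keywords}</cp:keywords>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Template>Normal.dotm</Template><Company>Example Corp</Company></Properties>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f'<w:body><w:p><w:r><w:t>{body}</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", document)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    samples = {
        "phrase in a property": build_sample("Internal Template; finance", "Hello"),
        "phrase only in body": build_sample("finance", "This is an internal template."),
    }
    for label, sample in samples.items():
        print(label, "->", metadata_hits(sample, "internal template"))
```

To inspect a real file, pass its path instead of a constructed sample, for example `metadata_hits("APIProtectionLab.docx", "internal template")`.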

Task 2.2 – Create a DLP profile

1. Navigate to Policies > Profiles > DLP again, then click New Profile.

2. Click Next to skip the File Profiles options.

3. On the Rule | Classification page, click in the DLP Rule field to see a list of available DLP rules.

4. From the All Rule Types dropdown menu, select Custom.

5. Select your DLP-APIProtectionLab-{Initials} rule and click Next.

6. In the Profile name field, type the following and click Save:
APIProtectionLab-Profile-{Initials}

7. Click Apply Changes, then click Apply to confirm.

Task 2.3 – Create a DLP policy

1. Navigate to Policies > API Data Protection.

2. Verify that the SaaS tab is selected, and that the Classic/Next Gen switch is set to Classic.

3. Click New Policy and select Dropbox.

4. Complete the policy wizard using the following values:

Application > Application                 Dropbox
Application > Instance                    Your Dropbox instance Dropbox-{Initials} configured earlier
Users                                     All Users
Content > File sharing options to scan    All Sharing Options
Content > File types to scan              Specific File Types > Microsoft Word Documents
DLP                                       DLP
DLP > DLP profile                         Your DLP profile created earlier: APIProtectionLab-Profile-{Initials}
Action                                    Delete (In the warning message, select Keep Going)
Notification                              None
Set Policy > Policy Name                  APIProtectionLab-DLP-{Initials}

5. Click Save, then click Apply Changes and Apply to confirm.

Task 2.4 – Validate the policy

You will now validate that your policy is working by uploading APIProtectionLab.docx to your Dropbox instance.

Note: Locate the APIProtectionLab.docx in the APIProtectionLab subfolder of your Lab Files folder. The file type
may appear as Office Open XML Document in Windows Explorer.

1. Navigate to http://www.dropbox.com/ and log in to your training Dropbox account.

2. Open your personal folder named after your Dropbox user.

3. Upload APIProtectionLab.docx to your personal folder of your Dropbox account.

4. Wait a few minutes, refresh your page, and try to click the file. The file will no longer be available.

Note: While it usually takes up to 10 minutes to scan and delete the file, system load and queuing could delay
this for some time.

5. In the Netskope tenant, navigate to Skope IT™ > Application Events.

Note: To navigate back to the main menu, click the Netskope logo in the upper-left corner.

Note: It can take up to 20 minutes for the events to display in Skope IT™ > Application Events.

6. Click Add Filter above the table and select Instance ID from the list.

7. In the Instance ID field, type your Dropbox Instance ID and press Enter.

8. Click View details to the left of any of the new Dropbox events to view more information.

9. In the main menu on the left, navigate to Incidents > DLP.

The event triggered as expected and deleted the file.

Note: The file doesn’t show in Dropbox Deleted files in the user’s interface because the action is performed by
Netskope Active Platform, rather than the user. You can find this information in the activity log by
navigating to Admin console > Activity.

Lab complete

Lab B: Netskope Client
In this lab, you will install and configure the Netskope Directory Importer to import users to the Netskope
tenant. You will then deploy the Netskope Client on your Amazon WorkSpace for use in policies. Users and
groups are managed by the Amazon AD service.

Part 1 – Provision users with Directory Importer

Task 1.1 – Install Directory Importer

1. In your Amazon WorkSpace, open a browser window and log in to the Netskope tenant.

2. Navigate to Settings > Tools > Directory Tools.

3. Under On-prem integration, click Download tools. The download of NSAdapters.msi starts automatically.

4. Run NSAdapters.msi in the Downloads folder.

5. In the Netskope Adapters Setup wizard, leave the Username and Password fields blank.

6. Only select Directory Importer and click Install.

7. Click Yes in any pop-up messages that are displayed, then click Finish to exit the Setup Wizard.

Task 1.2 – Import Active Directory groups and users

1. Double-click the Netskope Adapters Configuration Utility icon on the desktop.

2. Click Yes in any pop-up messages that are displayed.

Note: Check that the OK button is visible at the bottom of the utility window. If it is not, close the utility, increase
the window size of the WorkSpaces client, and run the utility again. If it is not possible to increase the
window size any further, enable the full screen mode through the client menu. Similarly, switch to the full
screen mode if you are accessing your WorkSpace in a web browser.

3. On the Netskope tenant, navigate to Settings > Tools > Directory Tools.

4. Copy the value of User Info Post URL.

5. Paste the URL into the Netskope Adapters Configuration Utility UserInfo URL field.

6. From the Directory Service dropdown menu, select Active Directory.

7. In the Filter Options section, select Groups. A new window is displayed with all available Active Directory
groups.

8. In the Group / Organization field, type group{X}, where {X} is your student number.

9. Select only your group from the list (for example: Student1 = Group1, Student2 = Group2, and so on).

10. Click the button to move your group to the right pane.

Note: Ensure that only YOUR group appears in the right pane. If more than one group is displayed in the right
pane, you must move the excess group(s) back to the left pane BEFORE continuing.

11. Click Apply and then click Close.

12. Click OK.

Note: If you don’t see the OK button, read the note after step 2 and repeat steps 1–12.

13. In the Netskope tenant, navigate to Settings > Security Cloud Platform > Netskope Client > Groups.
Your group should now be available.

Note: It may take a few minutes for your group to display.

14. Click the ellipsis button to the right of your group name and select View Details to verify that your
user is a member.

15. Click Cancel.

Part 2 – Provision the Netskope Client

Task 2.1 – Install the Netskope Client

You will now install the Netskope Client on your Amazon WorkSpace.

1. In your Amazon WorkSpace, open a browser window and navigate to:


https://download.goskope.com/dlr/win/get/

2. Download NSClient.msi.

Note: Do NOT click the downloaded file. If you accidentally start the installer, close it immediately.

3. In the Netskope tenant, navigate to Settings > Security Cloud Platform > Netskope Client > MDM
Distribution.

4. Scroll down to the Create VPN Configuration section and copy the Organization ID (token).

5. In your Amazon WorkSpace, click the Windows Start button, type cmd, then right-click the Command
Prompt search result and select Run as administrator.

6. In the Command Prompt window, type the following command and press Enter:
D:

7. Type the following command (where {X} is your student number), then press Enter:
cd \Users\student{X}\Downloads

8. Run the following command, observing these conventions:
• Replace {token} with the Organization ID value you copied in step 4.
• Replace {tenant FQDN} with the full domain name of your training tenant that you can see in the
browser address bar, for example: academy-training.goskope.com

msiexec.exe /i NSClient.msi token={token} host=addon-{tenant FQDN} mode=peruserconfig

Note: The Netskope Client is installed, its icon appears in the system tray, and its icon changes from gray to blue
and orange after a few seconds.

9. Right-click the Netskope Client icon in the system tray and click Configuration.

10. If you see a link to update the configuration, please do so.

Note: Both the Client Configuration and Steering Configuration should display Default tenant config.

Task 2.2 – Verify that the Netskope Client is tunnelling traffic

1. Open a browser window and navigate to www.pastebin.com.

2. Click the padlock button to the left of the website URL in the browser address bar and then click
Connection is secure.

3. Ensure the web site certificate is signed by Netskope. This means that Netskope is intercepting the traffic.

Note: The steps and screenshots above are specific to Mozilla Firefox. Each browser presents site certificate
information differently.

4. Scroll down the page and click Create New Paste.

5. Confirm that the block page notification is displayed.

6. In the tenant portal, navigate to Skope IT™ > Application Events.

7. Click Add filter and select User.

8. In the User field, type the following (where {X} is your student number):
student{X}

9. Select the matching student name from the list.

10. Look for your corresponding event.

11. Click View details next to your event to review the details.

Note: This verifies that the Pastebin application is being steered through Netskope and events are being
recorded.

Part 3 – Configure policy actions based on device classification

For the next section, you will be working with the following scenario: In order to protect sensitive GDPR data,
all GDPR data downloaded by managed devices will receive a GDPR user alert. All GDPR data downloaded
by unmanaged devices will receive a GDPR block page.

To fulfil this need, you will use two Netskope features:

• A real-time protection policy with a DLP profile will be used to detect the GDPR data.
• Device classification will be used to determine the managed devices that have the rights to download
GDPR data.

Task 3.1 – Examine device classification

You will use device classification rules to determine a managed device.

1. In the Netskope tenant, navigate to Settings > Manage > Device Classification.

2. Click the Managed Check device classification rule to view its settings.

The rule checks for the presence of a C:\Users\NetskopeManaged.txt file. If the Netskope Client detects
the file, it will classify the device as “managed.” Your instructor has created this file in advance on your
Amazon WorkSpace.

3. Click Cancel.

Note: Do not change the device classification rules.

4. Right-click the Netskope Client in the taskbar of your Amazon WorkSpace and select Configuration.

5. If your client requires an update, click the blue link provided.

6. As displayed in the screenshot above, confirm that the status in the Device Classification field says
managed.

Note: Until the Device Classification status displays managed, do not continue to the next task. If the problem
persists, restart the Netskope Client Service from Windows Services.

Task 3.2 – Create a real-time protection DLP policy to alert users of managed devices

1. Navigate to Policies > Real-time Protection.

2. Click New Policy > DLP.

Note: If the DLP option is not visible, scroll down in the drop-down menu.

3. Complete the policy wizard using the following information:

Field                             Value
Source > User                     Your Student{X} user
Source > Add Criteria             Device Classifications = Managed
Destination > Category            Application = Dropbox
Destination > Activities          Download
Profile & Action > DLP Profile    EU General Data Protection Regulation (GDPR) (predefined)
Profile & Action > Action         User Alert
Profile & Action > Template       Default Template
Policy Name                       Student{X}-GDPR-Managed
Group                             Students
Status                            Enabled

4. Click Save in the top-right corner.

5. In the Policy Position window, select To the bottom for Position Inside Group, then click Save again.

Note: The preceding policy will allow managed devices to continue with the download.

Task 3.3 – Create a real-time protection DLP policy to block downloads to unmanaged devices

1. Click New Policy > DLP.

2. Complete the policy wizard using the following information:

Field                             Value
Source > User                     Your Student{X} user
Source > Add Criteria             Device Classifications = Unmanaged
Destination > Category            Application = Dropbox
Destination > Activities          Download
Profile & Action > DLP Profile    DLP Profile = EU General Data Protection Regulation (GDPR) (predefined)
Profile & Action > Action         Action = Block
Profile & Action > Template       Default Template
Policy Name                       Student{X}-GDPR-Unmanaged
Group                             Students
Status                            Enabled

3. Click Save.

4. In the Policy Position window, select To the bottom for Position Inside Group, then click Save again.

5. Click Apply Changes and click Apply to confirm.

Task 3.4 – Verify the policies

1. Locate the Hilton document.doc file in the Misc\GDPR subfolder of your Lab Files extracted from the lab
files zip archive.

2. Upload the Hilton document.doc from your Amazon WorkSpace to your training Dropbox account.
This should be allowed.

3. Attempt to download the Hilton document.doc file from your Dropbox account to your Amazon
WorkSpace.
You will see a message like the one in the following image. Enter something unique for the justification text
— something that you will be able to find later, such as including your last name or an uncommon word in
the explanation text.

Note: You are provided with a Proceed button because you are using a managed device. If your client pop-up is
not similar to the preceding example, or if you are unable to enter justification text, please ask your
instructor for assistance.

4. Click Proceed to begin downloading the file.

5. Delete or rename the file C:\Users\NetskopeManaged.txt within your Amazon WorkSpace.

Note: If you don’t see the C: drive in File Explorer, type C: in the address bar and press Enter.

6. Restart the Netskope Client Service from the Windows Services applet.

7. After the service restarts, right-click the Netskope client in the taskbar and select Configuration.

Note: If your client requires an update, click the blue link provided.

8. Confirm that the status in the Device Classification field says unmanaged.

Note: Until the Device Classification status displays unmanaged, do not continue to the next step. If the
managed classification persists, restart the Netskope Client Service from Windows Services one more
time.

9. Attempt to download the Hilton document.doc file from your Dropbox account.
You will see a message like the one in the following image.

Note: If your client pop-up is not like the preceding example, please ask your instructor for assistance.

10. Sign out of your Dropbox account.

Part 4 – Restrict activities based on the login user

In this section, you will use a constraint to enforce the use of the sanctioned Dropbox account only and
block access to users’ personal Dropbox accounts.

Task 4.1 – Configure a user constraint profile

1. In your Netskope tenant, navigate to Policies > Profiles > Constraint.

2. Under Users, click New user constraint profile.

3. In the Constraint profile name field, type: Dropbox-{Initials}

4. Under Users, select Does not match.

5. Type: *@netskope.com

6. Click Save and Apply Changes, then click Apply to confirm.

Task 4.2 – Create a cloud app access policy with a constraint on login usernames

1. Navigate to Policies > Real-time Protection.

2. Click New Policy > Cloud App Access.

3. Complete the policy wizard using the following information:

Source > User                 Your Student{X} user
Destination                   Application = Dropbox
Destination > Activities      Activities = Login Attempt
Add Criteria & Constraints    Activity Constraints > From User = Dropbox-{Initials}
Profile & Action              Action = Block
                              Template = Default Template
Policy Name                   Student{X}-Dropbox
Group                         Students
Status                        Enabled

Note: Ensure you select your constraint profile from the list.

4. Click Save.

5. In the Policy Position window, select To the bottom for Position Inside Group, then click Save again.

6. Click Apply Changes, then click Apply to confirm.

Task 4.3 – Verify the constraint

1. Attempt to log in to your Dropbox account from your Amazon WorkSpace.


You should see a block page.

2. Navigate to Skope IT™ > Alerts.

3. Click View details next to your alert to investigate further.

Task 4.4 – Modify the constraint to allow yourself access

1. In the Netskope tenant, navigate to Policies > Profiles > Constraint.

2. Click the name of your constraint: Dropbox-{initials}.

3. Click Add another to add a second condition.

4. Select Does not match and type the email you used to register your training Dropbox account.

5. Click Save.

6. Click Apply Changes and then click Apply to confirm.

7. Try again to log in to your training Dropbox account. This time you should succeed.

Lab complete

Lab C: SaaS threat protection
In this lab, you will enable threat protection for the application instances registered for API-enabled protection.

Note: Remember that API-enabled protection is an out-of-band protection for data at rest.

Part 1 – Enable API-enabled threat protection for your Dropbox instance

Task 1.1 – Enable quarantine settings

1. Navigate to Policies > Profiles > Quarantine.

2. Click the profile name to examine it.

3. Append your Dropbox instance’s email account to the Notification emails list, after a comma.

Note: The profile determines where the quarantine action will move malware to and what it will replace the
original file with (the tombstone file). The quarantine folder location and threat protection tombstone text
can be customized.

4. Click Save and Apply Changes, then click Apply to confirm.

Task 1.2 – Enable malware detection for your Dropbox instance

1. Navigate to Settings > Configure App Access > Classic and verify that the SaaS tab is selected.

2. Select the Dropbox icon and click the name of your Dropbox-{initials} instance in the list.

3. Under Instance type, select the Malware option if it is not already selected.

4. Click Save.

5. Navigate to Settings > Threat Protection > API-enabled Protection.

6. Inspect the Settings tile at the top of the page.

Note: The tenant has already been configured to quarantine malware.

Task 1.3 – Verify threat protection settings by uploading a sample malware file

1. Browse to https://www.dropbox.com/ from your Amazon WorkSpace.

2. Log in with your training Dropbox account credentials.

Note: If you are blocked by the Netskope client, make sure you successfully completed Task 4.4 of the previous
lab.

3. Open your personal folder in your Dropbox account.

4. Upload the malware test file High_Severity_Heuristic_Sandbox_Threat.docx located in the
ThreatProtectionLab folder in your lab files to your personal folder of your Dropbox account.

5. Wait 2 to 3 minutes.

6. Select the uploaded file, then click the ellipsis menu and select Activity > Version history.

7. Notice that the API app has replaced the file with a much smaller version.

8. Click the current version of the file. Dropbox preview will tell you that this is not a .docx file anymore.

9. Click Download.

10. Open the downloaded file in a text editor.

You should see a quarantine message similar to the preceding screenshot depending on how your
instructor configured the quarantine message.

Note: The instructor’s Dropbox account hosts the quarantine folder; therefore, the original file will be placed there
rather than in your Dropbox account. The following screenshot illustrates how such a file might look if you
had access to the quarantine folder.

Task 1.4 – Examine malware alerts and incidents

1. In your Netskope tenant, navigate to Skope IT™ > Alerts.

2. Click Add filter and select User.

3. In the user field type the email address of your Dropbox user and press Enter.

Notice that the quarantine action belongs to the policy alert type and doesn’t belong to the Malware alert
type.

4. Click View details next to an alert to view more details.

5. Navigate to Incidents > Malware to examine the malware detection statistics.

6. Click High_Severity_Heuristic_Sandbox_Threat.docx in the Files table.

Note: In the following screenshot, the Detection Engine section displays options for results detected by
Netskope engines.

7. Click Netskope Cloud Sandbox and examine the additional details provided.

Part 2 – Configure a real-time threat protection policy with hash-based allowlists and blocklists

In this part, you will calculate hashes of an unwanted file and a benign file, add the hashes to two separate
file profiles, and use these profiles as a blocklist and an allowlist in the real-time protection policy configured
for malware detection.

Task 2.1 – Calculate hashes of the lab sample files

You will use Windows PowerShell to calculate the file hashes for both the unwanted file nc.exe and the benign
file Allowlist.txt.

Outside this class, if you want to calculate file hashes on a Mac, use the shasum command from the Terminal:
shasum -a 256 nc.exe

1. In your Amazon WorkSpace, use File Explorer to navigate to your Labfiles\ThreatProtectionLab folder.

2. Click in the address bar of File Explorer, then type the following and press Enter:
powershell

A new Windows PowerShell window opens with the ThreatProtectionLab folder as the current folder.

3. Run the following command to calculate the SHA256 hash of the unwanted file nc.exe:
Get-FileHash nc.exe | Format-List

4. Run the following command to calculate the SHA256 hash of the benign file Allowlist.txt:
Get-FileHash Allowlist.txt | Format-List

Note: DO NOT CLOSE the PowerShell window because you will need to copy both hashes in the next task.

Task 2.2 – Create file profiles with an allowlist and a blocklist

Next, you will create two file profiles to be used as an allowlist and blocklist, respectively, and populate them
with the calculated hashes.

1. In your Netskope tenant, navigate to Policies > Profiles > File and click New File Profile.

2. Under File attributes, select File Hash.

3. Click Add file hash by type and select SHA256.

4. Copy the Allowlist.txt hash from the PowerShell window and paste it into the SHA256 text field, then click
Next.

5. Name your file profile ThreatProtection-AllowList-{initials} and click Save.

6. Repeat steps 1–5 for the nc.exe file hash, and create a blocklist profile with the following name and
SHA256 hash value:
ThreatProtection-BlockList-{initials}

7. Click Apply Changes and click Apply to confirm. You should now have the following:

Task 2.3 – Create a threat protection profile

1. Navigate to Policies > Profiles > Threat Protection, then click New Malware Detection Profile.

2. Under Threat Scan, Default Malware Scan is always enabled. Click Next.

3. Under Allowlist, select your ThreatProtection-AllowList-{Initials} profile from the list and click Next.

4. Under Blocklist, select your ThreatProtection-BlockList-{Initials} profile from the list and click Next.

5. Name your malware detection profile ThreatProtection-Malware-{Initials} and click Save Malware
Detection Profile.

6. Click Apply Changes, then click Apply to confirm.

Task 2.4 – Create a real-time threat protection policy

You will now create a policy which blocks uploading or downloading the nc.exe Trojan using the Dropbox
application.

1. Navigate to Policies > Real-time Protection.

2. Click New Policy > Threat Protection.

Note: Scroll down in the drop-down menu to find the Threat Protection option.

3. Complete the policy wizard using the following information:


| Field | Value |
| --- | --- |
| Source > User | Your Student{X} user |
| Destination > Category | Application = Dropbox |
| Destination > Activities | Activities = Download, Upload |
| Profile & Action | Threat Protection Profile = your profile ThreatProtection-Malware-{Initials} |
| Profile & Action > Severity-based actions | Low Severity Block: Default Malware Template, Remediation: none |
| | Medium Severity Block: Default Malware Template, Remediation: none |
| | High Severity Block: Default Malware Template, Remediation: none |
| Policy Name | ThreatProtection-Malware-{Initials} |
| Group | Students |
| Status | Enabled |

4. Click Save.

5. In the Policy Position window, select To the top for Position Inside Group, then click Save again.

6. Click Apply Changes and Apply to confirm.

Task 2.5 – Verify the policy with the allowlist and blocklist

Note: Wait about 30-60 seconds to let the new policy take effect. Alternatively, you can force the client to
download the policy by right-clicking the Netskope icon in the system tray and selecting Configuration.

1. From your Amazon WorkSpace, navigate to http://www.dropbox.com and log into your training account.

2. Attempt to upload nc.exe to your training Dropbox account.

You should see a message from the Netskope Client stating that the action was blocked.

3. Attempt to upload Allowlist.txt to your training Dropbox account. This should be allowed. No block page
should be displayed.

4. In your Netskope tenant, navigate to Skope IT™ > Alerts.

5. Click Add filter and select Alert Type.

6. Click the Alert Type drop-down list, select Malware and Policy, and click Apply.

7. Click Add filter and select User.

8. Click the User field and start typing your WorkSpace username (for example:
student1@netskopetraining.com), then select the username from the list.
You should see alerts related to your attempt to upload a blocklisted file.

9. Click View details to inspect the alerts.
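
The hash handling from Tasks 2.1 and 2.2, as an added Python example that is not part of the lab guide or Netskope's code: it normalizes hashes pasted from Get-FileHash or shasum, rejects a hash that sits in both lists, and shows that a list entry matches one exact byte sequence only. The file contents and all function names are constructed for illustration.

```python
import hashlib
import io
import re

# Exactly 64 hex digits, not embedded in a longer run of hex digits.
_HEX64 = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def sha256_stream(stream, chunk_size=65536):
    """Hash a binary stream in chunks so a large file is never held in memory whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data):
    return sha256_stream(io.BytesIO(data))


def sha256_file(path):
    with open(path, "rb") as handle:
        return sha256_stream(handle)


def normalize_hash(pasted):
    """Pull one SHA-256 value out of pasted tool output and lower-case it.

    A truncated or doubled paste raises instead of silently creating a
    list entry that can never match.
    """
    found = _HEX64.findall(pasted)
    if len(found) != 1:
        raise ValueError("expected exactly one 64-digit SHA-256 value, found %d" % len(found))
    return found[0].lower()


def build_lists(allow_pasted, block_pasted):
    """Return (allow, block) sets; the same hash in both is a configuration error."""
    allow = {normalize_hash(text) for text in allow_pasted}
    block = {normalize_hash(text) for text in block_pasted}
    both = allow & block
    if both:
        raise ValueError("hash present in both lists: " + ", ".join(sorted(both)))
    return allow, block


def classify(file_hash, allow, block):
    if file_hash in block:
        return "blocklisted"
    if file_hash in allow:
        return "allowlisted"
    return "unlisted"  # neither list applies; the file is left to the malware scan


# Constructed stand-ins for the lab files; the real nc.exe and Allowlist.txt are not reproduced.
UNWANTED = b"constructed stand-in for nc.exe\n"
BENIGN = b"constructed stand-in for Allowlist.txt\n"


def demo():
    # Pasted the way each tool prints it: Get-FileHash | Format-List output is
    # labelled and upper case, shasum output is lower case followed by the file name.
    from_powershell = "Algorithm : SHA256\nHash      : " + sha256_bytes(UNWANTED).upper()
    from_shasum = sha256_bytes(BENIGN) + "  Allowlist.txt"
    allow, block = build_lists([from_shasum], [from_powershell])
    uploads = {
        "nc.exe": UNWANTED,
        "Allowlist.txt": BENIGN,
        # Any change to the bytes gives a new hash, so this copy is on neither list.
        "nc-rebuilt.exe": UNWANTED + b"\x00",
    }
    return {name: classify(sha256_bytes(data), allow, block) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The unlisted result for the rebuilt copy is why the profile in Task 2.3 keeps Default Malware Scan enabled alongside the hash lists.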

Lab complete

Lab D: Netskope Advanced Analytics
This lab will familiarize you with report options in Advanced Analytics to create and customize reports. You can
create different reports depending on who is viewing the reports.

During this lab, you will complete the following tasks:


• Create a new report in Advanced Analytics.
• Add different reporting widgets to your report.

Estimated time: 35 minutes.

Task 1.1 – Create a new report

1. Navigate to Advanced Analytics > Folders > Personal.

Note: Make sure you create the Advanced Analytics reports in your Personal folder because each report requires
a unique name.

2. Click the New dropdown menu and select New Report.

3. Click Edit Dashboard.

4. Name the report CCL Low and Poor.

Task 1.2 – Add a single value widget

1. Click Add, then select Visualization. (You can also click Add right above the report name to add a new
widget.)

2. Under Choose an Explore, click Application Events.

3. Expand the Filters section and change the Event Date to 30 days.

4. In the left menu, expand Application Events and then expand Application.

5. Find the CCL attribute and click Filter by field to the right of CCL.

Note: Do NOT click the attribute itself, only the Filter by field icon.

6. Click the value field in the Application Events CCL filter and wait until the dropdown menu is populated
with CCL values.

7. Select low and poor.

The Application Events CCL filter is now set to is equal to, and the parameters are set to low and poor.

8. In the left menu, scroll down to Measures, then click the # Applications line. The selected measure will
appear under the Data section.

9. In the Visualization section, select the Single Value option. The icon should change from gray to white.

10. Rename the widget CCL Low and Poor, then click Save.

Note: After a few moments, the widget will calculate and display the number of low and poor CCL application
events in your tenant.

11. Click Save again to save the report.

Note: The report title showing in the breadcrumb trail (Reports > Folders > Personal) does not change from
New Report 1 to CCL Low and Poor until you click out of report mode and then navigate back to your
report.

Task 1.3 – Add a graph widget

1. Click Dashboard actions in the top right and select Edit dashboard.

2. Hover over the CCL Low and Poor widget and click Widget actions when it appears, then select
Duplicate widget.

3. Hover over the duplicated widget, click Widget actions and select Edit.

4. Rename the widget CCL Graph.

5. Expand the Data section, then click the gear icon and select Remove to switch off the # Applications
measure. It will be removed from the Data section.

6. In the left menu, navigate to Application Events > Application, then click Application. The selected
dimension will appear under the Data section.

7. Click Run. A list of applications should be displayed in the Data Results section.

8. In the Visualization section, select Bar. Since this chart requires more than one dimension, you’ll need to
add another field to display a dimensional graph.

9. In the left menu, scroll down to Measures, then click # Events. The selected measure will appear in the
Data section.

10. Click Run to run the report again. After a few moments, the Visualization section will update with the bar
graph.

11. Click Save in the upper right to save the new widget.

12. Hover over the CCL Graph widget until you see the Hold and drag to reorder option in the upper left.
Place your mouse over this option, and your cursor turns into a four-way arrow. Rearrange the widgets in
your report.

Task 1.4 – Add a pivot graph widget

1. Click Widget actions on the CCL Graph widget, then select Duplicate widget.

2. Click Widget actions on the duplicated widget and select Edit.

3. Rename the widget: CCL Activity Pivot

4. Expand the Data section, then click the gear icon in the Application Events Application column and
select Remove to switch off this dimension.

5. In the left menu, navigate to Application Events > General.

6. Click Activity, then click the Filter by field next to it. The selected dimension will appear in both the Data
and Filters sections.

7. Click Run. A list and count of activities should be displayed in the Data Results table. However, you’ll need
to exclude the general Browse count from the activities.

8. In the Filters section, change the Application Events Activity to is not equal to and select Browse.

9. Click Run in the upper right.

10. You can add a pivot to the table as well. Under Application Events > General, click Pivot data next
to Activity. Granular columns for specific event activities will be displayed under the Data section.

11. Click Run.

12. To make the data more readable, change the Visualization from Bar to Column format.

Note: The legend may not appear until after you save this widget.

13. Click Save in the upper right to save the new widget.

14. Use the Hold and drag to reorder option in the upper right of the widget to move the newest widget
next to CCL Graph.

15. Click Save to save your changes to the report before continuing to the next task.

Task 1.5 – Add a Sankey widget

1. Click Dashboard actions and select Edit dashboard.

2. Click Widget actions on the CCL Low and Poor widget, then select Duplicate widget.

3. Grab the resize handle in the lower right of the duplicated widget and stretch it to the full width of the
dashboard canvas.

4. Click Widget actions on the CCL Low and Poor (Copy) widget and select Edit.

5. Rename the widget: Flow

6. Add the following dimensions from the left menu:


• Application Events > Application > Application
• Application Events > User > User

• Application Events > Destination > Destination Country

7. Under Application Events > General, click the Filter by field icon next to Activity, but do NOT select the
Activity dimension itself (it should NOT appear in the data table).

8. Under the Filters section, for Application Events Activity is equal to, select Download.

9. In the Visualization section, click the ellipsis and select Sankey in the dropdown menu.

10. Click Run in the upper right to update the Sankey.

11. In the Data section, click and hold the Application Events User field and drag it to the left of the
Application Events Application column. This makes the data in the Sankey more readable.

12. Click Run to update the graph.

13. Click Save to commit all edits on this widget, then click Save again to save the changes to the report.

Lab complete

Lab E: IaaS – Block bucket uploads

Note: Python version 3.9 and all other requirements for this lab are already installed on your Amazon
WorkSpace.

Estimated time: 30 minutes

Part 1 – Create a policy to restrict uploads to a specific S3 bucket

Task 1.1 – Create a storage constraint for your S3 bucket

You will create a constraint using the Does not match option to detect uploads to any bucket other than your
own. Next, you will add this constraint to a real-time protection policy to block such uploads.

1. In your Netskope tenant, navigate to Policies > Profiles > Constraint.

2. Select the Storage tab and click New Storage Constraint Profile.

3. Name the profile Not-Student{X}, where {X} is your student number.

Note: If you are student1, you will block every bucket that does not match student1.

4. Under Match type, click Does Not Match and Select by Buckets.

5. Select the nscoa{X} bucket from the list, where {X} is your student number.

6. Click Save Constraint Profile to save changes.

7. Click Apply Changes.

8. In the confirmation message, click Apply to confirm.

Task 1.2 – Create a policy with a storage constraint

1. Navigate to Policies > Real-time Protection.

2. Click New Policy > Cloud App Access.

3. Complete the policy wizard with the following information:


| Field | Value |
| --- | --- |
| Source | User: Your Student{X} user |
| Destination | Application = Amazon S3 |
| Destination > Activities | Activities = Upload |
| Add Criteria & Constraints | Activity Constraints > To Storage = Not-Student{X} |
| Profile & Action | Action = Block; Template = Block S3 |
| Policy Name | Not-Student{X}-S3 |
| Group | Students |
| Status | Enabled |

4. Click Save.

5. In the Policy Position window, select To the top for Position In Group, then click Save again.

6. Click Apply Changes and click Apply to confirm.

Part 2 – Test uploading a file to different S3 buckets

You will now attempt to upload a file to your S3 bucket and then to another student’s S3 bucket.

1. In your Amazon WorkSpace, open File Explorer and navigate to the Labfiles\IaaSLab folder.

2. Click in File Explorer’s address bar, then type the following command and press Enter:
cmd

3. In the new command prompt window that opens in the current folder, type the following command:
s3upload.py -h

The script needs a -b option, which is the bucket number from 1–N, where N is the total number of students.

4. Run the script again, this time testing uploads to your S3 bucket.
s3upload.py -b {your student number}

Note: If your username is student4@..., the command is: s3upload.py -b 4

5. Run the script again, this time choosing another student’s S3 bucket.
s3upload.py -b {another student’s number}

Uploading to another student’s S3 bucket is denied.

6. Examine Skope IT™ > Alerts.
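
A model of the Does Not Match constraint from Part 1, as an added Python example that is not the lab's s3upload.py or Netskope's implementation: it extracts the bucket from both S3 URL styles and applies the constraint by exact bucket name. The URLs, the region, and the class and function names are constructed assumptions.

```python
from urllib.parse import urlsplit


def bucket_from_url(url):
    """Return the bucket an S3 request targets, or None if the URL is not S3.

    Virtual-hosted style: https://<bucket>.s3.<region>.amazonaws.com/<key>
    Path style:           https://s3.<region>.amazonaws.com/<bucket>/<key>
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(".amazonaws.com"):
        return None
    labels = host.split(".")
    s3_index = None
    # Search from the right so a bucket whose own name contains "s3" is not mistaken
    # for the service label.
    for index in range(len(labels) - 1, -1, -1):
        if labels[index] == "s3" or labels[index].startswith("s3-"):
            s3_index = index
            break
    if s3_index is None:
        return None
    if s3_index > 0:
        return ".".join(labels[:s3_index])
    segments = [segment for segment in parts.path.split("/") if segment]
    return segments[0] if segments else None


class StorageConstraint:
    """Hypothetical stand-in for a storage constraint profile selected by buckets."""

    def __init__(self, match_type, buckets):
        if match_type not in ("match", "does_not_match"):
            raise ValueError("match_type must be 'match' or 'does_not_match'")
        self.match_type = match_type
        self.buckets = frozenset(buckets)

    def applies_to(self, bucket):
        listed = bucket in self.buckets  # exact name, never a prefix comparison
        return listed if self.match_type == "match" else not listed


def evaluate_upload(url, constraint):
    """Model of a Block policy on Upload to Amazon S3 with a To Storage constraint."""
    bucket = bucket_from_url(url)
    if bucket is None:
        return "not-s3"  # the policy's destination application does not apply
    return "block" if constraint.applies_to(bucket) else "allow"


def demo(student_number=4):
    own = "nscoa%d" % student_number
    constraint = StorageConstraint("does_not_match", [own])  # the Not-Student{X} profile
    # Constructed request URLs; the region is an assumption.
    urls = [
        "https://%s.s3.us-east-1.amazonaws.com/test.txt" % own,
        "https://s3.us-east-1.amazonaws.com/nscoa7/test.txt",
        "https://%s1.s3.amazonaws.com/test.txt" % own,
        "https://example.com/%s/test.txt" % own,
    ]
    return [(bucket_from_url(url), evaluate_upload(url, constraint)) for url in urls]


if __name__ == "__main__":
    for bucket, verdict in demo():
        print(bucket, "->", verdict)
```

For student 4, the bucket nscoa41 is blocked even though its name starts with nscoa4, which is the behaviour an exact-name constraint should have.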

Lab complete

Lab F: SSL decryption bypass
During this lab, you will complete the following tasks:

• Block web uploads to selected URLs.


• Bypass SSL inspection for selected URLs.

Part 1 – Block web uploads to selected URLs

You will start by ensuring you can identify and block file uploads over HTTPS to a specific web domain.

Task 1.1 – Create a URL list

1. In your Amazon WorkSpace, locate the Netskope client icon in your taskbar and verify it is enabled.

2. In the Netskope tenant, navigate to Policies > Profiles > Web.

3. Select the URL lists tab, then click New URL list.

4. In the URL list name field, enter Student{X}-Bypass where {X} is your student number.

5. In the URLs field, enter:


netskopetraining.co.uk
www.netskopetraining.co.uk

6. Click Save, click Apply changes, then click Apply to confirm.

Task 1.2 – Create a custom category

1. Select the Custom categories tab, then click New custom category.

2. Name the custom category Student{X}-Bypass.

3. Click in the URL List (Include) field, then select your Student{X}-Bypass list.

4. Click Save, then Apply Changes, and Apply to confirm.

Task 1.3 – Create a real-time protection policy

1. Navigate to Policies > Real-time Protection.

2. In the New Policy dropdown menu, select Web Access.

3. Complete the policy wizard with the following information:

| Field | Value |
| --- | --- |
| Source | User: Your Student{X} user |
| Destination | Category = Student{X}-Bypass |
| Destination > Activities | Activities = Upload |
| Profile & Action | Action = Block; Template = Default Template |
| Policy Name | Student{X}-SSLDecrypt (where X is your student number) |
| Group | Students |
| Status | Enabled |

4. Click Save.

5. For Policy Position, select To the bottom for Position Inside Group, then click Save again.

6. Click Apply changes, then click Apply to confirm.

Task 1.4 – Verify SSL inspection

1. In your Amazon WorkSpace, navigate to https://www.netskopetraining.co.uk/posttest.php.

2. In your browser, verify that you are securely connected to the site, then validate that the SSL certificate is
verified by or issued by Netskope or the Netskope tenant name.

3. Click Choose File and select a random file and attempt to upload it to the website.

4. Click Upload. Your upload attempt should be blocked by the real-time protection policy.

Part 2 – Bypass SSL inspection for selected URLs

You will bypass SSL decryption for netskopetraining.co.uk using an SSL Decryption policy.

Task 2.1 – Create an SSL decryption policy

1. In your Netskope tenant, navigate to Policies > SSL Decryption.

2. Click Add policy.

3. In the Add criteria dropdown menu, select Category.

4. Click in the box and enter student, then select Student{X}-Bypass where {X} is your student number.

5. Press Escape on your keyboard or click on any white space within the page.

6. In the Add criteria dropdown menu, select User.

7. Click in the box and enter student{X}, where {X} is your student number, then select your username from
the list.

8. Press Escape on your keyboard.

9. Select Do Not Decrypt as the Action.

10. Enter Student{X}-SSLDecrypt for the Set Policy name where {X} is your student number.

11. Toggle the Status to Enabled and click Save.

12. Click Apply changes, then click Apply to confirm.

Task 2.2 – Validate your SSL decryption policy

Validate that SSL decryption is bypassed for this domain and that the real-time protection policy is no longer
triggered. Because the traffic is no longer diverted for decryption and deep analysis, the user’s activity cannot
be identified.

1. In your Amazon WorkSpace ensure your Netskope client configuration is up to date.

2. Navigate to https://www.netskopetraining.co.uk/posttest.php.

3. In your browser, validate that the SSL certificate is no longer verified by or issued by Netskope or the
Netskope tenant name.

4. Select a random file and attempt to upload it to the website. Your upload should be permitted.

5. Navigate to Skope IT > Events & Alerts > Page Events to view the details of the SSL bypass policy
match.
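
One way to script the certificate check from Task 1.4 and Task 2.2, as an added Python example (not Netskope tooling): it classifies a connection as decrypted or bypassed from the issuer of the certificate the client receives. The sample certificates, the tenant marker constructed-tenant and all function names are constructed assumptions.

```python
import socket
import ssl
import sys

ISSUER_KEYS = ("organizationName", "organizationalUnitName", "commonName")


def fetch_peer_cert(host, port=443, timeout=10):
    """Return the leaf certificate in the dict form produced by ssl.getpeercert().

    The default context verifies the chain; getpeercert() returns an empty dict
    for an unverified peer, which inspection_state() rejects.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_fields(cert):
    """Flatten the nested issuer tuples into {'organizationName': ..., ...}."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields


def inspection_state(cert, markers):
    """Return 'decrypted' if the issuer names the inspecting CA, else 'bypassed'.

    Only the issuer is searched: the subject of the lab site itself contains
    'netskope', so matching on the subject would always report 'decrypted'.
    """
    wanted = [marker.lower() for marker in markers if marker]
    if not wanted:
        raise ValueError("at least one issuer marker is required")
    issuer = issuer_fields(cert)
    if not issuer:
        raise ValueError("no issuer in certificate; it must come from a verified handshake")
    text = " ".join(issuer.get(key, "") for key in ISSUER_KEYS).lower()
    return "decrypted" if any(marker in text for marker in wanted) else "bypassed"


def bypass_took_effect(before, after, markers):
    """True when the certificate seen before the Do Not Decrypt policy was issued
    by the inspecting CA and the one seen afterwards was not."""
    states = (inspection_state(before, markers), inspection_state(after, markers))
    return states == ("decrypted", "bypassed")


# Constructed certificates in getpeercert() form; issuer names are placeholders.
SUBJECT = ((("commonName", "www.netskopetraining.co.uk"),),)
CERT_DECRYPTED = {
    "subject": SUBJECT,
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Netskope Inc"),),
        (("commonName", "constructed-tenant CA"),),
    ),
}
CERT_BYPASSED = {
    "subject": SUBJECT,
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Constructed Public CA"),),
        (("commonName", "Constructed Public CA R1"),),
    ),
}
MARKERS = ("netskope", "constructed-tenant")


if __name__ == "__main__":
    # Live check: python check_issuer.py <host> [tenant-name]
    target = sys.argv[1] if len(sys.argv) > 1 else "www.netskopetraining.co.uk"
    live_markers = ["netskope"] + sys.argv[2:]
    print(target, inspection_state(fetch_peer_cert(target), live_markers))
```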

Lab complete

Lab G: Web Security
In this lab, you will use Netskope Secure Web Gateway to block gambling sites for specific users.

Task 1.1 – Create a web access policy

1. In your Netskope tenant, navigate to Policies > Real-time Protection.

2. Click New Policy > Web Access.

3. Complete the policy wizard using the following options:

| Field | Value |
| --- | --- |
| Source > User | Select only your user |
| Destination > Category | Category = Gambling, Games |
| Destination > Activities | Browse |
| Profile & Action > Action | Block |
| Profile & Action > Template | Web – Block Page |
| Policy Name | NSWG-Student{X} |
| Group | Students |
| Status | Enabled |

4. Click Save.

5. In the Policy Position window, select To the top for Position Inside Group, then click Save again.

6. Click Apply Changes, then click Apply.

Task 1.2 – Enable and update the Netskope Client

1. In your Amazon WorkSpace, ensure your Netskope client is enabled.

2. Right-click the client icon and select Configuration.

Note: Update your Netskope Client configuration if prompted.

Task 1.3 – Validate the policy

1. In your Amazon WorkSpace, open a new tab in your web browser and perform an internet search for:
gambling and game sites

2. When the search results are displayed, click a link to a gambling or game web site.
The Netskope client blocks the gambling or game web site connection.

3. From the web browser’s address bar on the blocked page, copy the main part of the gambling or game
site’s URL.

4. Switch to the web browser tab where the Netskope tenant UI is loaded and navigate to Policies > Profiles
> Web.

5. Click the URL Lookup tab.

6. In the Search URL field, paste the URL of the gambling/game web site you copied earlier, and press Enter.

The URL Lookup service displays the Netskope category classification(s) and type for the URL, as well as
the name and type of the policy that blocked the URL.

7. Navigate to Skope IT™ > Alerts.

8. Customize the Alerts table by adding the URL column so you can see exactly which gambling/game web
site was blocked.

Lab complete

Lab H: Netskope Cloud Firewall
This lab introduces you to Netskope Cloud Firewall (CFW). During this lab, you will complete the following
tasks:
• Configure the default action for non-web traffic.
• Create a new steering configuration to manage all traffic.
• Test non-HTTP(S) traffic forwarded to Netskope Cloud Firewall and verify that network events are
generated.
• Configure Firewall App Definitions for selected non-web apps and create CFW policies.
• Test non-HTTP(S) traffic forwarded to Netskope Cloud Firewall with CFW policies configured and verify the
network events generated.
• Create an Advanced Analytics report for CFW activities.

Estimated time: 30 minutes

Part 1 – Configure the default action for non-web traffic

The Non-Web traffic setting allows or blocks traffic when a user tries to access any resource using a protocol
other than HTTP or HTTPS. In this section, you will select Block for the Default Action for Non-Web Traffic
setting. Since this is a per-tenant configuration, you can complete this only if another student has not already
set this configuration.

Note: Best practice when deploying Netskope CFW is to first set the Default Action for Non-Web Traffic setting to
Allow. This allows the Netskope tenant to discover the non-web traffic before an organization decides what
risky non-web traffic to block.

1. In your Netskope tenant, navigate to Policies > Real-time Protection.

2. At the bottom of the Policies table, verify that Default Action: Non-Web traffic is set to Block.

3. If the Default Action for Non-Web traffic is set to Allow, then change the action to Block using the edit
icon and click Save and Apply.

Part 2 – Create a new steering configuration to manage all traffic

Task 2.1 – Create a custom steering configuration

In this task, you will clone the Default tenant config and create a steering configuration specifically for your
group. You can create different steering configurations per group or per Organization Unit (OU).

1. Navigate to Settings > Security Cloud Platform > Traffic Steering > Steering Configuration.

2. To the right of the Default tenant config, click the ellipsis menu and select Clone.

3. If the Apply To pop-up window appears, select User Group and click Save.

Note: What steering configurations apply to is also a per-tenant setting. If somebody else has set it, you won’t
see the request. Instead, you will see the indication of what the configurations apply to above the list of
configurations.

4. Name the new configuration Group{X} config, where {X} is your student number.

5. From the User Group drop-down list, select your Group{X}, where {X} is your student number.

6. Under What kind of traffic do you want to steer to Netskope? (and below the warning message), select All
Traffic.

7. Ensure the Status is Enabled and click Save.

Task 2.2 – Update the Netskope Client

You will need to force an update of your Netskope Client to receive the steering configuration change you
made. To make this update, use the command line interface instead of the Netskope Client configuration.

1. In your Amazon WorkSpace, right-click the Windows Start menu icon and select Command Prompt
(Admin), then click Yes in the security warning.

2. Navigate to C:\Program Files (x86)\Netskope\STAgent


cd "C:\Program Files (x86)\Netskope\STAgent"

Note: This folder contains the NSDIAG diagnostic tool, among other utilities.

3. To update the steering configuration for the Netskope Client, run the command:
nsdiag.exe -u

4. Right-click the Netskope Client icon in the system tray and select Configuration.

5. If your Netskope Client was successfully updated with the new steering configuration, the following
information should be displayed:
• Steering Configuration: Group{X} config
• Traffic Steering Type: All Traffic

Part 3 – Test non-HTTP(S) traffic steered to Netskope Cloud Firewall

In this section, you will access a few applications using ICMP, FTP, and SSH and verify the events captured in
Network Events.

Task 3.1 – Test ICMP access

1. In your Amazon WorkSpace, open a Windows command prompt and enter:


ping 8.8.8.8
Is the host reachable?

2. Navigate to Skope IT™ > Network Events.

3. Click the gear icon, then under Destination, select IP Protocol and click the close button.

4. Find the events generated from your Ping test.
What is showing in the Action and Policy Name columns?

Note: The network events show as blocked because all non-web traffic is currently being blocked by the Default
Action setting in the policies list.

Task 3.2 – Test FTP access

1. Open a web browser, navigate to https://dlptest.com/ftp-test/, and record the FTP URL, FTP User, and
Password.

2. Open WinSCP (the shortcut is on the Desktop) and log in to the FTP Test server using the host name and
credentials recorded in the previous step.

Note: Make sure to select the FTP protocol.

3. Click Login. Were you able to successfully log in to the FTP Test server?

4. Close the Error window. Do not leave WinSCP in a reconnect loop.

5. Navigate to Skope IT™ > Network Events and find the events generated by your attempt to log in to the
FTP Test server.
Do the FTP login attempts show as blocked?

Task 3.3 – Test SSH access

1. Open PuTTY (available in the Start menu).

2. In the Host Name (or IP address) field, paste the public IP address of the OPLP appliance provided by
your instructor.

3. Make sure the Port field is 22.

4. Click Open. Were you able to log in to the OPLP appliance?

5. Navigate to Skope IT™ > Network Events and verify your SSH activity.
Does the SSH activity show as blocked?

Part 4 – Allow access through Netskope Cloud Web Firewall

To allow non-web traffic through Netskope CFW, you will define traffic destinations as firewall apps in the
tenant settings and create a policy to allow access to these firewall apps.

Task 4.1 – Configure traffic destinations as firewall apps

You will create three firewall app definitions to be included in CFW policies to allow for specific ICMP, FTP, and
SSH traffic.

1. Navigate to Settings > Security Cloud Platform > Traffic Steering > App Definition.

2. Click New app definition rule, then select Firewall App.

3. For the first firewall app, enter the following, then click Save:

| Field | Value |
| --- | --- |
| Application Name | Student{X}-Ping |
| Destination IP | 8.8.8.8 |
| Protocol | ICMP |

4. For the second firewall app, click New App Definition Rule, then select Firewall App.

5. Enter the following information, then click Save:


| Field | Value |
| --- | --- |
| Application Name | Student{X}-FTP |
| Destination IP | ftp.dlptest.com |
| Protocol | TCP |
| Port | 21 |

6. For the third firewall app, click New App Definition Rule, then select Firewall App.

7. Enter the following, then click Save:


| Field | Value |
| --- | --- |
| Application Name | Student{X}-SSH |
| Destination IP | The public IP address of your assigned OPLP, as provided by your instructor |
| Protocol | TCP |
| Port | 22 |

8. Click Apply Changes.

You should now have three new Firewall App Definitions to be included in the CFW policies.

Task 4.2 – Create CFW policy

In this task, create a CFW policy that allows traffic for the three firewall apps created in the previous task.

1. Navigate to Policies > Real-time Protection.

2. Click New Policy and select Firewall.

3. For the CFW policy settings, enter the following:

| Field | Value |
| --- | --- |
| Source | User: Your Student{X} user |
| Destination | Application: [Student{X}-Ping], [Student{X}-FTP], [Student{X}-SSH]. A confirmation dialog box is displayed. Click Proceed to continue. |
| Profile & Action | Action: Allow |
| Policy Name | CFW-Student{X} |
| Group | Students |
| Status | Enabled |

4. Click Save.

5. In the Policy Position window, select To the top for Position Inside Group, then click Save again.

6. Click Apply Changes, then click Apply to confirm.

Part 5 – Verify that the traffic to the configured apps is allowed

In this part, you will run the previous ICMP, FTP, and SSH tests and verify whether non-web traffic is allowed.

1. In your Amazon WorkSpace, open a Windows command prompt and enter:


ping 8.8.8.8
Is the host reachable?

2. Navigate to https://dlptest.com/ftp-test/ and record the FTP URL, FTP User, and Password.

3. Open WinSCP and log in to the FTP Test server using the credentials from dlptest.com.

Were you able to successfully log in to the FTP Test server?


If you were able to successfully log in, select Session and Disconnect Session.

4. Open PuTTY and attempt to start an SSH session to the public IP address of the OPLP appliance, as
provided by your instructor. If you see a PuTTY Security Alert window, click Yes.
Do you see a login prompt?

5. In your Netskope tenant, navigate to Skope IT™ > Network Events and verify that the non-web traffic you
generated was allowed by the specific CFW policies you created in previous steps.

Part 6 – Create an Advanced Analytics Report for CFW activities

1. In the Netskope tenant, navigate to Advanced Analytics > Library > Netskope Library.

2. In the Dashboard Name field, type the following and press Enter:
Firewall

3. Click the Cloud Firewall Discovery dashboard tile.

4. Review the results from this report.
For example, you can scroll down to the Hosts & Ports Discovered widget, which shows the CFW policies
you created, IP protocol/destination port used and accessed, and the number of users accessing these
ports.

Note: It may take 30–60 minutes before Skope IT™ data is reflected in the report.

5. Click Copy in the upper right.

6. Rename the report CFW-Discovery-Student{X} and click Copy Here.

7. Navigate to Advanced Analytics > Folders > Personal and make sure your CFW-Discovery-Student{X}
report is there.

Lab complete
