Adding Bypasses in Netskope
How to Configure SSL and Steering Bypasses for Secure and Flexible Traffic Management
Netskope allows administrators to configure two types of bypasses to manage traffic flow and inspection: SSL Decryption Bypasses and Steering Bypasses. Here's how each works and how to configure them.
SSL Decryption Bypass
Purpose:
Used for web and SSL/TLS encrypted traffic. The traffic is sent to the Netskope Cloud but bypasses SSL inspection. This is ideal for certificate-pinned applications that break under inspection but still require filtering and scanning.
Steps to Add an SSL Bypass:
- Navigate to: Policies > SSL Decryption
- Click Add Policy.
- On the New SSL Decryption Policy page, click Add Criteria.
- Choose from the following criteria:
  - Source Network Location (e.g., 10.0.10.5/32)
  - Destination Network Location (e.g., 1.2.3.4)
  - Category (e.g., Finance)
  - User (e.g., user@company.com)
  - User Group (e.g., SSLBypassGroup)
  - Organisational Unit (e.g., Marketing)
  - App Suite (e.g., Amazon)
  - Application (e.g., Microsoft Teams)
- Set the action to Do Not Decrypt.
- Name the policy, ensure it is Enabled, and click Save.
- Go to Policy > SSL Decryption and click Apply Changes to activate the bypass.
Note: Netskope maintains an automatic list of certificate-pinned apps (e.g., Crowdstrike, Dropbox, iCloud) that are bypassed by default.
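To confirm a Do Not Decrypt policy has taken effect, compare the issuer of the certificate a destination presents before and after applying it: under inspection the leaf certificate is re-signed by the tenant's inspection CA, while a bypassed connection shows the site's own issuer. The script below is an added example, not Netskope tooling; the function names and the INSPECTION_CA_MARKER value are assumptions, so set the marker to a string from your own inspection CA's issuer and run it on a device with the Netskope client enabled.

```shell
#!/bin/sh
# Added example: report whether the certificate a host presents was re-signed
# by the inspection CA (still decrypted) or is the site's own (not decrypted).
# Usage: INSPECTION_CA_MARKER="<string from your CA issuer>" sh check.sh host1 host2

# Assumption: placeholder value. Replace with a substring that appears in the
# issuer of certificates signed by your tenant's inspection CA.
INSPECTION_CA_MARKER="${INSPECTION_CA_MARKER:-EXAMPLE-INSPECTION-CA}"

# Print the issuer line of the leaf certificate presented on port 443.
# Prints nothing if the connection or the certificate parse fails.
leaf_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer line:
#   decrypted      issuer contains the inspection CA marker
#   not-decrypted  issuer is something else (the origin's own CA chain)
#   unknown        no certificate was retrieved
classify_issuer() {
    case "$1" in
        "") echo "unknown" ;;
        *"$INSPECTION_CA_MARKER"*) echo "decrypted" ;;
        *) echo "not-decrypted" ;;
    esac
}

# Print one tab-separated line per host: host, verdict, issuer.
check_host() {
    issuer=$(leaf_issuer "$1")
    printf '%s\t%s\t%s\n' "$1" "$(classify_issuer "$issuer")" "$issuer"
}

# Check every host given on the command line (does nothing with no arguments).
for host in "$@"; do
    check_host "$host"
done
```

A result of not-decrypted shows only that the origin certificate reached the device; a steering bypass produces the same result, so the check does not tell the two bypass types apart.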
Steering Bypass
Purpose:
Bypasses traffic entirely from Netskope at the device level. The traffic is sent directly to the destination and never reaches the Netskope Cloud.
Steps to Add a Steering Bypass:
- Navigate to: Settings > Cloud Security Platform > Steering Configuration
- Select the relevant steering configuration profile.
- Go to the Exceptions tab and click New Exception.
- Choose from the following criteria:
  - Application (e.g., Microsoft Teams)
  - Category (e.g., Finance)
  - Certificate-Pinned Applications
Important: Use SSL Bypasses over Steering Bypasses where possible to reduce risk exposure.