NSK200 Sample Questions Answers

Deploying the Netskope client using an email invitation allows smaller companies to onboard users easily without relying on integration with AD, LDAP, or an IdP. This method is efficient for smaller teams that need a quick deployment without complex setup​.

To deploy Netskope using IPSec tunnels for security in this scenario, two considerations to make a successful connection are C. redundant POPs and D. number of hosts. Redundant POPs are Points of Presence that are geographically distributed data centers that host the Netskope cloud platform. You need to consider redundant POPs to ensure high availability and resiliency of your IPSec tunnels in case of a failure or outage in one of the POPs. You can configure multiple IPSec tunnels from your network to different POPs and use dynamic routing protocols such as BGP to load balance and failover the traffic1. Number of hosts is the number of devices or endpoints that will use the IPSec tunnels to access the cloud services. You need to consider the number of hosts to estimate the bandwidth and throughput requirements of your IPSec tunnels and choose the appropriate POPs that can handle the traffic volume. You can use the Netskope Bandwidth Calculator tool to estimate the bandwidth and throughput based on the number of hosts, locations, and cloud services2. Therefore, options C and D are correct and the other options are incorrect. References: IPSec - Netskope Knowledge Portal, Netskope Bandwidth Calculator

To implement tenant access security and governance controls for privileged users, you can use the following access controls that are natively available within the Netskope Cloud Security Platform and do not require external or third-party integration:

IP allowlisting to control access based upon source IP addresses. This allows you to specify the IP addresses that are allowed to access your Netskope tenant2. This can prevent unauthorized access from unknown or malicious sources.

Login attempts to set the number of failed attempts before the admin user is locked out of the UI. This allows you to configure how many times an admin can enter an incorrect password before being locked out for a specified period of time3. This can prevent brute-force attacks or password guessing attempts.

Applying predefined or custom roles to limit the admin’s access to only those functions required for their job. This allows you to assign different levels of permissions and access rights to different admins based on their roles and responsibilities4. This can enforce the principle of least privilege and reduce the risk of misuse or abuse of admin privileges. Therefore, options A, B, and C are correct and the other options are incorrect. References: Secure Tenant Configuration and Hardening - Netskope Knowledge Portal, Admin Settings - Netskope Knowledge Portal, Create Roles - Netskope Knowledge Portal

Creating a real-time threat protection policy specifically targeting the "Cloud Storage" category ensures that all supported cloud storage applications are covered by malware protection. This approach allows real-time scanning and response to malware threats within cloud storage environments​​.

The correct practice is to place high-priority rules, such as those with specific scanning actions, at the top of the Real-time Protection policy rule list. Placing the rule at the top ensures it is applied before other less restrictive rules, like those configured only for browsing activities​​.

Netskope SaaS Security Posture Management (SSPM) is designed to automate the detection and remediation of security misconfigurations across SaaS applications, including GitHub, Microsoft 365, Salesforce, ServiceNow, and Zoom. SSPM provides visibility into and correction of misconfigurations to protect corporate data in cloud applications​.

To reduce false positives by only triggering policies when contents of your customer database are uploaded to Dropbox, you can use two methods: Upload the .csv export to the Netskope tenant DLP rules section to create an exact match hash. This is a method that allows you to upload a file containing structured data, such as a customer database, to the Netskope tenant and generate a hash of the data. The hash is then used to match the data in the cloud traffic and trigger DLP policies. This method is suitable for files that are less than 10 MB in size. To upload the file, you need to go to Policies > Data Protection > DLP Rules and click on Exact Match Hashes. Then you can select the file from your local system and upload it. Use a Netskope virtual appliance to create an exact match hash. This is a method that allows you to create a file containing structured data, such as a customer database, and upload it to the Netskope cloud using a virtual appliance. The virtual appliance encrypts the file before uploading it and generates a hash of the data. The hash is then used to match the data in the cloud traffic and trigger DLP policies. This method is suitable for files that are larger than 10 MB in size. To create the file, you need to follow a specific format and save it as a .csv file. To upload the file, you need to use the request dlp-pdd upload command on the virtual appliance CLI. The other options are not valid methods for this task. You cannot use the Netskope client to upload the .csv export to the Netskope management plane DLP container, as this is not a supported feature of the client. You cannot send the .csv export to Netskope using a support ticket with the subject, “create exact match hash”, as this is not a secure or efficient way of creating an exact match hash. References: Create an Exact Match Hash from the UI1, Create an Exact Match Hash from a Virtual Appliance2

To prevent a document stored in Google Drive from being shared externally with a public link, you need to configure an API Data Protection policy in Netskope. An API Data Protection policy allows you to discover, classify, and protect data that is already resident in your cloud services, such as Google Drive1. You can create a policy that matches the documents you want to protect based on criteria such as users, content, activity, or DLP profiles. Then, you can choose an action to prevent the documents from being shared externally, such as remove external collaborators, remove public links, or quarantine2. Therefore, option B is correct and the other options are incorrect. References: API Data Protection - Netskope Knowledge Portal, Add a Policy for API Data Protection - Netskope Knowledge Portal

To allow the security team to use the test data file that was detected as a virus by the Netskope Heuristics Engine, the following two steps are correct:

Click the “Add To File Filter” button to add the IOC to a file list. This will exclude the file from future malware scans and prevent false positive alerts. The file list can be managed in the Settings > File Filter page1.

Click the “Lookup VirusTotal” button to verify if this IOC is a false positive. This will open a new tab with the VirusTotal report for the file hash. VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. The report will show how many antivirus engines detected the file as malicious and provide additional information about the file2.

https://docs.netskope.com/en/netskope-help/admin-console/incidents/

The problem in this scenario is that the Netskope client connection is being decrypted by a network security device. This is evident from the log message “ERROR SSL certificate verification failed: self signed certificate in certificate chain”. This means that the Netskope client is receiving a certificate that is not issued by Netskope, but by a device that is intercepting and decrypting the traffic between the client and the Netskope cloud. This can cause the client to fail to download the required configuration and remain in a disabled state1. Therefore, option B is correct and the other options are incorrect. References: Troubleshooting Netskope Client - Netskope Knowledge Portal, Using Netskope Client - Netskope Knowledge Portal

In order to restrict users from logging into their personal Google accounts, the policy should include a user constraint. This will ensure that only users with corporate accounts can access the corporate collaboration suite. The user constraint can be added by selecting the “User” option in the “Source” field and then choosing the appropriate user group or identity provider. The other options are not relevant for this scenario. References: [Creating a Policy to Block Personal Google Services], [Policy Creation], [User Constraint]

Creating a steering exception for the host is the appropriate action to prevent SSL decryption on specific network traffic. Steering exceptions allow you to bypass decryption for designated hosts, which is useful for privacy-sensitive scenarios​​.

The Directory Importer is a component of the Netskope Adapters that connects to the domain controller and periodically fetches user and group information to post that info to your tenant instance in the Netskope cloud1. If you are having issues with this process, the first thing you should investigate is the Directory Importer itself. You can check the status of the Directory Importer service, the configuration file, the logs, and the connectivity to the domain controller and the Netskope cloud2. Therefore, option B is correct and the other options are incorrect. References: Configure Directory Importer - Netskope Knowledge Portal, Troubleshooting Directory Importer - Netskope Knowledge Portal

To prevent traffic from the sales team to a custom Web application from being inspected by Netskope, you need to create a Do Not Decrypt Policy using User Group and Domain in the policy page. A Do Not Decrypt Policy allows you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies3. You can use the User Group criteria to match the sales team members and the Domain criteria to match the custom Web application. This way, only the traffic from the sales team to the custom Web application will be exempted from decryption, while all other traffic to the Web application will continue to be inspected. 

The error message in the exhibit represents that there is an upstream device trying to intercept the NPA TLS connection. The error message is “ERROR SSL certificate verification failed: self signed certificate in certificate chain”. This means that the Netskope client is receiving a certificate that is not issued by Netskope, but by a device that is intercepting and decrypting the traffic between the client and the Netskope cloud. This can cause the client to fail to establish a secure connection to the NPA service and access the private applications4. To solve this problem, you need to either bypass or trust the upstream device that is performing SSL decryption, such as a firewall or proxy5. Therefore, option D is correct and the other options are incorrect. References: Troubleshooting Netskope Client - Netskope Knowledge Portal, Netskope Client Troubleshooting Guide - The Netskope Community

Three methods to deploy a Netskope client are A. Deploy Netskope client using SCCM, C. Deploy Netskope client using email invite, and E. Deploy Netskope client using IdP. These are some of the methods that Netskope supports for packaging and installing the Netskope client on the user’s device1. SCCM is a Microsoft tool that allows you to push the Netskope client silently to the user’s device without requiring user intervention or local admin privileges2. Email invite is a method that sends an email to the user with a unique link to download and install the Netskope client. This method is quick and easy, but requires the user to initiate the installation and have local admin privileges3. IdP is a method that uses an identity provider (such as Azure AD or Okta) to authenticate the user and enroll the Netskope client. This method requires the UPN of the logged in user to match the directory, or use SAML/SSO as an alternative4. Therefore, options A, C, and E are correct and the other options are incorrect. References: Deploy the Netskope Client - Netskope Knowledge Portal, Deploying with Microsoft Endpoint Configuration Manager / SCCM - Netskope Knowledge Portal, Deploying with Email Invite - Netskope Knowledge Portal, Deploying with IdP - Netskope Knowledge Portal

To disable inspection for all users accessing Microsoft 365, you need to create a Do Not Decrypt SSL policy for the Microsoft 365 App Suite. This policy will prevent Netskope from decrypting and analyzing the traffic for any Microsoft 365 app, regardless of the access method (Netskope client or GRE tunnel)3. This policy will also allow SNI-based policies to apply, but no deep analysis performed via Real-time Protection policies4. Therefore, option B is correct and the other options are incorrect. References: Add a Policy for SSL Decryption - Netskope Knowledge Portal, Default Microsoft appsuite SSL do not decrypt rule - Netskope Community

Adding a Skope IT query to a custom watchlist allows the query to be saved and easily accessed. Saving the watchlist and managing filters also lets you customize it further and share it with others in your organization if needed​​.

 A file profile is an object that contains a list of file hashes that can be used to create a malware detection profile. A file profile can be configured as an allowlist or a blocklist, depending on whether the files are known to be benign or malicious. A file profile can be created in the Settings > File Profile page1. A malware detection profile is a set of rules that define how Netskope handles malware incidents. A malware detection profile can be created in the Policies > Threat Protection > Malware Detection Profiles page2. To create a malware detection profile, one needs to select a file profile as an allowlist or a blocklist, along with the Netskope malware scan option. The other options are not objects that can be selected when creating a malware detection profile.

To ensure user privacy in the Events and Reports view, obfuscate sensitive information like User IPs, User names, and Source location information. This helps protect identities and prevent location tracking of users while allowing visibility into activity details​​.

The problem is B. The Active Directory user is not synchronized to the Netskope tenant. This is evident from the log message “WARNING No mail ID for the user: Clarke, Daxmeifield, DC=local, skipping use”. This means that the user Clarke does not have a valid email address in the Active Directory, which is required for the Netskope client to work. The Netskope client uses the email address of the user to authenticate and enable the client. Therefore, option B is correct and the other options are incorrect.

For DLP policies to detect sensitive data like credit card numbers, the data must contain valid credit card numbers as defined by the DLP pattern. Invalid or incorrectly formatted numbers will not trigger DLP policy hits​​.

To enable your users access to the application using NPA, you need to complete these two steps: B. Enable traffic steering for private applications and C. Create a Real-time Protection policy that allows your users to access the application. Traffic steering is the process of directing the user’s traffic to the Netskope cloud platform for inspection and policy enforcement. You need to enable traffic steering for private applications in your traffic steering profile to allow the Netskope client to tunnel the traffic to the private application through the Netskope cloud1. A Real-time Protection policy is a rule that specifies the actions and notifications that Netskope applies to the user’s traffic based on various criteria. You need to create a Real-time Protection policy that allows your users to access the private application by selecting the application name, the user group, and the allow action in the policy page2. Therefore, options B and C are correct and the other options are incorrect. References: Traffic Steering Profile - Netskope Knowledge Portal, Add a Policy for Real-time Protection - Netskope Knowledge Portal

The correct solution is to use IPsec and GRE tunnels with Cloud Firewall. Netskope Cloud Firewall supports secure tunneling methods such as IPsec and GRE, enabling companies to steer traffic to the Netskope Security Cloud without requiring the Netskope client. This is particularly useful when endpoint installation of the client is not feasible, such as in remote offices where network infrastructure like routers and firewalls are available​​.