Netskope Integration Overview
Netskope delivers a modern cloud security stack that unifies data and threat protection capabilities. Netskope can act as a secure web gateway: 0.0.0.0/0 traffic from the site is routed to it for inspection and policy enforcement before it leaves to the internet.
This document describes how to configure Netskope IPsec peers with the Meraki security appliance (MX/Z platforms).
Prerequisites
- Netskope account
- Meraki MX/Z device (running MX17+ firmware)
- Meraki MX/Z Site-to-site VPN enabled
Netskope Configuration
- Log into your Netskope tenant
- Click on Settings at the bottom left corner of the page.
- Click on Security Cloud Platform on the left pane, then IPsec
- Add New Tunnel
Below, we have added the User FQDN for our Atlanta office as the Source Identity, and selected a POP in Atlanta as primary and Miami as backup.
Note: Netskope preconfigures its ciphers and lists the supported crypto ciphers on the IPsec configuration page. All that is needed is to ensure the Meraki site configuration aligns with the cipher defaults supported by Netskope.
- Save your configuration
Enable Meraki site-to-site VPN
On the Meraki network, navigate to the Site-to-site VPN settings through the Security & SD-WAN > Configure > Site-to-site VPN page.
There are three options for configuring the MX-Z's role in the Auto VPN topology:
- Off: The MX-Z device will not participate in site-to-site VPN.
- Hub (Mesh): The MX-Z device will establish VPN tunnels to all remote Meraki VPN peers that are also configured in this mode, as well as any MX-Z appliances in hub-and-spoke mode that have the MX-Z device configured as a hub.
- Spoke: This MX-Z device (spoke) will establish direct tunnels only to the specified remote MX-Z devices (hubs). Other spokes will be reachable via their respective hubs unless blocked by site-to-site firewall rules.
Select Hub (Mesh) to enable AutoVPN; this is the recommended mode for an MX peering with a non-Meraki peer such as Netskope.
Gather details from Netskope
1. You need the primary Netskope POP IP address. Example shown below:
2. You also need the pre-shared key (use your preferred secret) and the Phase 1 and Phase 2 IPsec crypto settings. Netskope lists the supported crypto ciphers on the IPsec configuration page (screenshot shown below).
Configuration
You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and Netskope under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:
- Name - A name for the remote device or VPN tunnel
- Public IP - Netskope POP IP
- IKE Version - IKEv2
- Local ID - IKEv2 enables the Local ID field (optional); if used, it must match the "Source identity" field in the tunnel settings on the Netskope dashboard
- IPsec policies - must match the IKE and IPsec options supported by Netskope, per the IKE and IPsec policy settings configured in Netskope. Note that the policies must match on the Meraki and Netskope ends for the tunnel to come up.
6. Our completed configuration for the Atlanta office looks like this:
7. Once the tunnel is up and running, you will see a green up arrow for the configured tunnel on the IPsec settings page.
8. Ensure Netskope policies are set correctly to permit traffic expected from the branch.
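The same non-Meraki peer entry can be built and validated in code rather than typed into the dashboard, which makes it easy to confirm before pushing that the IPsec policy uses only ciphers Netskope accepts (the most common reason the tunnel never comes up). The example below is added here and is not Meraki's or Netskope's own code. It assumes the Dashboard API v1 endpoint `PUT /organizations/{organizationId}/appliance/vpn/thirdPartyVPNPeers` and the field names `publicIp`, `secret`, `ikeVersion`, `localId`, `privateSubnets` and `ipsecPolicies` as published in the Meraki API reference (verify against your API version), and the Netskope-supported cipher set is a constructed placeholder that you should replace with the list from your tenant's IPsec configuration page.

```python
"""Build, validate and (optionally) push a Netskope POP as a Meraki
non-Meraki VPN peer. Added example; not Meraki's or Netskope's own code."""
import json
import os
import urllib.request

# Constructed placeholder: replace with the defaults shown on the Netskope
# IPsec configuration page for your tenant.
NETSKOPE_SUPPORTED = {
    "ikeCipherAlgo": {"aes256", "aes128"},
    "ikeAuthAlgo": {"sha256", "sha1"},
    "ikeDiffieHellmanGroup": {"group14", "group5"},
    "childCipherAlgo": {"aes256", "aes128"},
    "childAuthAlgo": {"sha256", "sha1"},
    "childPfsGroup": {"group14", "disabled"},
}

# Phase 1 / Phase 2 policy in the Dashboard API's ipsecPolicies shape
# (list-valued algorithm fields, integer lifetimes in seconds).
GOOD_POLICY = {
    "ikeCipherAlgo": ["aes256"], "ikeAuthAlgo": ["sha256"],
    "ikePrfAlgo": ["prfsha256"], "ikeDiffieHellmanGroup": ["group14"],
    "ikeLifetime": 28800,
    "childCipherAlgo": ["aes256"], "childAuthAlgo": ["sha256"],
    "childPfsGroup": ["group14"], "childLifetime": 3600,
}
# Same policy with a 3DES Phase 2 cipher the placeholder set does not allow.
BAD_POLICY = dict(GOOD_POLICY, childCipherAlgo=["tripledes"])


def check_policy(policy):
    """Return a list of mismatches between `policy` and NETSKOPE_SUPPORTED
    (empty list means every chosen algorithm is on the supported list)."""
    problems = []
    for key, allowed in NETSKOPE_SUPPORTED.items():
        values = policy.get(key)
        if not values:
            problems.append(f"{key}: missing")
            continue
        for value in values:
            if value not in allowed:
                problems.append(f"{key}: {value} not supported by Netskope")
    return problems


def build_peer(name, pop_ip, secret, local_id, policy, subnets=("0.0.0.0/0",)):
    """Return one entry for the `peers` list of the third-party VPN peers
    body. Raises if the policy would not match Netskope or the PSK is weak."""
    problems = check_policy(policy)
    if problems:
        raise ValueError("IPsec policy mismatch: " + "; ".join(problems))
    if len(secret) < 16:
        raise ValueError("use a pre-shared key of at least 16 characters")
    return {
        "name": name,
        "publicIp": pop_ip,            # Netskope POP IP
        "secret": secret,              # pre-shared key, same value on Netskope
        "ikeVersion": "2",             # Netskope peering uses IKEv2
        "localId": local_id,           # must equal the Netskope Source identity
        "privateSubnets": list(subnets),  # 0.0.0.0/0 sends all traffic to Netskope
        "ipsecPolicies": policy,
    }


def push_peers(org_id, peers, api_key=None, dry_run=True):
    """PUT the full peers list. With dry_run=True nothing is sent; the
    request that would be made is returned (secret masked) for review."""
    url = (f"https://api.meraki.com/api/v1/organizations/{org_id}"
           "/appliance/vpn/thirdPartyVPNPeers")
    body = {"peers": peers}
    if dry_run:
        masked = json.loads(json.dumps(body))
        for peer in masked["peers"]:
            peer["secret"] = "********"
        return {"method": "PUT", "url": url, "body": masked}
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key or os.environ["MERAKI_API_KEY"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed values: the POP IP, Local ID and PSK are placeholders.
    peer = build_peer("Netskope-ATL", "203.0.113.10", "replace-with-a-long-random-psk",
                      "atl-office@example.com", GOOD_POLICY)
    print(json.dumps(push_peers("ORG_ID_PLACEHOLDER", [peer]), indent=2))
```

As I understand the endpoint, the update call replaces the organization's entire third-party peer list rather than appending, so in production fetch the existing list with the matching GET first and submit the existing peers plus the new one. `check_policy` is the step that catches the mismatch the page warns about before any API call is made.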
Primary and backup Netskope
Meraki MX/Z platforms do not support native primary and backup peering at this time, but we have created an API configuration guide as a workaround. For more information, read here.
Non-Meraki VPN firewall
You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from all MX-Z appliances in the Organization that participate in site-to-site VPN. These rules are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN.
Serviceability
Event Logs
If you have any issues or would like to know more about the Netskope peering details, navigate to Network-wide > Monitor > Event log.
Packet Captures
The following options are available for a packet capture on MX/Z platforms:
- Appliance: The appliance the capture will run on.
- Interface: Select the interface to run the capture on; the interface names will vary depending on the appliance configuration. A few examples of interfaces you may see are:
  - Internet 1 or Internet 2 - Capture traffic on one active WAN uplink. Internet 2 will only appear if there is a second WAN link.
  - LAN - Captures traffic from all LAN ports
  - Cellular - Captures cellular traffic from the integrated cellular interface. This does not apply to USB modems.
  - Site-to-Site VPN - Captures AutoVPN traffic (MX/Z to MX/Z only). This does not apply to Non-Meraki VPN peers.
- Output: Select how the capture should be displayed; view output or download .pcap.
- Verbosity: Select the level of the packet capture (only available when viewing the output directly to Dashboard).
- Ignore: Optionally ignore capturing broadcast/multicast traffic.
- Filter expressions: Apply a capture filter.
To capture packets, select the WAN interface and use a filter expression for UDP port 500 for Phase 1 or UDP port 4500 for Phase 2.
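When reading the downloaded .pcap, it helps to know which IKEv2 exchange each datagram belongs to, because a tunnel that never reaches IKE_AUTH (proposal mismatch) looks different from one that fails at CREATE_CHILD_SA (Phase 2 mismatch) or one where only ESP is missing. The decoder below is an added example, not Meraki or Netskope code, and works from the IKEv2 header layout in RFC 7296 and the NAT-T framing in RFC 3948: on UDP 500 the payload starts with the IKE header, while on UDP 4500 a four-zero-byte "non-ESP marker" precedes IKE and anything else is ESP-in-UDP. The sample datagrams are constructed, not captured from a real tunnel.

```python
"""Classify UDP 500/4500 datagrams from an IPsec capture as IKEv2 exchanges
or ESP. Added example; constructed packets, not a real capture."""
import struct

# IKEv2 header: iSPI(8) rSPI(8) next payload(1) version(1) exchange(1)
# flags(1) message id(4) length(4) = 28 bytes, network byte order.
IKE_HDR = struct.Struct("!QQBBBBII")
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def decode_ikev2_header(data):
    """Decode the fixed IKEv2 header; returns None if the bytes are not IKEv2."""
    if len(data) < IKE_HDR.size:
        return None
    ispi, rspi, _nxt, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(data)
    if version >> 4 != 2:          # major version 2 = IKEv2
        return None
    return {
        "kind": "IKEv2",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        # IKE_SA_INIT / IKE_AUTH are the Phase 1 exchanges; CREATE_CHILD_SA
        # negotiates (or rekeys) the Phase 2 child SA.
        "phase": 1 if exch in (34, 35) else 2 if exch == 36 else None,
        "initiator": bool(flags & 0x08),
        "response": bool(flags & 0x20),
        "message_id": msg_id,
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",
        "length_ok": length == len(data),   # truncated capture shows here
    }


def classify_udp(port, payload):
    """Classify a UDP payload seen on `port` (500 or 4500)."""
    if port == 500:
        return decode_ikev2_header(payload) or {"kind": "other"}
    if port == 4500:
        if payload.startswith(NON_ESP_MARKER):        # IKE over NAT-T
            ike = decode_ikev2_header(payload[4:])
            if ike:
                ike["nat_t"] = True
                return ike
            return {"kind": "other"}
        if len(payload) >= 8:                          # ESP-in-UDP: SPI, seq
            spi, seq = struct.unpack_from("!II", payload)
            return {"kind": "ESP", "spi": f"{spi:08x}", "sequence": seq}
    return {"kind": "other"}


# Constructed datagrams (header-only IKE messages, length field = 28).
SAMPLE = [
    (500, IKE_HDR.pack(0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28)),
    (500, IKE_HDR.pack(0x1122334455667788, 0x99AABBCCDDEEFF00, 33, 0x20, 34, 0x20, 0, 28)),
    (4500, NON_ESP_MARKER + IKE_HDR.pack(0x1122334455667788, 0x99AABBCCDDEEFF00,
                                         46, 0x20, 35, 0x08, 1, 28)),
    (4500, struct.pack("!II", 0xC0FFEE01, 5) + b"\xaa" * 16),
]


def summarize(datagrams):
    """One-line summary per datagram, in capture order."""
    lines = []
    for port, payload in datagrams:
        info = classify_udp(port, payload)
        if info["kind"] == "IKEv2":
            role = "response" if info["response"] else "request"
            lines.append(f"udp/{port} IKEv2 {info['exchange']} {role} msgid={info['message_id']}")
        elif info["kind"] == "ESP":
            lines.append(f"udp/{port} ESP spi={info['spi']} seq={info['sequence']}")
        else:
            lines.append(f"udp/{port} other")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

In a healthy negotiation you expect an IKE_SA_INIT request and response, then IKE_AUTH, then ESP; seeing IKE_SA_INIT requests with no response points at reachability or a Phase 1 proposal the peer rejects, whereas IKE_AUTH completing but no ESP appearing usually means the Phase 2 policy or selectors disagree.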
API
The Meraki dashboard API is an interface for software to interact directly with the Meraki cloud platform and Meraki-managed devices. The API contains a set of tools known as endpoints for building software and applications that communicate with the Meraki dashboard for use cases such as provisioning, bulk configuration changes, monitoring, and role-based access controls. The dashboard API is a modern, RESTful API using HTTPS requests to a URL and JSON as a human-readable format. The dashboard API is an open-ended tool that can be used for many purposes.
For more information, read here.
24/7 Support
Cisco Meraki Support is available 24/7 to Enterprise customers for assistance with resolving network issues and providing answers to questions not covered by the documentation. For more information, read here.