Instance Awareness in Netskope provides visibility and control over instances of applications used by the organization. Specifically, it helps in differentiating between corporate and personal instances of the same application. This feature is particularly crucial in ensuring that corporate data is not uploaded to personal instances of applications and vice versa.

For example, it can identify that a form hosted in Microsoft Forms belongs to the corporate Microsoft 365 tenant, thereby preventing data from being mistakenly or maliciously sent to a third-party tenant. This ensures that only authorized instances of applications are used for corporate data, maintaining data security and compliance.

Using the REST API v2 UCI Impact Endpoints - Netskope Knowledge Portal

REST API v2 Overview - Netskope Knowledge Portal

Using the REST API v2 dataexport Iterator Endpoints - Netskope Knowledge Portal

Shadow IT is the term for the unauthorized use of IT resources and functions by employees within an organization. It can include cloud services, software, and hardware that are not approved or managed by the IT department. Two use cases that would be considered examples of shadow IT within an organization are: an unsanctioned Microsoft 365 OneDrive account being used by a corporate user to upload sensitive data and an unsanctioned Google Drive account used by a corporate user to upload non-sensitive data. In both cases, the corporate user is using a personal cloud storage service that is not sanctioned by the organization to store work-related data. This can introduce security risks, such as data leakage, data loss, compliance violations, malware infections, etc. The IT department may not have visibility or control over these cloud services or the data stored in them.Reference:What is shadow IT? | CloudflareWhat is Shadow IT? | IBM

The exhibit shows that Group A is allowed only SSH traffic, while Group B is allowed both SSH and RDP traffic. Since users in Group A need access to a third-party server using TCP port 3389 (RDP), you need to create a specific policy to allow this traffic without granting unnecessary access.

Creating an Allow policy using a custom application that includes the destination IP and TCP port 3389 will precisely target the required traffic and ensure that only the necessary connections are permitted. This method avoids broader policy changes that could introduce unnecessary access.

Netskope documentation on creating and managing Cloud Firewall policies.

Best practices for configuring application-specific policies to control network traffic effectively.

In this scenario, there are three probable causes for the issue of users not being able to access external websites from their browsers after attempting to steer traffic to Netskope using GRE tunnels. One cause is that the configured GRE peer in the Netskope platform is incorrect, which means that the Netskope POP that is supposed to receive the GRE traffic from the customer's network is not matching the IP address of the customer's router that is sending the GRE traffic. This will result in a failure to establish a GRE tunnel between the customer and Netskope. Another cause is that the corporate firewall might be blocking GRE traffic, which means that the firewall rules are not allowing the GRE protocol (IP protocol number 47) or the UDP port 4789 (for VXLAN encapsulation) to pass through. This will result in a failure to send or receive GRE packets between the customer and Netskope. A third cause is that the route map was applied to the wrong router interface, which means that the configuration that specifies which traffic should be steered to Netskope using GRE tunnels was not applied to the correct interface on the customer's router. This will result in a failure to steer the desired traffic to Netskope. The pre-shared key for the GRE tunnel is incorrect is not a probable cause for this issue, as GRE tunnels do not use pre-shared keys for authentication or encryption. Netskope does support GRE tunnels, so this is not a cause for this issue either.Reference:[Netskope Secure Forwarder],Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 3: Steering Configuration, Lesson 3: Secure Forwarder.

The following statements about Netskope Private Access Publishers are correct:

Publishers can run on Windows or Linux servers:

Publishers are versatile and can be installed on both Windows and Linux operating systems.

Publishers can be deployed in both private data centers and public cloud providers to provide access to applications across disparate locations:

This flexibility allows organizations to use Publishers to connect applications hosted in various environments, ensuring seamless access across locations.

Publishers only make outbound connections to the Netskope Security Cloud which reduces the amount of public exposure:

By making only outbound connections, Publishers minimize the attack surface, enhancing security by reducing public exposure.

Netskope Private Access Deployment Guide

Netskope REST API v2 Overview