Question 1

A company's architecture includes a server subnet that is logically isolated from the rest of the
network with no Internet access, no default gateway, and no access to DNS. New resources can only
be provisioned on virtual resources in that segment and there is a firewall that is tunnel-capable
securing the perimeter of the segment. The only requirement is to have content filtering for any
server that might access the Internet using a browser.
Which two Netskope deployment methods would achieve this requirement? (Choose two.)

Accepted Answer

Explanation: For a server subnet that is isolated and requires content filtering for any server that might access the Internet using a browser, the two Netskope deployment methods that would meet this requirement are: B . Deploy Data Plane on Premises (DPoP) with a proxy configuration on the servers: Deploying DPoP would allow the isolated servers to connect to the Netskope cloud for content filtering through a proxy configuration. This setup would enable the servers to have controlled access to the Internet for content filtering purposes without requiring direct Internet access1. C . Deploy IPsec or GRE tunnels in the segment to steer traffic from the servers to Netskope: By deploying IPsec or GRE tunnels, the traffic from the servers can be securely directed to Netskope for content filtering. This method is suitable for environments where servers do not have direct Internet access, as the tunnel provides a secure path for traffic to reach Netskope’s cloud services1. These deployment methods are designed to work in environments with strict network isolation and provide the necessary content filtering capabilities for servers accessing the Internet. Reference: The deployment methods and their suitability for isolated server subnets are based on Netskope’s documentation and resources, which detail various deployment options and their use cases21.

Question 2

Review the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Netskope_NSK300/page_5_img_1.jpg You are the proxy administrator for a medical devices company. You recently changed a pilot group of users from cloud app steering to all Web traffic. Pilot group users have started to report that they receive the error shown in the exhibit when attempting to access the company intranet site that is publicly available. During troubleshooting, you realize that this site uses your company's internal certificate authority for SSL certificates. Which three statements describe ways to solve this issue? (Choose three.)

Accepted Answer

Explanation: A . Import the root certificate for your internal certificate authority into Netskope: This step ensures that Netskope recognizes and trusts SSL certificates issued by your company’s internal certificate authority. By importing the root certificate, you enable proper SSL inspection and validation for internal sites. B . Bypass SSL inspection for the affected site(s): Since the intranet site uses your company’s internal certificate authority, bypassing SSL inspection for this specific site allows users to access it without encountering SSL errors. D . Change the SSL Error Settings from Block to Bypass in the Netskope tenant: Adjusting the SSL Error Settings to “Bypass” allows users to proceed past SSL errors, including self- signed certificate errors. This ensures uninterrupted access to the intranet site. Reference: Netskope Security Cloud Introductory Online Technical Training Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Training Netskope Cloud Security Certification Program

Question 3

You are asked to ensure that a Web application your company uses is both reachable and decrypted
by Netskope. This application is served using HTTPS on port 6443. Netskope is configured with a
default Cloud Firewall configuration and the steering configuration is set for All Traffic.
Which statement is correct in this scenario?

Accepted Answer

C

Explanation: To ensure that the web application using HTTPS on port 6443 is both reachable and decrypted by Netskope, the correct action is to enable “Steer non-standard ports” in the steering configuration and add the domain and port as a new non-standard port. This is because Netskope’s default configuration steers standard HTTP/HTTPS traffic, typically on ports 80 and 443. Since port 6443 is a non-standard port for HTTPS traffic, it requires explicit configuration to be steered through Netskope1. Reference: The process for configuring non-standard ports in Netskope is detailed in the Netskope Knowledge Portal, which provides step-by-step instructions on how to steer HTTP(S) traffic over non- standard ports1. This includes adding the specific non-standard port number in the steering configuration to ensure that traffic to and from that port is properly handled by Netskope.

Question 4

Your organization's software deployment team did the initial install of the Netskope Client with
SCCM. As the Netskope administrator, you will be responsible for all up-to-date upgrades of the
client.
Which two actions would be required to accomplish this task9 (Choose two.)

Accepted Answer

Explanation: To ensure that the Netskope Client is always up-to-date with the latest upgrades, two actions are required. First, in the Client Configuration, the administrator should set the option to Upgrade Client Automatically to Latest Release. This setting ensures that the client will automatically update to the most recent version available. Second, during the original installation of the Netskope Client, the autoupdate-on flag should be set. This flag enables the auto-update feature, allowing the client to receive and apply updates as they are released. Reference: The information is based on the Netskope Client deployment options and upgrade process as detailed in the Netskope Knowledge Portal

Question 5

Your company purchased Netskope's Next Gen Secure Web Gateway You are working with your
network administrator to create GRE tunnels to send traffic to Netskope Your network administrator
has set up the tunnel, keepalives. and a policy-based route on your corporate router to send all HTTP
and HTTPS traffic to Netskope. You want to validate that the tunnel is configured correctly and that
traffic is flowing.
In this scenario, which two statements are correct? (Choose two.)

Accepted Answer

Explanation: To validate that the GRE tunnel is configured correctly and that traffic is flowing to Netskope, the correct statements are: A: You can use your local router or network device to verify that keepalives are being received and traffic is flowing to Netskope. This is a standard method for checking the health and activity of a GRE tunnel. C: You can verify that the tunnel is up and receiving traffic in the Netskope UI under Settings > Security Cloud Platform > GRE. This is a feature provided by Netskope to monitor the status of GRE tunnels directly from the Netskope interface12. Statement B is incorrect because Netskope provides its own tools for monitoring the status of the tunnel. Statement D is incorrect because the Netskope Trust portal provides information on the overall service status and updates, not specific tunnel status3. Reference: The

Question 6

You are the network architect for a company using Netskope Private Access. Multiple users are
reporting that they are unable to access an application using Netskope Private Access that was
working previously. You have verified that the Real-time Protection policy allows access to the
application, private applications are steered for the users, and the application is reachable from
internal machines. You must verify that the application is reachable through Netskope Publisher
In this scenario, which two tools in the Netskope Ul would you use to accomplish this task? (Choose
two.)

Accepted Answer

Explanation: In the scenario where users are unable to access an application through Netskope Private Access, and after verifying that the Real-time Protection policy allows access, the application is steered for the users, and it is reachable from internal machines, the next step is to verify the application’s reachability through the Netskope Publisher. The two tools in the Netskope UI that would be used to accomplish this task are: A . Reachability Via Publisher in the App Definitions page - This tool allows you to check if the application is reachable through the configured Publishers. It is essential to ensure that the application’s connectivity is intact and that there are no issues with the Publishers themselves. B . Troubleshooter tool in the App Definitions page - The Troubleshooter tool can help diagnose and resolve issues related to application reachability. It provides insights into potential problems and offers guidance on how to fix them. These tools are designed to assist in troubleshooting and ensuring that applications are accessible through Netskope Private Access. Reference: The explanation is based on the standard procedures for managing private applications and troubleshooting within the Netskope Private Access environment as outlined in the Netskope Knowledge Portal

Question 7

A company has deployed Explicit Proxy over Tunnel (EPoT) for their VDI users They have configured
Forward Proxy authentication using Okta Universal Directory They have also configured a number of
Real-time Protection policies that block access to different Web categories for different AD groups so.
for example, marketing users are blocked from accessing gambling sites. During User Acceptance
Testing, they see inconsistent results where sometimes marketing users are able to access gambling
sites and sometimes they are blocked as expected They are seeing this inconsistency based on who
logs into the VDI server first.
What is causing this behavior?

Accepted Answer

A

Explanation: The inconsistent results observed during User Acceptance Testing (where marketing users sometimes access gambling sites and sometimes are blocked) are likely due to the configuration of the Forward Proxy. Cookie Surrogate: The Cookie Surrogate is a mechanism used in Forward Proxy deployments to maintain user context across multiple requests. It ensures that user-specific policies are consistently applied even when multiple users share the same IP address (common in VDI environments). Issue: If the Forward Proxy is not configured to use the Cookie Surrogate, it may lead to inconsistent behavior. When different users log into the VDI server, their requests may not be associated with their specific user context, resulting in varying policy enforcement. Solution: Ensure that the Forward Proxy is properly configured to use the Cookie Surrogate, allowing consistent policy enforcement based on individual user identities. Reference: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Training Netskope Security Cloud Introductory Online Technical Training Netskope Architectural Advantage Features

Question 8

Review the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Netskope_NSK300/page_9_img_1.jpg A user has attempted to upload a file to Microsoft OneDrive that contains source code with Pll and PCI data. Referring to the exhibit, which statement Is correct?

Accepted Answer

C

Explanation: In the given scenario, a user is attempting to upload a file containing sensitive PII and PCI data to Microsoft OneDrive. The Netskope Security Cloud provides real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Based on the exhibit provided, different DLP (Data Loss Prevention) profiles are triggered - DLP-SourceCode, DLP-PCI, and DLP-PII. Each of these profiles has specific actions associated with them; for instance, an alert is generated for Source Code while blocking actions are initiated for PCI and PII data. Since multiple DLP profiles are triggered due to the sensitive nature of the content in the file being uploaded, separate incidents will be generated for each matching profile ensuring comprehensive security coverage and incident reporting. Reference: Netskope Cloud Security Netskope Resources Netskope Documentation

Question 9

You have an NG-SWG customer that currently steers all Web traffic to Netskope using the Netskope
Client. They have identified one new native application on Windows devices that is a certificate-
pinned application. Users are not able to access the application due to certificate pinning. The
customer wants to configure the Netskope Client so that the traffic from the application is steered to
Netskope and the application works as expected.
Which two methods would satisfy the requirements? (Choose two.)

Accepted Answer

Explanation: To address the issue of a certificate-pinned application not being accessible due to certificate pinning, while still steering the traffic to Netskope, the two methods that would satisfy the requirements are: B: Configure the SSL Do Not Decrypt policy to not decrypt traffic for domains used by the native application. This ensures that the SSL traffic for the specified domains is not decrypted, thus avoiding issues with certificate pinning. C: Configure domain exceptions in the steering configuration for the domains used by the native application. By setting domain exceptions, traffic to these domains will bypass SSL decryption, allowing the certificate-pinned application to function as expected1. These methods are in line with Netskope’s capabilities for handling certificate-pinned applications, which often require bypassing decryption to prevent breaking the application’s functionality due to its security features1. Reference: The Netskope Knowledge Portal provides detailed information on managing certificate- pinned applications, including how to configure SSL Do Not Decrypt policies and domain exceptions in the steering configuration1. Additionally, the Netskope Community Forum offers insights and best practices for handling certificate-pinned applications2.

Question 10

You are building an architecture plan to roll out Netskope for on-premises devices. You determine
that tunnels are the best way to achieve this task due to a lack of support for explicit proxy in some
instances and IPsec is the right type of tunnel to achieve the desired security and steering.
What are three valid elements that you must consider when using IPsec tunnels in this scenario?
(Choose three.)

Accepted Answer

Explanation: When using IPsec tunnels, especially in the context of deploying Netskope for on-premises devices, several factors must be considered to ensure a secure and efficient architecture: Cipher support on tunnel-initiating devices (A): It is crucial to ensure that the devices initiating the IPsec tunnels support the ciphers used by Netskope. This compatibility is necessary for establishing secure connections. Bandwidth considerations (B): The bandwidth available for the IPsec tunnels will affect the data throughput and performance of the connection. Adequate bandwidth must be allocated to handle the expected traffic without causing bottlenecks. The impact of threat scanning performance (D): The performance of threat scanning can be affected by the encryption and decryption processes in IPsec tunnels. It is important to consider how the threat scanning capabilities will perform under the additional load of encrypted traffic. These elements are essential for the successful implementation of IPsec tunnels in a Netskope architecture plan for on-premises devices12. Reference: The considerations for using IPsec tunnels are outlined in the Netskope Knowledge Portal and Community discussions, which provide guidance on deployment and validation of IPsec tunnels, including cipher support, bandwidth management, and maintaining threat scanning performance

Question 11

Users in your network are attempting to reach a website that has a self-signed certificate using a GRE
tunnel to Netskope. They are currently being blocked by Netskope with an SSL error. How would you
allow this traffic?

Accepted Answer

A

Explanation: To allow traffic from a website with a self-signed certificate that is being blocked by Netskope with an SSL error, the correct action is to configure a Do Not Decrypt SSL Decryption rule. This rule will allow the traffic to pass without being decrypted, thus bypassing the SSL error caused by the self- signed certificate. This is a common practice for handling traffic from trusted internal applications or specific external sites that use self-signed certificates1. Reference: The Netskope Community Forum discusses the application of exceptions for sites with self-signed certificates and the use of SSL decryption policies to bypass the blocking1. Additionally, the Netskope Knowledge Portal provides information on managing error settings and configuring SSL decryption rules2.

Question 12

Your company just had a new Netskope tenant provisioned and you are asked to create a secure tenant configuration. In this scenario, which two default settings should you change? {Choose two.)

Accepted Answer

B, D

Explanation: For a new Netskope tenant provisioned, to create a secure tenant configuration, you should consider changing the following default settings: B . Change Untrusted Root Certificate to Block: This setting will ensure that any traffic coming from an untrusted root certificate is blocked, which is a critical security measure to prevent man-in-the- middle attacks and other types of cyber threats1. D . Change “Disallow concurrent logins by an Admin” to Enabled: This setting will prevent multiple concurrent logins by the same admin account, which is an important security control to mitigate the risk of unauthorized access. If an admin’s credentials are compromised, this setting will help limit the potential damage by ensuring that only one session can be active at a time1. These changes are part of the recommended security hardening guidelines for Netskope tenants to enhance the overall security posture of the tenant environment. Reference: The recommendations for changing default settings for a secure tenant configuration are based on Netskope’s security hardening guidelines, which provide detailed instructions on how to enhance the security of Netskope products and components deployed in customer environments1.

Question 13

You want customers to configure Real-time Protection policies. In which order should the policies be placed in this scenario?

Accepted Answer

B

Explanation: When configuring Real-time Protection policies in Netskope, the recommended order is as follows: RBI (Risk-Based Index) Policies: These policies focus on risk assessment and prioritize actions based on risk scores. They help identify high-risk activities and users. CASB (Cloud Access Security Broker) Policies: These policies address cloud-specific security requirements, such as controlling access to cloud applications, enforcing data loss prevention (DLP) rules, and managing shadow IT. Web Policies: These policies deal with web traffic, including URL filtering, web categories, and threat prevention. Threat Policies: These policies focus on detecting and preventing threats, such as malware, phishing, and malicious URLs. Placing the policies in this order ensures that risk assessment and cloud-specific controls are applied before addressing web and threat-related issues. Reference: Netskope Security Cloud Introductory Online Technical Training Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Training Netskope Certification Description Netskope Architectural Advantage Features

Question 14

You are consuming Audit Reports as part of a Salesforce API integration. Someone has made a
change to a Salesforce account record field that should not have been made and you are asked to
venfy the previous value of the structured data field. You have the approximate date and time of the
change, user information, and the new field value.
How would you accomplish this task?

Accepted Answer

D

Explanation: To verify the previous value of a structured data field in Salesforce after an unauthorized change, you would use Skope IT with an Access Method of API Connector. This method allows you to search the Application Event Details for the ‘Old Value’ field. By filtering with the user details and the edit activity, you can pinpoint the exact change and retrieve the original value of the field. Reference: The approach is consistent with the Netskope Cloud Security Architect’s guidelines for using API Data Protection with Salesforce. The documentation provides a detailed procedure for configuring Salesforce for API Data Protection, which includes the use of Netskope Audit Reports and the ability to track changes through the ‘Old Value’ field

Question 15

You are attempting to merge two Advanced Analytics reports with DLP incidents: Report A with 3000
rows and Report B with 6000 rows. Once merged, you notice that the merged report is missing a
significant number of rows.
What is causing this behavior?

Accepted Answer

B

Explanation: When merging two Advanced Analytics reports in Netskope, if the merged report is missing rows, it is likely due to viewing limits within the system. Netskope’s Advanced Analytics platform has limitations on the number of rows that can be viewed at once, which can result in missing data when dealing with large reports. This viewing limit ensures performance and manageability of the data within the system. Reference: The behavior of data viewing limits in Netskope Advanced Analytics is discussed in the Netskope Knowledge Portal, which provides insights into how data is explored and managed within the platform1

Free NETSKOPE NSK300 Actual Exam Questions