Skip to main content

Bypassing Netskope for improved performance

Method-1 (Sample Configuration): Bypassing using Custom Firewall Application


If the exception traffic destination IP address/subnet/CIDR (or) Domains, protocol (TCP, UDP) and ports are available then this method is preferable.

Important notes:

  • In the firewall application definition, it is recommended to configure fine grained custom application rules including IP address/Domains, protocol and ports specific to voice/video traffic.
  • For IPSec/GRE GW steering methods, we recommend customers to configure equivalent bypass rules in access gateways in their client network.
  • If FQDN/PQDN is used in custom firewall applications, then we need to make sure to send DNS traffic also through the cloud firewall so that the firewall can be aware of IP to domain mapping. This is needed only for IPSec/GRE GW steering methods and customers can’t configure bypass rules in their access gateways.

Configuration Steps:

  1. Create the Custom Firewall Application in Settings > Security Cloud Platform > TRAFFIC STEERING > App Definition with IP addresses/FQDN, Protocols (TCP, UDP) and ports

    image-1746705487809.png

    image-1746705517399.png

  2. Add the custom application to New Application exception in Settings > Security Cloud Platform > TRAFFIC STEERING > Steering Configuration page

    image-1746705612569.png


    Address
    Protocol
    Ports
    Is Bypass Required
    3.238.83.128/25, 3.251.93.0/26, 3.133.18.38/32, 3.135.139.181/32, 13.51.179.176/32, 13.228.200.40/32, 52.76.233.79/32, 52.221.167.63/32, 54.253.118.63/32, 54.253.248.99/32,
    54.253.250.85/32, 54.253.254.161/32, 54.254.43.153/32,
    165.75.5.0/24
    TCP 443,1720,1935,5060-5061,30000-50000 Yes
    "204.141.11.0/24",
    "204.141.12.0/24",
    "204.141.217.0/24"
    TCP 443, 80, 8080 No
    3.238.83.128/25, 3.251.93.0/26, 3.133.18.38/32, 3.135.139.181/32, 13.51.179.176/32, 13.228.200.40/32, 52.76.233.79/32, 52.221.167.63/32, 54.253.118.63/32, 54.253.248.99/32,
    54.253.250.85/32, 54.253.254.161/32, 54.254.43.153/32,
    165.75.5.0/24
    UDP 443,1719,5060,40000-50000 Yes
    "204.141.11.0/24",
    "204.141.12.0/24",
    "204.141.217.0/24"
    UDP 443, 80, 8080 No
    204.141.12.0/24
    3.251.93.0/26
    13.228.200.40/32
    54.254.43.153/32
    52.206.127.180/32
    34.192.154.13/32
    TCP 443, 40000-50000 Yes
    204.141.12.0/24
    3.251.93.0/26
    13.228.200.40/32
    54.254.43.153/32
    52.206.127.180/32
    34.192.154.13/32
    UDP 443, 40000-50000 Yes

Configuration Steps


We will configure GlobalMeet voice traffic bypass using Custom Firewall Application (Method-1).

  1. Create the 2 Custom Firewall Applications in Settings > Security Cloud Platform > TRAFFIC STEERING > App Definition with IP addresses/FQDN, Protocols (TCP, UDP) and ports

    Example: UDP

    image-1746706271221.png


    Example: TCP

    image-1746706331371.png


  2. Add the custom application to New Application exception in Settings > Security Cloud Platform > TRAFFIC STEERING > Steering Configuration page

    image-1746706433376.png


  3. Validate bypass location is at the client in Security Cloud Platform > Traffic Steering > Steering Configuration > Edit > Cloud, Web and Firewall > Bypass exception traffic at “Client”

    image-1746706493670.png