Question 5 - Netskope NSK101 Real Exam Questions [Jan 2026 Update]

Q: 5

You have applied a DLP Profile to block all Personally Identifiable Information data uploads to Microsoft 365 OneDrive. DLP Alerts are not displayed and no OneDrive-related activities are displayed in the Skope IT App Events table. In this scenario, what are two possible reasons for this issue? (Choose two.)

Options

Correct Answer:

A, B

Explanation

The absence of both DLP alerts and Skope IT App Events for OneDrive indicates that traffic is not being successfully decrypted and inspected by the Netskope Security Cloud.

Option A is correct because adding the "Cloud Storage" category to the steering exceptions will cause the Netskope Client to bypass the Netskope proxy entirely for this traffic. The traffic would go directly to the internet, never reaching Netskope for inspection.

Option B is correct because if the destination domain for OneDrive is excluded from TLS decryption, the Netskope proxy will receive the traffic but will not be able to inspect the encrypted payload. Without decryption, the specific application activity ("Upload") cannot be identified, and the content cannot be scanned by the DLP engine.

Why Incorrect

C. Netskope's NewEdge network is global; policies are applied based on the tenant configuration, not the physical location of the POP. User traffic is routed to the best-performing POP for inspection.

D. DLP policies are fully supported for traffic steered via IPsec tunnels. IPsec is a method for getting traffic to the Netskope cloud, where all standard policy inspections, including DLP, are applied.

References

1. Netskope Security Cloud Administration and Operations (NSK101) Student Guide

v4.5.1

Module 4: Steering Configuration. Section: "Steering Exceptions

" pp. 15-17. This section details how adding categories

applications

or domains to the exception list causes the Netskope Client to bypass the Netskope cloud for that traffic.

2. Netskope Security Cloud Administration and Operations (NSK101) Student Guide

v4.5.1

Module 7: TLS Decryption. Section: "TLS Decryption Policies

" pp. 4-6. This section explains that for inline inspection of content (such as DLP) to occur on encrypted traffic

a "Decrypt" policy action is required. An explicit "Do not decrypt" rule for a domain would prevent DLP inspection.

3. Netskope Technical White Paper

"The 5 Tenets of a Modern SASE Platform

" 2023

Section: "A Private Cloud Network for a Better User Experience

" p. 8. This document describes the global nature of the NewEdge network

clarifying that policy enforcement is independent of POP geography.

4. Netskope Secure Web Gateway (SWG) Deployment Guide

Rev. 11-2022

Section: "Traffic Steering from an On-Premises Proxy

" p. 31. This guide confirms that traffic forwarded via IPsec or GRE tunnels is subject to the full suite of Netskope security services

including Real-time Protection policies like DLP.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE