
Netskope Version 71 Release Notes

Summary: This article contains release notes for version 71 of Netskope.


Article Content


Symptoms

Release notes for version 71 of Netskope.


Affected Products:

Netskope

Affected Operating Systems:

Windows
Mac
iOS
Android


Cause

Not applicable.

Resolution

This update of Netskope contains New Features and Enhancements, Hotfix Updates, Fixed Issues, Known Issues, and New Resource Types Supported in Continuous Security Assessment.

Note: For release notes of other versions of Netskope, reference Netskope Release Notes.

New Features and Enhancements

Category | Feature | Detailed Description and Benefits

App Connector | Amazon S3 | Added 'to_storage' and 'from_storage' fields for Copy and Move events.
Activities: Changed Edit to Move, so whenever a file is renamed or cut and pasted, a 'Move' activity triggers.

App Connector | Microsoft GCC High Coverage | Activities: Login Attempt, Login Successful, Login Failed, Create, Edit, Rename, Upload, Download, Send, Share, Delete, Post
Platform: Browser
DLP: Yes

App Connector | GitLab | Activities: Create, Edit, Delete
Platform: Browser
DLP: Create, Edit

App Connector | Google Suite | Feature: Creating docs, sheets, slides, forms using the shortcut URL
Activities: Create
Platform: Browser

App Connector | Microsoft Azure | Activities: Create, Edit, Delete, Upload, Download
Platform: Browser, CLI
DLP: Yes

App Connector | Slack | Activities: Log in Attempt, Log in Successful, Log in Failed, Log out
Platforms: Browser, Windows Native

App Connector | Workday Human Capital Management | Added support for Workday Drive.
Activities: Upload, Download, Edit
Platform: Browser
DLP: Yes

DLP | Improved DLP efficacy on Microsoft PowerPoint documents | When inspecting Microsoft PowerPoint files, we can now extract the headers and footers from the notes and handouts section and apply the DLP rules.

DLP | Additional File Type Support | DLP has added support for additional file types including analytics software such as Microsoft Power BI and Tableau. With this change, DLP can now support over 1200 file types.

DLP | File Filter for Threat Protection | Additional criteria have been added to the File Filter profile for Threat Protection.
Admins can now use the File Filter profile to allowlist or blocklist files for threat protection based on attributes such as file name, extension, size, and Object ID.

DLP | DLP Machine Learning Models | In this release we have added new machine learning models for detection of passports, driver licenses, and screenshots. These classifiers allow detection of sensitive information accurately without the need for deep content inspections.

DLP-Entity | Brazil LGPD | In this release, the LGPD enhancements include several additional Brazil entities, such as Voter ID, vehicle registration numbers, corresponding rules, and a profile that combines the rules.
For information about newly supported entities in this release, see New DLP Entities in version 71.

IaaS | New Bulk Setup for AWS | To simplify setup (particularly bulk setup) and to enable the new Storage Scan architecture (leveraging CloudWatch), the setup process for AWS was redesigned.
For details, see the help topic Setting Up Multiple AWS Accounts Using the New UI.
Contact Dell Data Security ProSupport to enable this feature in your account.

Introspection | New Salesforce Retro Functionality | We now support retro V3 functionality for Salesforce.

Notifications | Customizable Suppression Interval for Client Notifications | Admins can customize the suppression interval for duplicate pop-ups that are triggered by a block action.
The default is set to 60 seconds. To modify the default setting, contact Dell Data Security ProSupport.

Notifications | Display Remaining Time to Close in the Notification Pop-up | On the Netskope client notification window, end users see the remaining time configured by the admin.
This helps end users know how much time remains before the admin-configured action is taken.

Netskope Private Access (NPA) | New Product Available | NPA provides secure access to private applications that are behind an enterprise firewall in the data center and the public cloud.

Netskope for Web | Alcohol Category Addition | The Alcohol category was previously mapped to 'food and drinks'. It is now a separate category.
The new mapping for Alcohol includes sites that show alcoholic drinks such as cocktails, beer, and wine. Examples include whiskey, vodka, merlot, ale, and so on.

Netskope for Web | Prohibited URL Access | Netskope for Web customers can now prevent access to prohibited sites using translators such as Google and Bing. The available options include blocking the translators using the Translation category or using existing Inline policies that also trigger when a prohibited web page is accessed using the above translators.
For CASB-only customers, the only way to prevent access is to block the translator apps.
Note: Browser-based notifications, user-alert, and MFA actions are not supported due to a limitation of those domains.

Netskope for Web | Inline Traffic SSL Decryption | You can now leverage your own certificate for SSL decryption.
For details, go to the Signing Certificate section in the Certificates help topic: online help in your account > Administration > Certificates > Signing Certificate, or Knowledge Hub > Manage > Certificates > Signing Certificate.

Netskope for Web | Auto-download Incomplete Certificate Chain | During the SSL handshake to certain servers, when the Netskope proxy receives no information about the certificate issuer, the SSL connection is torn down.
With this release, admins can configure the action in the Security Cloud Platform settings, selecting whether the Netskope proxy should automatically fetch the information when Authority Information Access (AIA) information is available.
By default, it is enabled to allow the proxy to fetch the missing information automatically.

Traffic Steering | Netskope Client: IdP-based provisioning for multi-user mode deployment | The IdP-based provisioning feature for the Netskope Client has been enhanced to support multi-user mode.

Traffic Steering | Interoperability: Netskope Client on Windows Server 2019 | The Netskope Client release 71 has been validated to interoperate with Windows Server 2019.

Traffic Steering | Interoperability: Netskope Client on Microsoft Windows 10 build 1909 | The Netskope Client release 71 has been validated to interoperate with Windows 10 build 1909.

Web UI | Refresh button | A refresh button is available for the SkopeIT and Incidents pages that are listed below. If the UI is idle for a time and new events or alerts have been added, click the refresh button to fetch the new data without having to refresh the browser page.
SkopeIT:
  • Applications
  • Sites
  • Users
  • Applications Events
  • Page Events
  • Network Events
  • Alerts
Incidents:
  • DLP
  • Anomalies
  • Compromised Credentials
  • Malware
  • Malicious Sites
  • Quarantine
  • Legal Hold

Web UI | Configurable Timeout per Tenant | For notification pop-up timeouts, the Netskope proxy has a default value of 60 seconds. With this release, admins can configure a timeout value from the UI that should not exceed 600 seconds.
The default timeout is 60 seconds and the timer text is visible in the notification window. You must be an admin to configure this option.

Web UI | Disallow Concurrent Logins by an Admin | You can ensure that an admin can log in to a tenant only once, instead of being able to log in to a tenant multiple times concurrently. The default setting allows concurrent logins.
To change the default, go to Settings > Administration > Admins. On the top right side, click the Tools icon to open the Configure dialog box. Activate 'Disallow Concurrent Logins by same Admin' and click Save.

Hotfix Updates

This section provides descriptions for the hotfix updates released for the 70.1.0 release.

Category | Issue Number | Issue Description

IaaS | 91655, 91779 | Serverless functions added to the Compute tab in Inventory.
This issue is related to issue 91779: On the Accounts and Regions pages, the #Compute column includes only asset_type="Compute Instance".
In all other places, Compute includes both "Compute Instance" and "Function".

IaaS | 91063 | With this fix, admins can export all Raw Findings page data when the table is not sorted by Status.
When the table is sorted by Status, a 100K cap still applies. The 100K cap limitation is fixed in the upcoming release.

Fixed Issues

Category | Issue Number | Issue Description

App Connector | 72251, 93592, 90907, 91252 | Instance ID detection improvements for the following:
  • G Suite
  • WFB
  • AWS Lambda
  • Atlassian
  • Zendesk
  • Slack

IaaS | 92508 | Remediated rules show as failures due to case-sensitive matching. With the fix, the 'LIKE' operator for IaaS DSL is now case insensitive.

IaaS | 90204 | Fixed an issue which excluded re-listed deleted* resources from scans. From Netskope's perspective, the resource was deleted but it was not necessarily deleted from the Cloud Service Provider account.

IaaS | 78955 | Wrapper Rule results will now show the `account name & id` field on the Compliance > Raw Findings page.
Old results that have a blank account name & id continue to remain blank.
They remain blank to maintain historical customer data.

IaaS | 93347 | There is a new workflow available for multi-account setup capability. Contact Dell Data Security ProSupport to enable the aws_multi_account_setup_enabled feature and upgrade your account.
With the multi-account setup, you see the new UI and can use the new workflow, which enables multi-account setup with Cross Role Access capability.
All existing tenants that are licensed and using Audit Log continue to see the original UI.

IaaS | 92336 | In this release where 'aws_multi_account_setup_enabled' is enabled, accounts have limited access for the REST APIs.
For create, update, and grant workflows, support only exists for the 'securityscan' option.

Introspection | 88566 | Retroscan uses 'UID' instead of 'Domain', which results in a failure of the retroscan.

Introspection | 89879 | For O365 OneDrive and SharePoint, the 'Organization Wide Link' option in Introspection Policies > Content > 'File sharing options to scan' has been removed from the UI.

Netskope Proxy | 88591, 74550 | Accessing a xxx.com.au or xxx.co.uk website is recorded and listed as a xxx.com website name in SkopeIT.

Web UI | 88470 | IaaS API performance is slower than expected.
The system now remembers time, filter, tab, and page size from your last visit.
Subsequent visits to the same view are faster.

Web UI | 89695 | Muted rules are appearing in Compliance reports.
To fix this issue, Netskope has:
  • Added a new filter in Compliance reports: Muted = Yes/No
  • PDF/CSV download contains only muted rules if Muted = Yes
  • PDF/CSV download does not contain muted rules if Muted = No

Web UI | 90982 | The Service Monitoring page has been updated with the following:
  • Keep only the global 'Status' metric for each instance in the Service Monitoring section.
  • When an admin clicks Service Monitoring from the General Section of the Settings area, the service monitoring page for the instance appears. Previously, the landing page displayed the aggregate service monitoring across all instances.
  • If there are multiple instances set up, then the admin sees the first instance that was set up for the tenant. The order is the same as the Introspection navigation bar.

Known Issues

Category | Issue Number | Issue Description

App Connector | 77845 | Inconsistent behavior for DLP and user alerts.

App Connector | 68407 | AWS log in activities are not properly detected in SkopeIT.

App Connector | 70320, 58450 | Encryption is not working correctly for a successful quarantine for BOX.

Client | 68975 | Cisco AnyConnect is disconnecting intermittently when the Netskope client is enabled.
This is working as designed, and the workaround is to add the VPN server IP address to the Netskope IP Exception list.

Client | 68435 | When the Netskope client is disconnected, the system tries to stop the driver module. This is resulting in the system not working properly.

Client Services | 79181 | A user is seeing an "Email Invitation Expired" message during the SAML client enforcement flow, when the Netskope client is installed but disabled.

DAPII | 90764 | When using the reverse proxy mode and after the idle timeout expires, the logout URL is redirected. However, intermittently the redirect may not happen.

DLP | 79419, 79415 | The DLP Forensics capture must have an option to store in AWS S3.

DLP | 73085, 79310 | Need DLP sampling or entire file scan.

IaaS | 94576, 74864, 78848 | The Overview page filters are not displaying data as expected.

IaaS | 94572, 94571, 93767 | The Inventory storage buckets should display a sortable field for the Storage Inventory page and show the total GB in each storage bucket.

IaaS | 94558 | Currently, users can create ad-hoc CSV reports, but can only create PDF scheduled reports. Users should be able to select CSV for scheduled reports.

IaaS | 93817 | Error messaging must be expanded to include asset listing errors.

IaaS | 92123 | AR exception handling through the API is not working as expected.

IaaS | 89904 | Storage scan support for Azure files is not working as expected.

IaaS | 71692, 89626, 72074, 87724 | Need to properly capture the justification when remediating compliance findings.

IaaS | 66748, 89352 | CloudInstance is not correctly categorized as 'Database'.

IaaS | 83999 | Provide a script to create a custom role.

IaaS | 73198, 79991 | The ability to control by account and by bucket is not working properly.

IaaS | 69977, 79768 | Need CSA type detections for Google SaaS services.

IaaS | 72076, 77830 | DOM for AWS, listener support for load balancers is not working as expected.

IaaS | 69977, 74860 | Netskope for IaaS allows customers to write a custom DSL to include an allowlist of IPs allowed to access key vault in Azure. This DSL may also be used to ensure that all key vault instances have a consistent compliance check to detect configuration drifts.
An example of this DSL:
KeyVault should have NetworkACLs . IpRules with [ value eq 192.10.18.0/24 ] and NetworkACLs . IpRules with [ value eq 206.18.32.6/32 ] and NetworkACLs . DefaultAction eq "Deny" and NetworkACLs . ByPass eq "AzureServices"

IaaS | 74866, 71835 | The ability to test custom DSL in a selected AWS/Azure/GCP account is not working as expected.

IaaS | 72066, 70778 | Support for an External ID per account:
A user has an API to request from us, or provide to us, an External ID per account on demand.
Note: This means that the external ID might change at a time much later than the time it was set up.
The user would associate the unique external ID per IAM role that would be set up in each of their AWS accounts.

IaaS | 66718 | The option for configuring regions is incorrectly required to be enabled from the security scan policy.

IaaS | 95343 | If a grant fails due to a misconfiguration on the CSP side, trying to grant again displays a pop-up error in the UI, or the return data from the REST API may show an error similar to the following:
"Error: Instance not found for tenantid ####, appname aws, instance <account name>"
The workaround is to edit the account by clicking its name in the Netskope UI.

Introspection | 91204 | No files are seen in Incidents > Quarantine, but the SkopeIT event shows Quarantine.

Introspection | 70596, 85214 | Validate that Introspection works in O365 GCC environments correctly.

Introspection | 84962 | Prevent duplicate DLP alerts when email metadata changes.

Introspection | 70320, 74878 | A user uploaded a file, and the policy action executed, but the quarantine action did not.

Introspection | 70596, 72236 | The Select All functionality for Introspection file actions is not working properly.

iOS VPN Solution | 80510 | This limitation is from Microsoft. Microsoft OneDrive / OneNote does not use the PAC file, so traffic is not tunneled.

Netskope Proxy | 94088 | Browser-based justification for translating URLs is not supported.

REST API | Not applicable | In the online help, the Get Client Data REST API topic is missing.
However, it is available in the Knowledge Hub:
Get Client Data REST API

Reverse Proxy | 94865 | There are some limitations when using Microsoft PowerPoint and Teams through reverse proxy. You cannot perform the following:
  • Upload
  • Post events from the Chat and Teams tab
  • Download events from the Chat tab for Microsoft Teams
  • Download events are seen only while downloading a file in the Team Files tab

SAML Proxy | 72934 | Client certificate validation through the Cert checker option is disabled for Chromebook from release 62 onward.
By default, the Chromebook sign-in and enrollment is blocked. However, two flags to bypass the sign-in and enrollment flows are available.
Contact Dell Data Security ProSupport to enable those flags in your tenant.

SAML Proxy | 70385 | Bypass Android and iOS devices with Google MDM on reverse proxy.

User Justification | 67146 | If a policy with a user alert is triggered and the user adds a justification, a user Justification event is generated, but it does not have policy details for which the justification was given or the event was generated.

Web UI | 67438 | There is no way to tell if a Client invitation was sent through the UI.
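
The Key Vault allowlist DSL quoted under IaaS 69977, 74860 above, expressed as an offline check; this is an added example, not Netskope or Dell code. It assumes the vault is available as Azure Resource Manager JSON (properties.networkAcls with ipRules, defaultAction, and bypass), uses constructed vault records, and goes one step beyond the DSL by also reporting IP rules that are outside the allowlist.

```python
import ipaddress

# Values taken from the DSL example on this page.
REQUIRED_IP_RULES = ("192.10.18.0/24", "206.18.32.6/32")
EXPECTED_DEFAULT_ACTION = "Deny"
EXPECTED_BYPASS = "AzureServices"


def _net(value):
    # Normalize so "206.18.32.6" and "206.18.32.6/32" compare equal.
    return ipaddress.ip_network(str(value or "").strip(), strict=False)


def check_keyvault_network_acls(vault):
    """Return a list of findings; an empty list means the vault matches the rule."""
    # Assumption: 'vault' is a Key Vault resource in Azure Resource Manager JSON form.
    acls = (vault.get("properties") or {}).get("networkAcls")
    if not acls:
        return ["networkAcls not set"]
    findings, present = [], set()
    for rule in acls.get("ipRules") or []:
        try:
            present.add(_net(rule.get("value")))
        except ValueError:
            findings.append(f"unparseable ipRule: {rule.get('value')!r}")
    required = {_net(v) for v in REQUIRED_IP_RULES}
    for net in sorted(required - present, key=str):
        findings.append(f"required ipRule missing: {net}")
    # Beyond the DSL: entries outside the allowlist are reported as drift.
    for net in sorted(present - required, key=str):
        findings.append(f"unexpected ipRule: {net}")
    for key, expected in (("defaultAction", EXPECTED_DEFAULT_ACTION),
                          ("bypass", EXPECTED_BYPASS)):
        if acls.get(key) != expected:
            findings.append(f"{key} is {acls.get(key)!r}, expected {expected!r}")
    return findings


# Constructed sample records (not real vaults).
COMPLIANT_VAULT = {"name": "kv-example-a", "properties": {"networkAcls": {
    "bypass": "AzureServices", "defaultAction": "Deny",
    "ipRules": [{"value": "192.10.18.0/24"}, {"value": "206.18.32.6"}]}}}
DRIFTED_VAULT = {"name": "kv-example-b", "properties": {"networkAcls": {
    "bypass": "AzureServices", "defaultAction": "Allow",
    "ipRules": [{"value": "192.10.18.0/24"}, {"value": "203.0.113.0/24"}]}}}

if __name__ == "__main__":
    for vault in (COMPLIANT_VAULT, DRIFTED_VAULT):
        print(vault["name"], check_keyvault_network_acls(vault) or "compliant")
```
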

New Resource Types Supported in Continuous Security Assessment

Cloud Provider | Entity | Attribute Changes

Azure | none | User entity has the following new attribute:
  • LastTokenChange


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Article Properties


Affected Product

Netskope

Last Published Date

20 Dec 2022

Version

11

Article Type

Solution