Netskope / Proxy Interview Guide – Vishakha Sharma
Comprehensive Q&A covering Netskope architecture, OSI mapping, forward vs reverse proxy, DLP, SSL
inspection, troubleshooting scenarios, industry use cases, and HR questions.
Target Roles: Network Engineer (L1/L2), Security Analyst (Proxy), Cloud Security Analyst.
1) Netskope Architecture – Overview
• Netskope Security Cloud is delivered via the NewEdge global network (data plane) with a separate
management plane (admin console, policy, reporting).
• Traffic is steered to Netskope using: (a) Netskope Client/Agent (endpoint steering), (b) Network-based
steering like GRE/IPsec from egress devices, (c) PAC files/explicit proxy, and (d) IdP SAML-based reverse
proxy for select SaaS apps (clientless).
• Security services include: Next-Gen SWG, CASB (inline & API), DLP, ZTNA/Private Access, Threat
Protection, RBI (remote browser isolation), and Cloud Firewall features.
• Identity & context used in policy: user/group from IdP (SAML/SCIM), device posture from MDM/endpoint
checks, location, app, activity, risk, file type, and content inspection results.
• Logging & visibility: Real-time events (web, cloud app, private access), incidents for DLP/Threats, and detailed
reports for compliance and operations.
2) Netskope Working – Mapping to the OSI Model
• Layer 3 (Network): Steering via IP-based tunnels (GRE/IPsec) from on-prem egress to Netskope NewEdge;
routing decisions determine path to cloud security.
• Layer 4 (Transport): TCP/UDP sessions are established to Netskope gateways; connectivity/latency at this
layer affects user experience.
• Layer 5 (Session): TLS/SSL handshakes begin; session persistence and renegotiation impact inspection.
• Layer 6 (Presentation): SSL/TLS decryption/re-encryption occurs for inspection (if SSL inspection enabled).
Certificate trust and pinning issues appear here.
• Layer 7 (Application): HTTP/HTTPS and SaaS API calls are inspected for URL category, app risk, user
activity, and content (DLP, threat intel). Policies are enforced at this layer.
3) Forward Proxy vs Reverse Proxy – In Depth
Forward Proxy (Client → Proxy → Internet)
• Used for outbound user traffic control, web filtering, SWG, CASB inline controls, malware scanning, and DLP.
• Common with endpoint agent or PAC/explicit proxy. Netskope’s Next-Gen SWG and Inline CASB operate in
this mode.
• Pros: Visibility of all outbound traffic, granular controls (user, app, activity, content).
• Challenges: SSL inspection complexities (cert trust, pinning), performance/latency if not tuned.
Reverse Proxy (Client → Reverse Proxy → Internal/SaaS App)
• Used to protect access to specific applications by placing a proxy in front of the app (often integrated via IdP
SAML flows).
• Netskope supports clientless access for sanctioned SaaS apps via SAML-based reverse proxy to enforce
policies without an agent.
• Pros: No agent required for certain use cases; selective control over target apps; good for BYOD scenarios.
• Challenges: App compatibility, complex SSO/SAML configs, and limited coverage (only sanctioned apps).
4) Netskope Policy Evaluation – What Decides Allow/Block
• Policy match uses identity (user/group), destination (URL/app/category), activity (upload, download, post), and
context (location, device posture).
• Content inspection (DLP/Threat) contributes to final decision. Policy order and specificity matter: more specific
rules should be above general ones.
• Bypass logic: business-critical apps with breakage (e.g., certificate pinning) may require targeted SSL bypass
or steering exceptions.
• Coaching/Justification can be used instead of hard block to reduce user disruption while capturing intent.
5) Netskope DLP – Tricky Questions & Answers
Q: What is the difference between Inline DLP and API-based DLP in Netskope?
A: Inline DLP inspects data in motion for web/SaaS traffic steered through Netskope in real time. API-based DLP
scans data at rest in sanctioned cloud apps via app connectors, detecting sensitive data already stored or newly
created.
Q: How do you design DLP policies for PAN/Aadhaar without breaking business?
A: Start with ‘Alert’ mode to baseline; tune dictionaries/regex for Indian identifiers; add exceptions for trusted
domains; move to ‘Block’ with thresholds and user coaching; iterate with business owners.
Q: How do you handle OCR-based detections?
A: Enable OCR for targeted file types (scanned PDFs, images); limit to sensitive workflows to reduce overhead;
validate detections and adjust thresholds or dictionaries.
Q: Explain EDM and IDM and when to use each.
A: Use EDM for exact matching of structured, high-value records (customer IDs). Use IDM for protecting unique
documents (contracts, designs). Combine both for layered protection.
Q: Common causes of DLP false positives and how you tuned them?
A: Overly broad regex, dictionary noise, lack of thresholds, missing exceptions. I tightened regex with word
boundaries, added whitelists for internal domains/seed data, and set match counts to reduce noise.
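The tuning levers in the two answers above (word-boundary regexes, a checksum check, seed-value and trusted-domain exceptions, match-count thresholds, alert-before-block) as a small runnable scanner. This is an added example written for this guide, not Netskope's DLP engine or the author's production rules; the policy values, hostnames, and every PAN/Aadhaar-looking string in it are constructed for the example. The Aadhaar check uses the standard Verhoeff algorithm, which is the check-digit scheme Aadhaar numbers carry.

```javascript
// Added example (not from the guide, not Netskope's DLP engine): a scanner that
// shows how regex tightening, checksum validation, exceptions and thresholds
// cut DLP false positives. All sample values below are constructed.

// PAN: 5 letters, 4 digits, 1 letter; the 4th letter encodes the holder type.
// \b on both sides stops substrings of longer identifiers from matching.
const PAN_RE = /\b[A-Z]{3}[PCHFATBLJG][A-Z][0-9]{4}[A-Z]\b/g;
// Aadhaar: 12 digits, first digit 2-9, optionally grouped 4-4-4.
const AADHAAR_RE = /\b[2-9][0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}\b/g;

// Verhoeff tables (dihedral group D5); Aadhaar's last digit is a Verhoeff check digit.
const D = [
  [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
  [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
  [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
  [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
  [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
];
const P = [
  [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
  [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
  [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
  [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
];
const INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9];

// True when the full number (including its check digit) passes Verhoeff.
function verhoeffValid(digits) {
  let c = 0;
  const rev = digits.split("").reverse();
  for (let i = 0; i < rev.length; i++) c = D[c][P[i % 8][Number(rev[i])]];
  return c === 0;
}

// Check digit to append to a digit string (used only to build test data).
function verhoeffCheckDigit(digits) {
  let c = 0;
  const rev = digits.split("").reverse();
  for (let i = 0; i < rev.length; i++) c = D[c][P[(i + 1) % 8][Number(rev[i])]];
  return INV[c];
}

// Constructed policy: start in "alert" to baseline, move to "block" once tuned.
const POLICY = {
  mode: "alert",
  minMatches: 2,                                   // incident only at >= 2 distinct identifiers
  trustedDomains: ["hr.corp.example", "payroll.corp.example"],
  seedValues: new Set(["ABCPE1234F"]),             // known QA seed value, never an incident
};

function scan(text, destinationHost, policy = POLICY) {
  const pans = [...new Set(text.match(PAN_RE) || [])]
    .filter((v) => !policy.seedValues.has(v));
  const aadhaar = [...new Set((text.match(AADHAAR_RE) || []).map((v) => v.replace(/[ -]/g, "")))]
    .filter((v) => verhoeffValid(v) && !policy.seedValues.has(v));
  const matches = pans.length + aadhaar.length;
  if (matches === 0) return { action: "allow", reason: "no identifiers", pans, aadhaar };
  if (policy.trustedDomains.includes(destinationHost))
    return { action: "allow", reason: "trusted destination", pans, aadhaar };
  if (matches < policy.minMatches)
    return { action: "allow", reason: `below threshold (${matches})`, pans, aadhaar };
  return { action: policy.mode, reason: `${matches} identifiers`, pans, aadhaar };
}

// Constructed sample document: one seed PAN, one real-looking PAN, one Aadhaar
// with a valid check digit, one 12-digit number that fails the checksum, and a
// product code that a boundary-less regex would have flagged as a PAN.
const SAMPLE_DOC =
  "Employee PAN ABCPE1234F (QA seed), customer PAN XYZPK5678Q, " +
  "Aadhaar 2345 6789 0124, ref 234567890123, code XABCPE1234FX";

console.log(scan(SAMPLE_DOC, "upload.example"));
console.log(scan(SAMPLE_DOC, "hr.corp.example"));
```

Running `scan` on the sample yields one PAN and one Aadhaar (the seed value, the checksum failure and the product code all drop out), which crosses the threshold and produces an alert; the same document sent to a trusted destination is allowed with the reason recorded, which is the before/after evidence the leadership report asks for.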
Q: How do you report DLP effectiveness to leadership?
A: Monthly incident trends, top violating apps/users, false positive rate, policy changes made, and business
impact avoided. Provide before/after metrics to show tuning benefits.
6) SSL Inspection – Deep Dive Q&A
Q: What breaks when SSL inspection is enabled?
A: Apps with certificate pinning (banking, some mobile apps), mutual TLS requirements, or non-HTTP protocols
over TLS can break. Fix with targeted SSL bypass for domains/SNI or app categories.
Q: How do you validate SSL issues quickly?
A: Check certificate chain in browser, compare with direct vs through proxy, review Netskope logs, and capture
with Wireshark to inspect TLS alerts (e.g., handshake failure, unknown CA).
Q: What is SNI and why is it important?
A: Server Name Indication is part of TLS handshake that carries the hostname. Proxies use SNI for routing and
policy decisions prior to decryption. Accurate SNI is critical for precise bypass rules.
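The two TLS records the answers above point at in a capture, a ClientHello (where the SNI the proxy keys its bypass and policy decisions on is carried) and an Alert (where "handshake failure" or "unknown CA" is reported), decoded by a small parser. This is an added example, not code from the guide or from Netskope; the byte layouts follow the TLS record and ClientHello formats, the alert code table is the standard one, and the hostname, random bytes and cipher suite in the builder are constructed so the parser can be exercised offline.

```javascript
// Added example (not from the guide): decode a TLS ClientHello's SNI and a
// TLS Alert's level/description from raw record bytes, the two things a proxy
// engineer reads first when an inspected session fails.

// Standard TLS alert descriptions that matter in proxy troubleshooting.
const ALERT_DESCRIPTIONS = {
  0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
  43: "unsupported_certificate", 44: "certificate_revoked",
  45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
  70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
  116: "certificate_required",
};

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

// Build a minimal TLS 1.2-style ClientHello carrying one server_name extension.
// Constructed for the example: fixed random, a single cipher suite, no other extensions.
function buildClientHello(hostname) {
  const name = Buffer.from(hostname, "ascii");
  const sniEntry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]); // host_name
  const sniExt = Buffer.concat([
    Buffer.from([0x00, 0x00]),                 // extension type 0: server_name
    u16(sniEntry.length + 2),                  // extension data length
    u16(sniEntry.length), sniEntry,            // ServerNameList
  ]);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),                 // client_version TLS 1.2
    Buffer.alloc(32, 0xab),                    // random (fixed for the example)
    Buffer.from([0x00]),                       // session_id length 0
    Buffer.from([0x00, 0x02, 0xc0, 0x2f]),     // cipher_suites: one suite
    Buffer.from([0x01, 0x00]),                 // compression_methods: null
    u16(sniExt.length), sniExt,                // extensions
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]); // type client_hello
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Walk the ClientHello to its extensions and return the first host_name SNI, or null.
function extractSni(hs) {
  let off = 4;                          // handshake type (1) + length (3)
  off += 2 + 32;                        // version + random
  off += 1 + hs[off];                   // session_id
  off += 2 + hs.readUInt16BE(off);      // cipher_suites
  off += 1 + hs[off];                   // compression_methods
  if (off + 2 > hs.length) return null; // no extensions block
  const extEnd = off + 2 + hs.readUInt16BE(off);
  off += 2;
  while (off + 4 <= extEnd) {
    const extType = hs.readUInt16BE(off);
    const extLen = hs.readUInt16BE(off + 2);
    off += 4;
    if (extType === 0x0000) {
      let p = off + 2;                  // skip ServerNameList length
      const listEnd = off + extLen;
      while (p + 3 <= listEnd) {
        const nameLen = hs.readUInt16BE(p + 1);
        if (hs[p] === 0) return hs.toString("ascii", p + 3, p + 3 + nameLen);
        p += 3 + nameLen;
      }
    }
    off += extLen;
  }
  return null;
}

// Classify one TLS record: alert (level + description), client_hello (+ SNI), or other.
function parseTlsRecord(buf) {
  if (buf.length < 5) return { type: "truncated" };
  const contentType = buf[0];
  const recordLen = buf.readUInt16BE(3);
  if (buf.length < 5 + recordLen) return { type: "truncated" };
  const payload = buf.subarray(5, 5 + recordLen);
  if (contentType === 0x15 && payload.length >= 2) {
    return {
      type: "alert",
      level: payload[0] === 2 ? "fatal" : "warning",
      description: ALERT_DESCRIPTIONS[payload[1]] || `unknown(${payload[1]})`,
    };
  }
  if (contentType === 0x16 && payload[0] === 0x01) {
    return { type: "client_hello", sni: extractSni(payload) };
  }
  return { type: `other(0x${contentType.toString(16)})` };
}

// Constructed capture fragments: a fatal unknown_ca alert (what a client that does
// not trust the proxy's inspection CA sends) and a fatal handshake_failure alert.
const SAMPLE_UNKNOWN_CA = Buffer.from([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x30]);
const SAMPLE_HANDSHAKE_FAILURE = Buffer.from([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28]);

console.log(parseTlsRecord(buildClientHello("portal.example")));
console.log(parseTlsRecord(SAMPLE_UNKNOWN_CA));
```

A fatal `unknown_ca` right after the server Certificate is the signature of a client that does not trust the inspection CA (or a pinned app rejecting it), which is the case for a scoped SSL bypass; the SNI pulled from the ClientHello is the exact value such a bypass rule must match, so reading it from the capture rather than guessing from the URL avoids rules that miss CDN-rotated hostnames.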
7) Troubleshooting Scenarios – Step-by-Step
• User cannot browse with proxy: verify internet and DNS, agent status, policy hits in logs, try bypass test,
inspect TLS handshake, apply temporary exception if justified.
• App slow via proxy: check path latency to nearest gateway, review SSL inspection and policy complexity, test
without decryption, review content scanning load, coordinate with vendor if app specific.
• DLP incident seems wrong: pull incident details, validate content matches, test with sanitized sample, adjust
regex/dictionary/thresholds, document change and monitor.
• Identity mismatch: ensure IdP attributes synced via SAML/SCIM, verify user-group mapping, and re-test policy
hits.
8) Why Clients Across Industries Need Netskope Proxy
• BFSI: Prevent exfiltration of PII/financial data, meet PCI-DSS; control access to SaaS (CASB) and enforce
strict DLP for statements/KYC docs.
• Healthcare: Protect PHI, HIPAA alignment, restrict file sharing to approved tenants, scan uploads/downloads.
• IT/ITES: Control source code leakage, secure contractor/BYOD access with clientless reverse proxy and
ZTNA for private apps.
• Manufacturing: Protect CAD/design IP with IDM fingerprints; restrict unsanctioned cloud storage.
• Media/EdTech: Safe browsing, malware protection, policy-based access to social and collaboration tools.
9) Challenges Faced in My Work & How I Overcame Them (STAR)
• SSL Pinning Broke a Banking App
Situation: Users could not access a critical banking portal after enabling SSL inspection.
Task: Restore access without weakening overall security.
Action: Collected Wireshark traces, confirmed pinning; created a scoped SSL bypass for specific FQDNs and
relevant CDNs; validated with change window; added user coaching on uploads.
Result: Service restored within SLA, zero DLP blind spots for other domains, and an SOP was published to
handle future pinning cases.
• High False Positives in DLP for PAN/Aadhaar
Situation: Business teams flagged frequent false positives blocking normal workflows.
Task: Reduce noise without missing true incidents.
Action: Tightened regex with boundaries, added thresholds, whitelisted internal test domains, and piloted ‘alert’
mode before enforcement.
Result: False positives reduced by ~60%, with improved user satisfaction and cleaner reports.
10) One Standout Netskope Issue I Solved (Extraordinary)
Situation: A global team could not upload compliance reports to a regulator portal through Netskope; uploads
timed out intermittently, impacting a filing deadline.
Task: Identify root cause and restore reliable uploads before cutoff.
Action: Correlated Netskope transaction logs with Wireshark captures and found that the portal rotated among
multiple hostnames behind a CDN; our policy inspected some hosts but another hostname triggered certificate
pinning errors. I built a targeted policy set: (1) precise SSL bypass for the pinned hosts based on SNI and
certificate issuer, (2) maintained full inspection for the non-pinned hosts, and (3) added traffic shaping to stabilize
throughput. Coordinated a controlled test with power users and completed a change ticket with rollback.
Result: Upload success rate went from ~60% to 100%, filing completed on time, and the tuned policy set was
standardized across regions with a runbook for future CDN changes.
11) Netskope Architecture – Explainer Q&A
Q: What is NewEdge?
A: Netskope’s globally distributed data plane providing low-latency security services (SWG, CASB, DLP, etc.).
Q: How is traffic steered to Netskope?
A: Via endpoint client, PAC/explicit proxy, GRE/IPsec tunnels, and SAML-based reverse proxy for specific SaaS
apps.
Q: Where are policies configured and how are they applied?
A: Policies are configured in the admin console (management plane) and enforced at the data plane when traffic
matches steering and policy criteria.
Q: How does ZTNA/Private Access fit in?
A: It provides application-specific access to internal apps without exposing the network, using identity and device
posture.
12) General Networking & Proxy – Expanded Q&A
Q: Explain PAC file vs explicit proxy vs agent steering.
A: PAC provides dynamic proxy selection via a script; explicit proxy sets a fixed proxy; agent steering captures
traffic locally and sends it to the closest gateway with identity and posture context.
Q: What is split tunneling and when would you use it?
A: Steer only business traffic to the proxy and send personal/bypass traffic direct to the internet to reduce latency
and privacy issues.
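A PAC file that implements the split tunneling and steering exceptions the two answers above describe, as an added example (not a Netskope-supplied PAC and not the author's): internal names go DIRECT, a short list of certificate-pinned hosts is exempted from steering, and everything else goes to the forward proxy. The gateway address, domain names and pinned-host patterns are constructed placeholders; the helper fallbacks exist only so the file can be unit-tested in Node, since browsers and OS proxy resolvers supply `dnsDomainIs`, `isPlainHostName` and `shExpMatch` natively.

```javascript
// Added example (not from the guide, not a Netskope PAC): split tunneling plus
// targeted steering exceptions. All hostnames and the proxy address are constructed.

// Browsers provide these PAC helpers; the fallbacks run only under Node so the
// file can be tested offline and are skipped wherever the real ones exist.
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.slice(host.length - domain.length) === domain;
  };
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.shExpMatch = function (str, pattern) {
    var re = new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
    return re.test(str);
  };
}

// Constructed values. Appending "; DIRECT" to PROXY_CHAIN would make the file
// fail open when the gateway is unreachable; leaving it off fails closed.
var PROXY_CHAIN = "PROXY gateway.example.invalid:8080";
var INTERNAL_DOMAINS = [".corp.example", ".intranet.example"];
// Steering exceptions remove proxy visibility entirely, so keep this list to
// hosts that truly break (certificate pinning) and prefer an SSL-bypass rule
// on the proxy, which keeps the session logged, wherever that works instead.
var PINNED_BYPASS = ["pinnedbank.example", "*.cdn-of-pinnedbank.example"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Split tunnel: plain names, localhost and private address literals stay on-net.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  if (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*")) return "DIRECT";
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    if (dnsDomainIs(host, INTERNAL_DOMAINS[i])) return "DIRECT";
  }

  // 2. Steering exception for the few hosts that break under inspection.
  for (var j = 0; j < PINNED_BYPASS.length; j++) {
    if (shExpMatch(host, PINNED_BYPASS[j])) return "DIRECT";
  }

  // 3. Everything else is business traffic and goes through the forward proxy.
  return PROXY_CHAIN;
}
```

The ordering matters: internal and pinned-host checks come first so a broad catch-all never shadows them, and the pinned list is the one place a reviewer should push back on growth, because each entry is traffic the proxy will never see. Agent steering makes the same decisions from a central configuration with identity and posture attached, which is why a PAC is usually the fallback rather than the primary steering method.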
Q: How do you decide between GRE and IPsec to NewEdge?
A: GRE is simple and performant for web traffic; IPsec adds encryption between sites and Netskope and may be
preferred for compliance.
Q: How do you debug a 407/401 proxy auth issue?
A: Check identity mapping, SSO tokens, PAC rules, agent status, and ensure user/group attributes flow correctly
from IdP.
Q: What is URL category vs app definition?
A: URL category classifies sites (e.g., Finance, Social), while app definition understands specific SaaS apps and
their activities (upload, share, post).
13) HR / Behavioral – Comprehensive Q&A
Q: Tell me about yourself.
A: Cybersecurity Analyst with ~1.9 years of L1 experience in proxy solutions (Netskope, Zscaler), DLP, and
network troubleshooting. Looking to grow into broader network/security operations.
Q: Biggest strengths?
A: Structured troubleshooting, clear communication with users, and strong documentation (SOPs/runbooks).
Q: Areas to improve?
A: Deepening automation skills and advanced routing/switching—currently learning and applying to routine tasks.
Q: Why do you want this role?
A: It aligns with my hands-on experience in proxy and network security and offers scope to contribute while
learning advanced capabilities.
Q: How do you handle pressure and multiple incidents?
A: Triage by impact/severity, communicate ETAs, and use templates/runbooks to accelerate standard
resolutions.
Q: Any offer in hand?
A: Yes; evaluating options that align with growth in proxy/cloud security. Priority is long-term learning and impact.
Q: Expected CTC?
A: Open to discussion; aligned to role scope and market standards for my experience.
Q: Notice period?
A: Immediate.
Q: Why did you leave your last role?
A: Completed tenure and seeking roles with deeper network/security responsibilities and growth.
14) Rapid-Fire – Short Answers
• TCP vs UDP: reliability vs speed; choose based on app needs.
• DNS failures mimic proxy issues; always validate name resolution first.
• SNI drives early policy/bypass decisions before decryption.
• Use user coaching instead of hard blocks during pilots.
• Measure success: reduced false positives, faster MTTR, satisfied users.