TTechclick ⚡ XP 0% All lessons
Netskope · SWG · Next Gen Secure Web GatewayInteractive · L1 / L2 / L3

Netskope Next Gen SWG — Real-Time Protection Policies

Real-time Protection is the rulebook Netskope reads for every web request your users make — top to bottom, first match wins. Get the order wrong and your “Block” rule quietly does nothing. This lesson teaches you to read and build that rulebook like an engineer, not a guesser.

📅 2026-06-05 · ⏱ 12 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Build Netskope Next Gen SWG Real-time Protection policies: top-down first-match-wins order, web categories, user/group/OU source, activity control (upload/download/post), DLP + threat profiles, SSL decryption, block pages and user coaching.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

How RTP reads rules

Top-down, first-match-wins — and the default-allow trap.

 2

Build one rule

Source → Destination → Profile & Action, field by field.

 3

Order + SSL

Why placement is the policy, and decrypt-or-not.

 4

Coach, block, debug

Block pages, User Alert, and fixing a dead rule.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Netskope checks your Real-time Protection rules…

Answered in How RTP reads rules.

2. A web request hits NO rule in the list. What happens by default?

Answered in Order + SSL.

3. What decides whether DLP can actually read an HTTPS upload?

Answered in Build one rule.

Most engineers think…

Most new engineers think a Real-time Protection rule “just works” the moment they hit Save — and that adding a Block rule anywhere in the list will block that thing.

Wrong on both counts, and both will burn you in your first week. Edits stay staged until you click Apply Changes, and new rules can even be created Disabled. Worse, because the list is top-down, first-match-wins, a Block placed below a broad Allow never runs. In RTP, where a rule sits is as important as what it says.

① How Real-time Protection reads the rulebook

Open your Netskope tenant and go to Policies → Real-time Protection. What you see is a numbered list of rules. Every web, SaaS and AI request that the Netskope Client steers and decrypts is run against this list from the top down, and Netskope stops at the first rule that matches. That rule’s action is applied and — with one narrow exception — no rule below it is even looked at for that activity.

This single behaviour, first-match-wins, explains most of the “why isn’t my policy working?” tickets an L1 engineer ever raises. If a broad Allow rule sits near the top and your specific Block sits below it, the Allow matches first and your Block is dead weight. The one exception: a non-terminal DLP action set to Alert can let processing continue, but treat the default mental model as “first match, full stop”.

Now the trap that catches everyone: what about traffic that matches no rule at all? Netskope’s documented default is to allow it. So an empty or sloppy list does not “fail closed” — it lets things through. That is exactly why explicit Block rules, allowlists and a sensible bottom-of-list catch-all matter.

👉 So far: RTP is one top-down list, first-match-wins, and no-match means allow. Next: picture where this list sits relative to SSL Decryption — because that decides what RTP can even see.
Figure 1 — RTP sits behind SSL Decryption
SSL Decryption decides what the Real-time Protection list even gets to see A request from a user flows into the Netskope POP. First it hits the SSL Decryption policy set, which either decrypts the traffic or waves it through encrypted. Only decrypted traffic reaches the Real-time Protection policy list with full context for DLP and threat inspection; Do-Not-Decrypt traffic reaches RTP with limited context. SSL Decryption runs FIRST — it gates what RTP can inspect user10.50.2.7 SSL Decryptionpolicy set (top-down) Decrypt Do Not Decrypt Real-time Protection listevaluated top-down · first match wins 1 · exceptions / small groups 2 · category + activity + DLP/threat 3 · broad acceptable-use (bottom) RTP sees it with LIMITED contextno DLP/threat on encrypted payload ↑ decrypted → DLP + threat can read it untrusted / blockeddecrypted / inspectedpolicy decisionkey ideaallowed
SSL Decryption runs first and decides Decrypt vs Do Not Decrypt. Only decrypted traffic reaches RTP with the full context DLP and threat profiles need.

Four terms you will use every day in RTP

Tap each card — these are the load-bearing words for the whole policy screen.

📋
RTP list
tap to flip

The Real-time Protection policy list — your inline rulebook for web, SaaS and AI traffic. Read top-down, first match wins.

⬇️
First-match-wins
tap to flip

Netskope applies the first matching rule and stops. Rules below it never run for that activity — so order is everything.

🟢
Default allow
tap to flip

No rule matched? The request is allowed by default. RTP does not fail closed — your explicit blocks carry the weight.

Apply Changes
tap to flip

Save only stages a rule. It goes live only when you click Apply Changes. New rules can also be created Disabled.

Pause & Predict

Predict: you add a brand-new Block rule for “Gambling” to the list, hit Save, and immediately test a betting site — it still loads. Name the TWO things you should check first. Type your guess.

Answer: (1) Did you click Apply Changes? Save only stages it. (2) Is a broader Allow rule sitting above it (first-match-wins), or is the new rule Disabled? Check order and status, then Apply Changes.
Quick check · Q1 of 10

A request from a user matches no rule anywhere in the Real-time Protection list. What does Netskope do?

Correct: b. Netskope’s documented default is implicit allow — no match means the activity is permitted. That is why explicit Block rules and allowlists matter; the list does not fail closed on its own.

② Build one rule: Source → Destination → Profile & Action

Every RTP rule is the same sentence read left to right: WHO is doing WHAT on WHICH destination, and what is the verdict. Click New Policy → Web Access and you build it in three sections, each edited via the pencil icon by its heading.

Source — who the rule applies to

The Source section is the “who”. Pick by User, User Group, or Organizational Unit (OU); you can also match Unknown (all unauthenticated users), a Source network location (Trusted/Untrusted), an Access Method, an OS Family, or device classification. A rule for a small VIP group is simply a Source set to that group.

Destination — what they are reaching

The Destination for a Web Access rule is a Category — a web category chosen from the dropdown (Gambling, Streaming Media, Newly Registered Domains, and so on). For app-aware rules you instead pick a Cloud App, App Instance, or App Suite — and selecting a cloud app activates the “Activities and Constraints” section.

Profile & Action — the activity and the verdict

This is the action side. Activity-based control lets you match the verb: Browse, Upload, Download, Post, Share, Edit, Create, Delete, Form Post (the list depends on the app). A handy gotcha: Alert events are not generated for the Browse activity, so don’t expect “Alert on Browse” to fill Skope IT. You can narrow further with a Constraint Profile, attach a DLP Profile and a Threat Protection profile, then pick the Action and a Notification template (the block / coaching page).

Figure 2 — One rule, three sections
Every RTP rule is the same sentence: WHO doing WHAT on WHICH app, then the verdict A left-to-right pipeline of one Real-time Protection rule. Source answers who (user, group, OU). Destination answers what (web category or cloud app). Profile and Action answers the activity (upload, download, post), the attached DLP and threat profiles, and the final action with a notification template. Build a rule left to right — Source → Destination → Profile & Action Source — WHO • User / Group / OU • Unknown (unauth) • Network location • OS / Access Method Destination — WHAT • Web Category • Cloud App • App Instance • App Suite Profile & Action • Activities (Upload…) • Constraint Profile • DLP + Threat profile • Action: Block / Alert… • Notification template the verdict + the page shown Nothing is live until you click "Apply Changes"Save stages the rule · Apply Changes commits it · new rules can be created Disabled untrusted / blockeddecrypted / inspectedpolicy decisionkey ideaallowed
Read every rule as a sentence: Source (who) → Destination (what) → Profile & Action (activity + DLP/threat + action). Apply Changes makes it live.
🖥️ This is the screen you’ll use — Netskope tenant → Policies → Real-time Protection → New Policy → Web Access. Each row is one section of the rule. (Recreated for clarity — your tenant matches this.)
tenant.goskope.com · Policies → Real-time Protection → New Policy
1
Source (Users / Group / OU)
Group: Sales-India
2
Destination (Category)
Gambling
3
Activities
Browse, Upload
DLP Profile
PII-India
4
Action
Block
Notification template
TC-Coaching-Block
Save → Apply Changes

▶ Follow one request: Priya uploads a file on a Gambling site

Watch how a single Web Access rule evaluates Priya’s upload, field by field. Press Play for the healthy path, then Break it to see the failure.

① SourcePriya · Group=Sales-India · 10.50.4.21 matches the rule’s Source
② DestinationSite classified as Category = Gambling → Destination matches
③ Activity + DLPAction is Upload; the rule’s DLP profile scans the file
④ ActionRule action = Block → block page shown, logged in Skope IT
Press Play to step through the healthy path. Then press Break it.

Pause & Predict

Predict: you set Action = Alert on the Browse activity for the Streaming Media category, expecting Skope IT to fill with “who watched what”. Why is the log empty? Type your guess.

Answer: Because Netskope does not generate Alert events for the Browse activity. To see activity in Skope IT, alert on a real verb (Upload, Download, Post) — Browse-Alert is a known no-op.
Quick check · Q2 of 10

Sneha at Infosys must stop Sales-India staff from uploading files to Gambling sites, but still let them read those sites. Which one field change turns a blanket block into exactly that?

Correct: a. Activity-based control is the lever: scope the rule to the Upload activity so reading (Browse) is untouched while uploads are blocked. Changing Source, App Suite, or DLP does not isolate the verb.

③ Order is the policy — and SSL decides what RTP sees

Here is the lesson that separates a guesser from an engineer: in a first-match-wins list, placement is policy. Netskope’s own best practice is blunt — place rules for individuals or small groups near the top, place exceptions at the top of block policies, and put broad access-control toward the bottom. A specific rule below a broad one is a rule that never runs.

Figure 3 — Order changes the verdict
Order is the control: a broad Allow above a specific Block means the Block never fires Two stacked rulebases. On the left the broad Allow streaming-and-gambling rule sits above the Block gambling rule, so gambling is wrongly allowed because evaluation stops at the first match. On the right the specific Block gambling rule is moved to the top, so it fires first and gambling is correctly blocked. First match wins — so where you place the rule IS the policy WRONG — Block sits below the broad Allow 1 · Allow: Streaming + Gambling ← matches first 2 · Block: Gambling ← never reached Result: gambling site LOADSeval stopped at rule 1 — rule 2 dead RIGHT — Block moved above the broad Allow 1 · Block: Gambling ← matches first 2 · Allow: Streaming + Gambling Result: gambling BLOCKEDstreaming still allowed by rule 2 Rule of thumb: exceptions + small groups at the TOP, broad access-control at the BOTTOMNo match at all? Netskope allows by default — so explicit blocks matter. untrusted / blockeddecrypted / inspectedpolicy decisionkey ideaallowed
Same two rules, two orders, opposite results. A Block below a broad Allow is dead; move it above and it fires. Reorder by drag-and-drop, then Apply Changes.

Netskope’s own best-practice doc gives a documented top-to-bottom shape: Threat Protection → Utility policies → Remote Browser Isolation (RBI) → CASB activity rules → Web category rules → Netskope Private Access (NPA). You don’t have to memorise it, but notice the pattern — sharp, high-risk and exception rules first; the broad acceptable-use web-category catch-all near the bottom. And always test new rules with a small test-user group first before they hit everyone.

SSL Decryption — the gate before RTP

SSL Decryption is a separate policy set at Policies → SSL Decryption → Add Policy, and it runs before RTP. Its action is Decrypt or Do Not Decrypt. The docs are explicit: “Decrypt: traffic will move to deep analysis via the Real-time Protection policies.” If a flow hits Do Not Decrypt (or is a certificate-pinned app that auto-bypasses), RTP still sees it but with limited context — your DLP and threat profiles can’t read an encrypted payload.

Common mistake — “my DLP profile never fires on HTTPS”

Symptom: you attach a perfect DLP profile to a Web Access rule, upload a test file to an HTTPS site, and Skope IT shows nothing. Cause: the traffic hit a Do Not Decrypt SSL policy (or a cert-pinned app), so RTP only saw it “with limited context” and DLP couldn’t read the payload. Fix: add a Decrypt policy for that category/app — but remember Finance/Accounting is often left as Do-Not-Decrypt on purpose to avoid PCI-DSS / GLBA / GDPR issues.

One more SSL gotcha for your first day: new SSL Decryption policies are created Disabled — you must enable them. And path-based matching doesn’t work on undecrypted traffic, because the URL path lives inside the encrypted payload.

Karthik at Wipro faces this

Karthik, an L1 analyst, built a Block rule for “Gambling”, hit Save, and pinged a betting site to test — it loaded fine. He’s convinced the category is wrong.

Likely cause

The category was right. A broad “Allow: Streaming + Gambling” acceptable-use rule sat ABOVE his Block, so first-match-wins handed the verdict to the Allow. His Block was never reached. (And he hadn’t clicked Apply Changes either.)

Diagnosis

He opens Skope IT and checks which policy name actually hit the request — it shows the broad Allow, not his Block.

Skope IT → Page Events → (Policy column shows the matching rule)
Fix

Drag the “Block: Gambling” rule ABOVE the broad Allow, confirm Status = Enabled, then click Apply Changes.

Verify

Re-test the betting site → it now shows the block page; in Skope IT the matching policy is now “Block: Gambling”, and streaming still works.

👉 So far: order decides the verdict, and SSL Decryption decides whether DLP/threat can even read the payload. Next: the user-facing side — block pages, coaching, and debugging a dead rule.
Quick check · Q3 of 10

You enabled a DLP profile on a Web Access rule for an HTTPS app, but no incidents appear in Skope IT. What is the most likely cause?

Correct: c. DLP needs the decrypted payload. If SSL Decryption sent the flow down a Do-Not-Decrypt path (or it’s a pinned app), RTP only matches with limited context and DLP can’t read the content. Add a Decrypt policy for that app/category.

④ Block, coach, and debug the dead rule

When a rule matches, the Action dropdown decides the user’s experience. Web Access primarily exposes Alert (log only / monitor) and Block, with the broader action set including Allow, User Alert, Bypass and Quarantine. The two you’ll explain in interviews are Block vs User Alert.

Block is a locked door: the request is denied and the user sees the Notification template you attached (your block page). User Alert is a polite doorman: it shows a coaching page that warns “this site is risky” and lets the user click Continue if they truly need it — and it logs who proceeded. Block is enforcement; User Alert is awareness with an audit trail.

Figure 4 — RTP build cheat sheet
The Real-time Protection cheat sheet — actions, activities, and the build order on one card A cheat-sheet card with three columns. Left lists the RTP actions Allow, Block, Alert, User Alert, Bypass, Quarantine. Middle lists common activities Browse, Upload, Download, Post, Share, Edit. Right is the seven-step build checklist from Source to Apply Changes. Real-time Protection — one-glance build card Actions Allowlet it throughBlockdeny + block pageAlertlog only (monitor)User Alertcoach: click ContinueBypassskip inspectionQuarantinehold for review Activities Browseno Alert events fireUploadoutbound fileDownloadinbound filePostsubmit / sendSharegrant accessEdit / Createmodify content Build order 1 · Set Source (who)2 · Set Destination3 · Pick Activities4 · Add Constraint5 · Attach DLP/Threat6 · Choose Action + page7 · Save → Apply Changes order = top-down, first match wins
Your one-card reference: the action menu, the common activities, and the seven-step build order ending in Apply Changes.
Pro tip — the mental model that sticks

For any RTP question, read the rule as a sentence and check three things in order: (1) Order — is a broader rule above it stealing the match? (2) Decryption — is the flow actually decrypted so DLP/threat can read it? (3) Commit — did you click Apply Changes and is the rule Enabled? Nine out of ten “it’s not working” tickets are one of these three.

Prove the rule actually works

Don’t trust Save — prove it in Skope IT. Trigger the activity with a test user, then open Page/Application Events and confirm the Policy column shows YOUR rule name and the expected Action. If it shows a different policy, you have an ordering problem; if it shows nothing, check decryption and Apply Changes.

A modern twist worth knowing for interviews: Netskope’s April 2025 AI-security update extended this same RTP engine to police GenAI apps. Inline policies can control specific AI actions — upload, download, copy and print — beyond a blunt allow-or-block, and real-time DLP can inspect both the prompt a user types and the AI-generated response. The “block uploads to a personal app” pattern you just learned is exactly how teams now stop staff pasting source code into ChatGPT.

For certification, map this lesson to the Netskope tracks: NSK100 (NCCSA) at the foundational tier and NSK200 (NCCSI), whose blueprint explicitly tests “User Activity and Threat Protection” and “SWG Functionalities” — URL filtering, SSL inspection, and category/threat/user-context policy building. The classic interview question: “Explain Netskope policy evaluation order and what happens on a no-match.” You can now answer it cold.

Pause & Predict

Predict: your manager wants finance staff coached (not hard-blocked) before they reach high-risk Newly Registered Domains, with a record of who proceeds. Which Action, and where in the list does this rule belong? Type your guess.

Answer: Use User Alert (coach + Continue + logged), and place it near the top for that small finance group — above any broad acceptable-use Allow — so first-match-wins lets it fire. Then Apply Changes.
Next: CASB — Inline + API Data ProtectionBack: Architecture & Traffic Steering
Quick check · Q4 of 10

Aditya at TCS must let users reach a risky-but-sometimes-needed vendor portal, while warning them and recording who chose to proceed. Which Action fits best?

Correct: c. User Alert shows a coaching page, lets the user click Continue, and logs the choice — exactly “warn + allow + audit”. Block denies outright, Bypass skips inspection entirely, and Quarantine holds content for review.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Netskope docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

How is the Netskope Real-time Protection policy list evaluated?

Correct: c. RTP is read top-down and stops at the first matching rule, applying its action. It is not strictest-wins or bottom-up; order is therefore policy.
Q6 · Apply

Sneha must block Sales-India from uploading to Gambling sites but still let them read those sites. Which field isolates exactly that?

Correct: a. Activity-based control scopes the rule to the Upload verb, so reading (Browse) is untouched. Quarantine, Source=Unknown, and dropping the template do not separate the verb.
Q7 · Apply

You add a Decrypt SSL policy for a category but the change has no effect — DLP still sees nothing. The single most likely first thing to check?

Correct: b. New SSL Decryption policies are created Disabled, and edits stay staged until Apply Changes. Enabling it and committing is the first check before deeper troubleshooting.
Q8 · Analyze

A Block rule for Gambling sits at position 8; a broad “Allow: Streaming + Gambling” acceptable-use rule sits at position 3. Gambling still loads. Root cause?

Correct: c. First-match-wins: the broad Allow higher in the list wins and evaluation stops, so the lower Block never runs. Move the Block above the Allow and Apply Changes.
Q9 · Analyze

After enabling RTP, an HTTPS app shows policy hits in Skope IT but the attached DLP profile never raises an incident. Best explanation?

Correct: b. Policy hits show the rule matched, but DLP needs decrypted content. A Do-Not-Decrypt (or cert-pinned) path gives RTP only limited context, so DLP sees nothing. Add a Decrypt policy.
Q10 · Evaluate

Two RTP rollouts for a 4,000-user firm: (A) one broad Allow on top with specific blocks below; (B) exceptions + small-group + sharp blocks on top, broad acceptable-use at the bottom, tested with test users first. Which is the stronger default and why?

Correct: a. In a first-match-wins list, specific and exception rules must sit above the broad catch-all or they never run. B mirrors Netskope’s documented ordering and the test-first practice; A’s broad top Allow would shadow every block below it.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why can a Block rule placed below a broad Allow rule do absolutely nothing? Then compare to the expert version.

Expert version: Because the Real-time Protection list is evaluated top-down and stops at the first match — the broad Allow matches first, applies its action, and the Block below it is never reached. Move the Block above the Allow and Apply Changes.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Real-time Protection (RTP)
Netskope’s inline policy list for web, SaaS and AI traffic, evaluated top-down on decrypted flows.
First-match-wins
The first matching rule’s action is applied and evaluation stops — so rule order is policy.
Default allow
Traffic that matches no rule is permitted by default; RTP does not fail closed.
Source
The who of a rule: User, User Group, OU, Unknown (unauthenticated), network location, OS, or access method.
Destination
The what of a rule: a Web Category, Cloud App, App Instance, or App Suite.
Web Category
A URL-filtering classification of a site (e.g. Gambling, Streaming Media, Finance/Accounting).
Activity-based control
Matching the verb a user performs — Browse, Upload, Download, Post, Share, Edit — not just the destination.
Constraint Profile
An extra condition that narrows an activity, e.g. only Upload when file type, size or name matches.
DLP Profile
A content-inspection ruleset attached to a rule to find sensitive data (PII, secrets, source code).
Action
The verdict: Allow, Block, Alert, User Alert, Bypass, or Quarantine.
Notification template
The block page or user-coaching page shown to the user when a rule fires.
SSL Decryption
A separate policy set, run before RTP, that decides Decrypt vs Do Not Decrypt — gating deep inspection.
Apply Changes
The commit step; Save only stages edits, which go live only after Apply Changes.
Skope IT
Netskope’s log/event console used to confirm which policy actually hit a request.

📚 Sources

  1. Netskope Docs — “Create a Real-time Protection Policy for Web Categories” (Policies → Real-time Protection → New Policy → Web Access; Source/Category/Action fields). docs.netskope.com
  2. Netskope Docs — “Best Practices for Real-time Protection Policies” (top-down sequential; small groups + exceptions at top; default-allow; Apply Changes). docs.netskope.com
  3. Netskope Docs — “Add a Policy for SSL Decryption” (Do Not Decrypt vs Decrypt → deep analysis via RTP; new policies created disabled). docs.netskope.com
  4. Netskope Community — “Best Practices: Managing RealTime Policy Structure” + “SSL Decryption of Web Category: Finance/Accounting” (recommended Threat→Utility→RBI→CASB→Web→NPA grouping, PCI/GLBA/GDPR do-not-decrypt rationale). community.netskope.com
  5. Netskope — “Netskope Advances AI Security” (Apr 2025): RTP/inline control of GenAI actions (upload/download/copy/paste) + real-time DLP on prompts and AI responses. netskope.com/press-releases
  6. Netskope NSK200 (NCCSI) exam blueprint — domains “User Activity and Threat Protection” + “SWG Functionalities” (URL filtering, SSL inspection, policy building); NSK100 (NCCSA) foundational. infosec.netskope.com

What's next?

You can now read and build the inline web rulebook. Next we go deeper into Inline + API Data Protection — how Netskope finds and stops sensitive data both in real time and at rest inside your SaaS.

Next · Netskope CASB: Inline + API Data Protection → Practice on exam.techclick.in →