Subsequent to extensive logging, analysis, and corresponding packet captures, I have correlated results from two managed endpoints under the following conditions:
With Netskope active/tunneling
With both Netskope/GlobalProtect active/tunneling
Without either
Log stream captures were correlated against the corresponding pcaps; results are presented as pasted herein. Sanitized logs and reports are available upon request.
TIME ───────────────────────────────────────────────────────────▶

STEP 1: DNS RESOLUTION (Resolver Layer)
────────────────────────────────────────
  Client → DNS Query
         ← Response: hostname → IPs (TTL = 60)
  [TTL countdown begins immediately]

  Example:
    cityofphoenix.jamfcloud.com
      → 184.32.98.75, 54.218.86.150, 34.215.108.82
      TTL = 60s

STEP 2: TTL DECAY (Cache Reality)
────────────────────────────────────────
  Time passes (milliseconds → seconds)
  Observed TTLs:
    - 60 → 57 → 32 → 7 → 2
  (Netskope system shows fragmented snapshots:
   multiple partial TTL views simultaneously)

STEP 3: FLOW INITIATION (Application Layer)
────────────────────────────────────────
  App (Jamf / MDM / curl) initiates connection
    → Uses cached DNS result (may be near-expiry)

STEP 4: NETSKOPE INTERCEPTION (Enforcement Layer)
────────────────────────────────────────
  NEFilterDataProvider.handleNewFlow()
  Evaluation happens HERE → *later in time*

  Inputs:
    - hostname (policy)
    - IP (connection)
    - TTL state (already decayed)
    - possibly re-resolved or stale mapping

STEP 5: DECISION POINT
────────────────────────────────────────
  ❌ If hostname ↔ IP mapping is out of sync:
       → verdict = DROP
  ✅ If IP explicitly allowed:
       → verdict = ALLOW

STEP 6: OUTCOME
────────────────────────────────────────
  Without IP exception:
    → probabilistic / inconsistent success
  With IP exception:
    → deterministic success
