Frequently Asked Questions

Q: What happens if Umbrella roaming client can’t connect to the server for IP Layer Enforcement?

A: If the VPN can't connect, it keeps trying to connect but it also backs off and should not interfere with other services. The VPN does not fail closed and block other traffic, it simply fails t o open if the VPN server is not available.

Q: How does this affect my existing Umbrella service?

A: Other than improving a small gap in our ability to secure your computers both on and off the network, there should be no change. Direct requests to IP addresses that are not considered suspicious won't be affected. Only direct connections to IP addresses or ranges of IPs, listed in the routing table delivered onto the Umbrella roaming client will be affected and only attempts to contact these IPs will be intercepted by the technology.  

Q: How is the VPN for IP Layer Enforcement secured?

A: The secure tunnel for the IP Layer Enforcement is based on IPSec, so the traffic between the computer that has the Umbrella roaming client installed and the Umbrella service is encrypted for integrity and confidentiality from end to end.

Q: How does IP Layer Enforcement work with another VPN installed?

A: When another VPN, such as AnyConnect or JunOS/Pulse Secure, is active and detected, the IP Layer Enforcement feature will 'back off’ automatically and become disabled. The IP Layer Enforcement will be enabled when the VPN is not connected. Any issues you do see with other VPN software should be reported to Support.

Q: Can I add my own list of IPs to allow or block?

A: On our early release of this feature, the IP Layer Enforcement will have a single list of malicious/suspicious IPs for everyone. Cisco Umbrella security researchers maintain and update the list to protect you from the latest threats. However, customer specified IP addresses are something we'd love to add in and are part of the roadmap under a feature called "Allow/Block Lists" that's coming up. We'll also give you the ability to specify IP ranges.

Q: How does this VPN approach fit into my existing policy application?

A: The policy application takes place at the same point in the cloud as any other Umbrella policy, so whatever you’ve defined for policy will still take place. For instance, if you have a custom block page and are attempting to reach a malicious IP on port 80 through a browser, you should see a block page displayed.

Add IP Layer Enforcement < Frequently Asked Questions > Appendix A – Status and Functionality