Not all features described here are available to or compatible with all Umbrella packages. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.
- Enable IP Layer Enforcement for the Umbrella Roaming Client
- Test to Ensure IP Layer Enforcement is Functional
- Frequently Asked Questions
There are times when malware authors will use an IP address instead of a fully qualified domain name to host malware. Malware authors might use IP addresses that bypass DNS lookups when creating a threat. For example, one of your users might receive a phishing email with a URL that has an IP address in it, for example, http://x.x.x.x/malware.exe while they're not in your office and protected by your firewalls. Or, a user may go home, insert an infected USB stick into their computer to look at their children's homework, and execute malware that contacts http://x.x.x.x:3000/malicious/bad.exe.
Normally, malware authors use domain names and not IP addresses. There's a good reason for that: IP addresses that host malware are quickly blocked or taken down by the ISP that owns them, but a domain name can always resolve to a new IP address. There are, however, exceptions where Umbrella needs to block IPs. Some IP addresses are simply known to be bad. Other IP addresses may host valid content on non-HTTP ports, while the web ports host malicious content. The inverse is also true: IP addresses can host legitimate HTTP websites but also host malicious command and control hosts on a non-standard port. Umbrella's IP Layer Enforcement functionality handles all of these scenarios.
Note: IP Layer Enforcement is only available for IPv4.
IP Layer Enforcement requires that Anyconnect version 4.8.03052 or above (Windows only) or the Umbrella roaming client version 2.0.1 or above (macOS or Windows) be available to your organization before the feature can be enabled. If Umbrella roaming clients are not automatically upgrading to this version, they may be offline or the installation may be broken.
- Either Anyconnect version 4.8.03052 or above (Windows only) or the Umbrella roaming client version 2.0.1 or above (Windows or macOS) should be installed and working
- Compatible versions of Windows: 7, 8, 8.1 and 10
Note: IP Layer Enforcement is compatible with Windows 10 version 1511 or later. If IP Layer Enforcement does not work, it would fail gracefully—network connectivity and DNS Layer protection will not be affected.
- Incompatible versions of Windows: Windows XP, Vista
- Supported versions of macOS: 10.11.6 and above.
Currently, the Umbrella roaming client only supports dual stack IPv4/IPv6 for the Mac OS. Stand alone support for IPv6 for both the Mac and Windows operating systems is not supported. For more information, see Umbrella Roaming Client: IPv6 Support.
- If the Umbrella roaming client is behind a virtual appliance (VA), the policy applied to the Umbrella roaming client will come from the VA identity rather than the policy for the Umbrella roaming client identity and testing will be difficult. For more information, see the next section of this guide.
- ipl.opendns.com (188.8.131.52) is used to download the IP filtering list.
- Internet Protocol Security (IPSec) traffic must be allowed through firewalls. The following ports and protocols must be allowed:
- Protocol 50 (ESP)
- Protocol 51 (AH)
- UDP Port 500
- UDP Port 4500
IPSec uses IP protocol 50 for Encapsulated Security Protocol (ESP), IP protocol 51 for Authentication Header (AH), and UDP port 500 for IKE Phase 1 negotiation and Phase 2 negotiations. UDP port 4500 is also used.
The Umbrella ERC service uses probe IPs to verify that IP Layer Enforcement is functioning over port 8077. The probe IPs are most likely in the Umbrella ranges listed below. When the ERC service is blocked, a message similar to this appears:
To restrict IPSec to only the Umbrella servers providing malicious IP blocking, allow ESP, AH, UDP Port 500 and UDP Port 4500 to these IP ranges only:
184.108.40.206/23 220.127.116.11/23 18.104.22.168/24 22.214.171.124/24 126.96.36.199/24 188.8.131.52/24 184.108.40.206/24 220.127.116.11/24 18.104.22.168/24 22.214.171.124/24 126.96.36.199/23 188.8.131.52/23 184.108.40.206/22 220.127.116.11/23
Note: A full list of the exact IP addresses—not just the ranges—can be found here.
18.104.22.168/19 22.214.171.124/24 126.96.36.199/24 188.8.131.52/24 184.108.40.206/24 220.127.116.11/24 18.104.22.168/24 22.214.171.124/21 126.96.36.199/21 188.8.131.52/21
- Navigate to Deployments > Core Identities > Roaming Computers and click Settings.
- Select either the Umbrella Roaming Client or Anyconnect Roaming Client tab.
- Enable Allow IP Layer Enforcement.
- Navigate to Policies > Management > All Policies and click Add or expand a policy to edit it.
- When adding a new policy, at the bottom of the What should this policy do page, expand Advanced Settings, enable the intelligent proxy, and check Enable IP Layer Enforcement.
- Click Next and complete the wizard.
Alternatively, at the bottom of the Summary page, expand Advanced Settings, check Enable IP-Layer Enforcement, and then click Save.
IP Layer Enforcement only applies to roaming computers with the Umbrella roaming client installed on Windows or Mac. However, the IP Layer Enforcement feature will still continue to be active and take effect when the Umbrella roaming client is behind a VA. The other security features (and filtering configurations) of the Umbrella roaming client will 'back off' in those instances and the policies for the Network, Internal Network, or Active Directory User/Computer policy will be applied instead, depending on your configuration.
If the Umbrella roaming client is being protected by a network that has been added to your Umbrella dashboard, and the roaming computer setting “Disable DNS Redirection on Umbrella Protected Networks” (Deployments > Core Identities > Roaming Computer > Settings > General Settings) is enabled, the Umbrella roaming client essentially disables itself and relies on the protection of the network for all features except IP Layer Enforcement.
IP Layer Enforcement is a separate part of the Umbrella roaming client and as such, behaves differently than the rest of the Umbrella roaming clients when behind the network. This is because most of the features are duplicated by the network or VA but IP Layer Enforcement is unique to the Umbrella roaming client.
To test whether you're blocking malicious IPs with the IP Layer Enforcement, we have set up a test page at http://ipblock.opendnstest.com/
This page displays correctly when the feature is enabled and working for the Umbrella roaming Client installed on the computer. Feel free to test the additional scenarios to get a sense of how the feature will behave when blocking a malicious IP address.
If things are not working as expected or the feature is not enabled on the roaming computer that you're testing with, Umbrella displays a warning that you are not currently using the IP Blocking system.
If your policy is correctly configured as best as you can determine and the test page is still not reflecting that IP Layer Enforcement is enabled, this could be because the policy applied to this roaming computer does not have the IP Layer Enforcement feature enabled. Double-check the order of policy precedence for this identity in the dashboard.
To start troubleshooting, it's worth checking to ensure these outbound ports are set to allow encrypted DNS requests to be routed through the Umbrella global network:
- Port 53 TCP/UDP to Umbrella
- Port 443 TCP to Umbrella
Double-check the system requirements for this feature and ensure they've been met.
If problems persist, or if there are any unexpected or unusual behaviors when the IP Layer Enforcement feature is enabled, contact Support at [email protected].
Updated 3 months ago