The Umbrella Documentation Hub

Other Configurations

Configure Rate-limiting

Umbrella virtual appliances (VAs) support the rate-limiting of DNS queries on a per-IP basis. This can be used to prevent any single endpoint from attempting to flood the VA with DNS queries and causing a Denial-of-Service on the VA.

config va per-ip-rate-limit enable <pps> <burst>
    Enable rate-limiting. Rate-limiting is off by default.
    <pps>: number of packets to be accepted per second from each individual IP. Supported values are 10 to 100000.
    <burst>: packet burst rate.

config va per-ip-rate-limit disable
    Disable rate-limiting.

config va show
    Check status and packet drops.
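The VA's rate-limiting algorithm is not documented here, so the following is an added illustration (not Cisco code) that models the <pps>/<burst> pair as a per-source-IP token bucket: <pps> is assumed to be the refill rate and <burst> the bucket capacity. It validates the documented <pps> range and counts the per-IP packet drops that `config va show` would report.

```python
import ipaddress
from collections import defaultdict

# Constructed illustration of per-IP DNS query rate-limiting as a token bucket; the VA's
# real algorithm is not documented, so <pps> is assumed to be the refill rate and <burst>
# the bucket capacity.
PPS_MIN, PPS_MAX = 10, 100000   # supported <pps> range from the page


class PerIpRateLimiter:
    def __init__(self, pps, burst):
        if not PPS_MIN <= pps <= PPS_MAX:
            raise ValueError(f"<pps> must be between {PPS_MIN} and {PPS_MAX}")
        if burst < 1:
            raise ValueError("<burst> must be at least 1")
        self.pps, self.burst = float(pps), float(burst)
        self.buckets = {}                 # src_ip -> (tokens, last_seen)
        self.accepted = defaultdict(int)
        self.dropped = defaultdict(int)   # what `config va show` would report as packet drops

    def allow(self, src_ip, now):
        """True if a query from src_ip at time now (seconds) is accepted, False if dropped."""
        key = str(ipaddress.ip_address(src_ip))   # normalise the address, reject garbage
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.pps)   # refill since last packet
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            self.accepted[key] += 1
            return True
        self.buckets[key] = (tokens, now)
        self.dropped[key] += 1
        return False


def simulate(pps, burst, queries):
    """queries: iterable of (timestamp, src_ip); returns {src_ip: (accepted, dropped)}."""
    limiter = PerIpRateLimiter(pps, burst)
    for ts, ip in queries:
        limiter.allow(ip, ts)
    return {ip: (limiter.accepted[ip], limiter.dropped[ip])
            for ip in set(limiter.accepted) | set(limiter.dropped)}


if __name__ == "__main__":
    # Constructed sample: one endpoint fires 50 queries at t=0 (a flood), another sends
    # five queries half a second apart; pps=10, burst=20.
    flood = [(0.0, "10.1.1.50")] * 50
    normal = [(i * 0.5, "10.1.1.7") for i in range(5)]
    print(simulate(10, 20, flood + normal))   # {'10.1.1.50': (20, 30), '10.1.1.7': (5, 0)}
```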

Configure NTP Servers

By default, Umbrella virtual appliances (VAs) use Ubuntu NTP servers (ntp.ubuntu.com) as their time servers.

You can configure VAs to use other NTP servers.

config ntp add <serverIP1> <serverIP2> …
    Add NTP servers to the VA.

config ntp remove <serverIP1> <serverIP2> …
    Remove NTP servers.

config ntp show
    View the VA's current NTP servers.

Configure Umbrella Resolvers

By default, the VA is configured to use the standard Umbrella resolvers (208.67.220.220 and 208.67.222.222).

You can change the Umbrella resolvers used by the VA.

config va resolvers global
    Use the standard Umbrella resolvers (208.67.220.220 and 208.67.222.222).

config va resolvers alternate
    Use the alternate Umbrella resolvers (208.67.222.220 and 208.67.220.222).
    Use this option if your ISP blocks traffic to the standard Umbrella resolvers.

config va resolvers global-v6
    Use the standard IPv6 Umbrella resolvers (2620:119:35::35 and 2620:119:53::53).

config va resolvers US
    Use the US-only Umbrella resolvers (208.67.221.76 and 208.67.223.76).
    Note that these resolvers are not currently in Generally Available status.

config va resolvers US-v6
    Use the US-only IPv6 Umbrella resolvers (2620:119:17::76 and 2620:119:76::76).
    Note that these resolvers are not currently in Generally Available status.

When the Umbrella IPv6 resolvers are configured, only DNS queries are sent over IPv6. HTTPS traffic to other endpoints (api.opendns.com, disthost.umbrella.com, and s.tunnels.ironport.com) will be over IPv4 only.

Configure DNSSEC Support

Cisco Umbrella supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities.

If your endpoints are making DNS queries with the DNSSEC OK (DO) bit to the VA, the default behavior of the VA is to turn off this bit before forwarding the query to Umbrella or the local DNS server.

config va dnssec enable
    Configure the VA to preserve the DO bit when forwarding the DNS query to Umbrella and/or the local DNS server.
    This preserves any DNSSEC security resource records in the DNS response to the endpoint.

config va dnssec disable
    Disable the above configuration and return to the default behavior of clearing the DO bit.
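To make the DO-bit handling above concrete at the wire level, here is an added example (not Cisco's code) that locates the EDNS0 OPT record in a DNS query and either clears the DO flag (the VA's default, `config va dnssec disable`) or leaves the query untouched (`config va dnssec enable`). The OPT record layout follows RFC 6891; the sample query is constructed inline.

```python
import struct
OPT_TYPE = 41     # EDNS0 OPT pseudo-RR type
DO_BIT = 0x8000   # DNSSEC OK flag: top bit of the OPT record's 16-bit flags (low half of its TTL)

def _skip_name(msg, off):
    """Offset just past the DNS name at off; a compression pointer (0xC0) ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length

def _opt_ttl_offset(msg):
    """Offset of the OPT record's 4-byte TTL/flags field, or None if there is no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                      # question: name, qtype, qclass
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # RR: name, type, class, ttl, rdlen, rdata
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return off + 4
        off += 10 + rdlen
    return None

def do_bit_set(msg):
    pos = _opt_ttl_offset(msg)   # False when the query carries no OPT record at all
    return pos is not None and bool(struct.unpack("!I", msg[pos:pos + 4])[0] & DO_BIT)

def forward_query(msg, dnssec_enabled):
    """What the VA does before forwarding: with dnssec disabled (default) the DO bit is
    cleared so no DNSSEC RRs come back; with dnssec enabled the query passes unchanged."""
    pos = _opt_ttl_offset(msg)
    if dnssec_enabled or pos is None:
        return msg
    buf = bytearray(msg)
    flags = struct.unpack("!I", buf[pos:pos + 4])[0] & ~DO_BIT   # keep ext-RCODE/version/Z
    buf[pos:pos + 4] = struct.pack("!I", flags)
    return bytes(buf)

def build_query(name, do=True):
    """Constructed sample input: minimal A query for name with an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # id, RD, qd=1, ar=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT if do else 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt
```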

Configure Logging to Remote Syslog Server

Umbrella VAs can forward logs to a remote syslog server. Forwarding of logs related to internal DNS queries, logs on upgrades and reboots of the VA, and admin audit logs is supported.

  1. Configure the destination (remote syslog server) on the VA with the following command:
    config logexport destination <rsyslog-server-ip:port> <protocol>

Supported Values for <protocol>

  • TCP, UDP, and TLS are supported protocols.
  • If no value is specified TCP is the default.
  • If the protocol value is TCP or UDP and a port is not specified, 514 is assigned as the default port.
  • If the protocol value is TLS and a port is not specified, 6514 is taken as the default port.
  • IPv6 addresses are not supported as destination IPs for this command.
    Example: config logexport destination <10.26.02.82:514> udp

To forward the logs over a TLS-encrypted session, first create the certificates for client (VA) and server (remote syslog server). The certificates can be self-signed or signed by a Root certificate authority (CA). Add the key and certificate to the VA using the following commands:
config logexport key <copy the contents from keyForClientCert.pem file>
config logexport cert <copy the contents from ClientCert.pem file>
config logexport ca <copy the contents from selfsignedCA.pem|chainCertCA.pem file>

The CA configured in the last command should be the CA used to sign the server certificate.

  2. Configure the forwarding of logs on the VA.

config logexport enable internaldns
    All internal DNS queries sent to the internal DNS server are logged at the syslog server. Logs include the date and time, the internal domain being queried, and the private IP, hostname and username of the source endpoint that made the query.
    Note that the hostname and username of the source endpoint will not be available if AD integration is not configured for the VA.

    Format for internal DNS queries:
      • Date
      • Time
      • Hostname ("forwarder")
      • VA Label: "InternalDNS"
      • Internal IP of source
      • User AD identity of source (if a user identity is mapped to this IP, else "NULL")
      • Host AD identity of source (if a host identity is mapped to this IP, else "NULL")
      • Internal domain being queried

config logexport enable health
    Reboots and upgrades of the VA are logged at the syslog server.

    Format for VA boot:
      • Date
      • Time
      • Hostname ("forwarder")
      • VA Label: "Health"
      • "VA started"

    Format for VA upgrade:
      • Date
      • Time
      • Hostname ("forwarder")
      • VA Label: "Health"
      • "VA downloaded version <x.y.z>" or "VA upgraded to version <x.y.z>"

config logexport enable admin
    Admin audit log: logins by admin users and config commands run on the VA are logged at the syslog server.

    Format for user login to VA:
      • Date
      • Time
      • Hostname ("forwarder")
      • VA Label: "Audit-Auth"
      • "SSH login from <IP> as <vmadmin/vmuser> succeeded/failed" or "Console login as <vmadmin/vmuser> succeeded/failed"

    Format for configuration change:
      • Date
      • Time
      • Hostname ("forwarder")
      • VA Label: "AuditLog-Config"
      • "Command <config _ __> executed"

config logexport enable all
    Enables logging of internaldns, health and admin logs at the syslog server.

  3. To check the status of the log forwarding, use the following command:
    config logexport status

Turn Off the Logging

To turn off logging, use the following command:
config logexport disable <feature>

The feature parameter can take the value of “internaldns”, “health”, “audit” or “all”.
Example: config logexport disable all
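Once these logs reach a syslog server, the Audit-Auth and InternalDNS formats above are the ones worth parsing first. The following is an added example (not Cisco's code) that extracts those two event types and answers two defender questions: which source IPs are repeatedly failing SSH logins to the VA, and which internal IPs query internal domains with no AD user or host identity mapped. The page gives the field order but not the delimiter, so the sample lines are constructed on the assumption of single-space-separated fields.

```python
import re
from collections import Counter

# Assumed layout (the page lists the fields in order but not the delimiter): one event per
# line, fields separated by single spaces: Date Time Hostname Label <label-specific fields>.
AUTH_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) Audit-Auth "
    r"(?:SSH login from (?P<ip>\S+)|Console login) as (?P<user>vmadmin|vmuser) "
    r"(?P<result>succeeded|failed)$")
DNS_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) InternalDNS "
    r"(?P<ip>\S+) (?P<user>\S+) (?P<machine>\S+) (?P<domain>\S+)$")

def parse_line(line):
    """Return (label, fields) for an Audit-Auth or InternalDNS line, else None."""
    m = AUTH_RE.match(line.strip())
    if m:
        fields = m.groupdict()
        fields["ip"] = fields["ip"] or "console"   # console logins carry no source IP
        return "Audit-Auth", fields
    m = DNS_RE.match(line.strip())
    return ("InternalDNS", m.groupdict()) if m else None

def failed_ssh_logins(lines, threshold=3):
    """Source IPs with at least `threshold` failed SSH logins to the VA."""
    fails = Counter()
    for label, f in filter(None, map(parse_line, lines)):
        if label == "Audit-Auth" and f["result"] == "failed" and f["ip"] != "console":
            fails[f["ip"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

def unmapped_dns_sources(lines):
    """Internal IPs querying internal domains with neither an AD user nor host identity mapped."""
    hits = Counter()
    for label, f in filter(None, map(parse_line, lines)):
        if label == "InternalDNS" and f["user"] == "NULL" and f["machine"] == "NULL":
            hits[f["ip"]] += 1
    return dict(hits)

# Constructed sample events in the assumed layout.
SAMPLE = """\
2024-05-01 10:00:01 forwarder Audit-Auth SSH login from 10.0.0.9 as vmadmin failed
2024-05-01 10:00:04 forwarder Audit-Auth SSH login from 10.0.0.9 as vmadmin failed
2024-05-01 10:00:07 forwarder Audit-Auth SSH login from 10.0.0.9 as vmuser failed
2024-05-01 10:01:00 forwarder Audit-Auth SSH login from 10.0.0.5 as vmadmin succeeded
2024-05-01 10:02:00 forwarder Audit-Auth Console login as vmadmin failed
2024-05-01 10:03:05 forwarder InternalDNS 10.0.1.99 NULL NULL fileserver.corp.local
2024-05-01 10:03:09 forwarder InternalDNS 10.0.1.99 NULL NULL intranet.corp.local
""".splitlines()
```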

Configure Dual-NIC Support on the VA

NIC Terminology

Throughout this section, the terms NIC, network interface, and network adapter are used interchangeably.

The Umbrella VA supports a dual-NIC configuration. This dual-NIC configuration is intended to enable DMZ deployment of a VA for traffic segregation with one network interface being used for outbound communication and the other network interface used for internal communication.

Dual-NIC support has only been qualified on virtual appliances (VA) running on Hyper-V and VMware. There is no change to existing behavior if the VA is deployed with a single NIC. Configuring more than two NICs on the VA is not supported.

Note: IPv6 addresses cannot be configured for network adapters when using the dual-NIC configuration.

Configure an Existing VA to Support Dual-NIC

  1. Open your existing VA in your preferred hypervisor’s console or SSH to the VA.
  2. Run the command config va show.
    Ensure that the IP configured here is the IP that will be used for internal communication. This is the IP that your endpoints will use for DNS resolution.
    Tip: Note the MAC address of the existing network adapter before adding a secondary network adapter.
  3. Shut down the VA and add a second network adapter using your hypervisor console.
    This is the network adapter you will be using for your outbound communication. This should be of the same driver type as your primary network adapter.
    Note: Some platforms may not permit the addition of a second network adapter after the VA has been created.
  4. Turn the VA on, enter the Configuration mode from the console or through SSH, and run the command config va show. This command returns the name of the second adapter.
    Note: Adding a second adapter when the VA is powered on may result in the adapter not being detected or the corruption of the existing configuration. The VA needs to be compulsorily shut down before adding the second adapter.
  5. For the secondary adapter, assign the IP, netmask, and gateway parameters to be used for outbound (Internet) communication. Enter: config va interface <interface name> <ip address> <netmask> <gateway>
    Verify against the MAC address of the respective adapters to ensure that the IP addresses are not misconfigured.
    Note: You cannot direct DNS requests to the IP configured on the secondary adapter because incoming DNS traffic will be blocked on this IP.
  6. Once you have saved changes, enable traffic segregation. Enter: config va dmz enable
    Static routes are configured for the IP on the secondary adapter to all Umbrella destinations required for the proper functioning of the VA. Configuring additional static routes is currently not supported.

Deploy a New VA to Support Dual-NIC DMZ Mode

You can deploy a new VA with dual-NIC support. The configuration steps are similar to configuring an upgraded VA. You can add the secondary adapter to the VM using the hypervisor console, before powering on the VM. Both adapters should be of the same driver type.

  1. Enter configuration mode on the VA and retrieve the name of both adapters. Enter: config va show
  2. Configure the primary adapter and then the secondary adapter. Enter: config va interface <interface name> <ip address> <netmask> <gateway>
    Ensure that the primary adapter is configured with the IP that you wish to use for internal communication and that the secondary adapter is configured with the IP to be used for internet-bound communication.
  3. Once both adapters are configured, enable traffic segregation. Enter: config va dmz enable

Configure Anycast

The Umbrella virtual appliance (VA) enables the use of Anycast DNS addressing within an enterprise.

The advantage of using Anycast is that all your endpoints can use the same DNS IP address irrespective of the site to which they belong. Configuring an Anycast IP address on the VA adds resiliency for DNS resolution.

The VA currently supports enabling Anycast using the BGP protocol. This requires support for BGP on the VA’s neighboring router, or any router that is reachable from the VA within 255 hops.

You can configure up to 4 routers running BGP as BGP peers for the VA.

Two VAs in different branches can also be configured with the same Anycast IP address, ensuring resiliency across branches. However, if AD integration is required, these VAs must be in the same Umbrella site, since the AD Connector propagates IP-AD user mappings only to VAs in its Umbrella site.

Only IPv4 addresses can be configured as an Anycast address on the VA.

Configure Anycast over BGP on the VA

  1. Enter the Configuration Mode on the VA.
  2. Enable Anycast support on the VA. Enter config anycast bgp <options>
    Command returns an ASN for the VA.
    Options are:
    • enable <anycast_ip> <bgp_info>—Enable the anycast mode
      • <anycast_ip>—Anycast IP address
      • <bgp_info>—ASN:ipaddress:Hop count of the BGP router to publish. If a hop count is not specified, a default value of 255 is assumed, therefore, the router can be up to 255 hops away.
    • add <ASN:Router IP:Hop count>—Use this command to specify an additional router as a BGP peer for the VA. A maximum of 4 peers can be configured.
    • delete <Router IP>—Use this command to remove a BGP peer for the VA.
    • stats—Show statistics around the Anycast configuration
    • summary—Show summarized list of all BGP peers for this VA
    • disable—Disable anycast mode
    • status—Show status of anycast
    • test—test Anycast connectivity
    • help—Display this usage information
  3. Validate status. Enter config anycast bgp status
  4. On the router, add the VA’s ASN from step 2 as the neighbor of the router.

Example:
In the following configuration, the VA needs to be configured with Anycast IP 192.168.1.22, the BGP router’s ASN is 7105, and IP address is 10.1.0.1.


Updated 2 months ago