The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Internal Networks Setup Guide

Internal Networks allows to you manage your Umbrella policy for subnets of computers based on the internal IP addresses of your network.

After an Umbrella Virtual Appliance (VA) has been deployed, an Internal Networks identity can be configured. To set this up, drop one of our lightweight VAs into your network, direct your DNS traffic through it, and start mapping your network based on specific internal IP addresses and/or subnets.

The purpose of the Internal Networks identity is to define a subnet that's non-routable (or RFC1918 compliant) as an identity you can apply policy to. To create an Internal Networks identity, define a subnet that's non-routable (or RFC 1918 compliant) as an identity you can apply policy to. For example, if your Internal Network is defined as 192.168.0/24, any computer, tablet or device with an IP on that subnet would receive the filtering policy defined for it whenever it made a request to access the Internet.

From there you can begin to build multiples sites if you have more than one physical location or if you have more than one Internal Network to configure.

The Umbrella VA will have your DNS traffic pointed to it for this configuration and anything identified as coming from the networks you've defined will have the policies applied.


These steps assume you have set up a VA. If you have not yet done so, provision VAs before you continue. For more information, see the Virtual Appliance Setup Guide.

You should be provisioning at least one VA per site, but you can have multiple subnets per site if necessary.

For more information about whether you should be using sites in your network, see Sites and Internal Networks.

Provision a Subnet for Your VA

  1. Navigate to Deployments > Configuration > Sites and Active Directory.
    By default, the VA will be assigned to the default site or no site at all.
  1. To add a second site for a second VA:
    a. Click Settings.

b. Click Add New Site.

c. Add Site Name and click Save.
Your new site is listed.

  1. Navigate to Deployments > Configuration > Internal Networks and click Add.
  2. Name your network and provide a valid subnet.
  3. Click Show Sites and choose your newly added site from the pull-down menu.
  1. Click Save.
    Note: If you are unable to save your changes, it may be because the Cisco Umbrella Internal Networks setup does not allow an invalid range to be configured. The basic principle is that the final octet of your IP range should match the mask for that range. More information about subnet masks, as well as tools, are easily available from many third-party websites.

You can assign an individual Internal Network policy to a single IP address or to an entire DHCP scope that's already been configured for your network.

Assign a Policy to your Site

Internal Networks identities are assigned to policies through the Site identities.

Once you've selected the site that contains your Internal Networks, you can begin to select the parts of the policy to apply to these computers.

For more information on creating policies, see Create and Apply Policies.

Using Umbrella Sites

Individual Umbrella sites should be configured as if they were complete deployments. So, for each Umbrella site:

  • Follow the previous steps of this guide again, and after each sub-step to verify that the component has synced or reported to the dashboard, assign the component to a site by clicking its name and selecting an existing site or creating a new site.
  • You may also rename the default or any existing sites.

"Sites” in Umbrella refer to separate different locations or networks, which do not have a direct connection to another of your locations or networks.
Utilizing different sites results in a segregated Internal Networks environment. For example, different "sites" means that each location must have a minimum of one VA.

You should use Umbrella sites when the following is true:

  • There is 150ms or more of latency between two locations
  • Your locations communicate between a NAT device, which causes the internal IP address of an end machine to be lost.

Updated 3 months ago

Internal Networks Setup Guide

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.