Limitations and Range Limits

Umbrella sets limitations and range limits by component, data type, user role, or service. These general limitations affect how you configure, deploy, and interact with Umbrella.


Cisco Umbrella DNS Security packages are subject to a Monthly DNS Query Average limit of up to 5,000 DNS queries per Covered User per day. For more information, see Monthly DNS Query Average.

To determine your current package, navigate to Admin > Licensing. For more information, see Determine Your Current Package.

Internet Protocol Versions

IPv6
- Supported by DNS layer security.
- Not supported with dynamic IP addresses.
- Not supported by virtual appliances when configured as an anycast address.
Internet Protocol version 6.

IPv4
Supported by all services.
Internet Protocol version 4.

Umbrella Components

Destination Lists
- A destination list is not active until you set a policy for the destination list.
- A destination list does not support regular expressions in URL paths.
Destination lists may contain fully qualified domain names (FQDN), URLs, or IP addresses.
- A destination list comment string must be no longer than 256 characters.
- A destination list may contain URLs or IP addresses, depending on the Umbrella package type and destination list type (Allow or Block). For more information, see Cisco Umbrella Packages.

Internal Domains
No more than 2000 internal domains may be deployed.
Internal domain count can be increased upon request.

Internal Networks
No more than 5000 internal domains may be deployed.

External Domains/IPs
No more than 5000 external domains or IPs can be deployed.

Roaming Computers
- You cannot apply a tag to a roaming client when installing the roaming client.
- You cannot delete a tag. Instead, remove the tag from a roaming computer.
- Tags must be less than 40 characters.
- Tags are only available for roaming computer identities.

Intelligent Proxy
Umbrella Intelligent Proxy does not proxy web requests on non-standard ports.

Logging
With default logging enabled, Umbrella logs all destination requests for an identity.

Block Page Bypass
You cannot use the Block Page Bypass feature with a redirected block page.
If configured, Umbrella uses the default appearance of the block page.

Single Sign On
- Umbrella only integrates single sign on (SSO) to the dashboard.
- Single sign on (SSO) is not tied to the authorization for a user's access level within the Umbrella dashboard, such as whether the user is an Administrator or a Read-Only user.
You must use Block Page Bypass codes.

File Scanning (Antivirus, Threat Grid, and AMP)
- A file must be less than 50 MB.
- Compressed file scanning supports no more than 16 levels of recursion.
- AMP: The system computes only the archive hash, not hashes for files inside archives.

Selective Decryption List
- Accepts no more than 2000 destinations.
- DNS policy—selective decryption list may only contain content categories.
For more information, see Manage the Intelligent Proxy.
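
An added example (not Cisco code and not part of the original page) for the File Scanning limits above: it flags an archive that falls outside the stated 50 MB and 16-level limits, and computes the per-member SHA-256 hashes that AMP does not, so they can be checked by another control. Assumptions: ZIP archives only, the outermost archive counts as level 1, and the function names are hypothetical.

```python
import hashlib
import io
import zipfile

MAX_FILE_BYTES = 50 * 1024 * 1024  # page: a file must be less than 50 MB
MAX_LEVELS = 16                    # page: no more than 16 levels of recursion


def audit_zip(data, path="", level=1, report=None):
    """Record nesting depth and SHA-256 of every member of an in-memory ZIP.

    Assumption: the outermost archive counts as level 1.
    """
    if report is None:
        report = {"size_ok": len(data) < MAX_FILE_BYTES, "levels": 0,
                  "hashes": {}, "skipped": []}
    report["levels"] = max(report["levels"], level)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            # Bound the work: never inflate oversized members, and descend
            # at most one level past the limit we want to detect.
            if info.file_size >= MAX_FILE_BYTES:
                report["skipped"].append(member)
                continue
            blob = zf.read(info)
            report["hashes"][member] = hashlib.sha256(blob).hexdigest()
            if level <= MAX_LEVELS and zipfile.is_zipfile(io.BytesIO(blob)):
                audit_zip(blob, member, level + 1, report)
    report["levels_ok"] = report["levels"] <= MAX_LEVELS
    return report


def build_nested_zip(levels, payload=b"constructed sample payload"):
    """Constructed test input: `levels` ZIP layers around one small file."""
    blob, name = payload, "note.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"layer{i + 1}.zip"
    return blob


if __name__ == "__main__":
    for n in (3, 17):
        print(n, audit_zip(build_nested_zip(n))["levels_ok"])
```

A report with size_ok or levels_ok set to False, or with entries in skipped, marks a file that needs inspection outside the limits listed above.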

Identity Integrations

User Import
- Active Directory (AD), Azure AD, and Okta—imports no more than one million users.
- Manual import—imports no more than 4000 rows in a CSV file.
- Google Workspace (G Suite)—imports no more than 250,000 users.

Group Import
- Azure AD, Duo Security, Okta, OpenAM, and PingID—imports 200 groups. You can request an increase in the number of groups that you can import (no more than 3000 groups).
- Active Directory (AD)—imports 3000 groups. We recommend that you use the selective sync functionality on the Umbrella AD Connector to restrict the number of groups imported.
- Google Workspace (G Suite)—imports 5000 organizational units (OUs) from G Suite. Google Groups are not supported.

Users and Roles

User Role | Limit | Description

Block Page Bypass
- Block Page Bypass users do not have access to Umbrella Investigate.
- Does not allow a user to edit policies or view reports. Umbrella limits access to the dashboard.
- If SAML is enabled, Block Page Bypass is not available.
Grants a user the ability to bypass pages that are otherwise blocked by Umbrella policies.

Read Only
A Read Only user can only view pages and reports. Functionality, including buttons, may not be displayed or available. A user can access Investigate (if applicable), but not create/delete API tokens.
Grants limited access to the Umbrella dashboard.

Reporting Only
A Reporting Only user can only view and run reports.

Full Administrator
- Create and assign user roles.


Umbrella Reports

- Total Requests
- Top Destinations
- Top Categories
- Top Identities
Data available for one calendar year.
Data retention.

- Activity Search
- Security Activity
Data retained for 30 days.
Data retention.

- Activity Volume
Data retained for one calendar year.
Data retention.

- Admin Audit Log
Data retained for one calendar year. You can access data in 90-day increments.
Data retention.

Scheduled Report (email attachment)
Accepts up to 10,000 rows of data.

Exported Report (CSV export)
Exports no more than 1,000,000 rows of data.

Policy Testing

The Umbrella Policy Tester helps you evaluate your configured DNS policies. For more information, see Umbrella Policy Tester.

Umbrella Policy Tester
- Supported by DNS security layer.
- Evaluates domains. Does not test IP addresses, URLs, or CIDR ranges.
Evaluates configured DNS policies (identities and destinations).
- Displays up to 20 records for each query.
