The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Manage the Intelligent Proxy

A proxy is a step between your computer or mobile device and the internet. It intercepts requests to internet content, inspects them, and if it doesn't find a problem, allows access. If there's a security threat posed by the content the computer or mobile device is trying to access, the proxy blocks access to it. This quickly and easily protects you without the threat ever coming near enough to do harm.

Cisco Umbrella's intelligent proxy intercepts and proxies requests for malicious files embedded within certain so-called "grey" domains. You enable and disable the intelligent proxy when first creating a policy and, once configured, from the Policy Summary page.

Umbrella Packages and Feature Availability

Not all features described here are available to all Umbrella packages. To determine your current package, navigate to Admin > Licensing. For more information, see Determine Current Package.

If you encounter a feature described here that you do not have access to, contact your sales representative for more information. See also, Cisco Umbrella Packages.

Best Practices

When enabling the intelligent proxy, we highly recommend also enabling SSL Decryption, which broadens the scope of your protection. With SSL decryption, you must install the Cisco root certificate. As well, with SSL Decryption selected, you can create a list of content categories to exclude from being sent to the intelligent proxy. For more information, see Enable the Intelligent Proxy.

As with any change, we recommend that you first enable the intelligent proxy for a small subset of your identities to ensure full compatibility; you may find you need to expand your allow list.

SSL Decryption Requirements and Implementation

Although only SSL sites on Umbrella's greylist are proxied, it's required that the root certificate be installed on computers that are using SSL decryption for the intelligent proxy in their policy. Sites on our 'grey' list can include popular sites, such as file sharing services, that can potentially host malware on certain specific URLs while the vast majority of the rest of the site is perfectly harmless, so your users will go to some proxied sites even if they're acting in good faith.

Without the root certificate, when your users go to that service, they receive browser errors and the site is not accessible. The browser correctly believes that the traffic is being intercepted (and proxied) by a 'man in the middle', which, in this case, is the Umbrella service. Traffic is not decrypted and inspected; instead, the website is unavailable.

With the root certificate installed, errors do not occur and the site is accessible when it's been proxied and allowed. For information on installing the root certificate, see Install the Cisco Certificate.

Selective Decryption

When enabling SSL decryption, you can also exclude the proxying of requests to content categories by creating a Selective Decryption list. When configured, requests to access destinations within a selected content category are not proxied even though the intelligent proxy is enabled. For example, if you add the category News / Media to the Selective Decryption list and then visit, this destination is not inspected by the intelligent proxy.

Note: The categories Terrorism, Internet Watch Foundation, and German Youth Protection are excluded from this list and are always proxied.

Wildcards and Destination Lists < Enable the Intelligent Proxy > What is the Intelligent Proxy

Updated 3 months ago

Manage the Intelligent Proxy

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.