Policy Precedence

The policy wizard allows for the customization of identity filtering and security settings. While any identity can be added to any policy, the settings Umbrella applies to an identity result from policy precedence rules.

Policies are applied to identities using a "first match" methodology based on rank (the number listed at the left of each policy), which follows a top to bottom execution order. Therefore, only the highest ranked policy that matches an identity is applied, and all subsequent lower ranking matches are ignored.

In general, the topmost policy in the list that is added to an end user applies. However, this gets more complex when a user has multiple identities such as Umbrella roaming client and an Active Directory (AD) user active at the same time.

If an identity has no matches in any custom policy, the Default Policy will apply to the identity. If you'd like to find out which policy is matched for a particular identity, see Umbrella Policy Tester.

For configurations without Active Directory integration, the Identity Precedence order is as follows (topmost is first priority):

  1. Roaming Client: roaming clients including Windows/Mac, the iOS client, Chromebooks, and other roaming devices.
  2. Network: network identity based on the source IP of the DNS request.

If the roaming client and network are on the same policy, and the roaming client is behind the network, the roaming client policy applies instead of the network policy.

For configurations that include Active Directory integration, identities apply in the following order (topmost is first priority):

Note: The available identities are different depending on whether a virtual appliance or roaming client provides the AD integration.

  1. AD User: identified by Virtual Appliance (VA) or Roaming Client (RC).
  2. AD Computer: identified by VA only.
  3. Internal Network / Umbrella Site: identified by VA only.
  4. Default Umbrella Site: traffic on the VA with no other identity. Identified by VA only.
  5. Roaming Client: Roaming Client only.
  6. Network: network identity based on the source IP of the DNS request.

Policy Precedence: Identities

When choosing which identities belong to a policy, the list of identities appears to the right of the Identity chooser. When an entire category (for example, AD Users, AD Groups, Networks) is chosen, a checkmark appears. When only some of the identities within a category (for example, a specific AD user, AD Group, or roaming client) are chosen, a dash appears.

If you are viewing a nested identity set and see a grayed-out checkmark and wish to modify the subgroup, go up a level and ensure that a blue checkmark is not present.

Identity Combinations

Each policy has the option to select any combination of Identities.

For example, "Joe", a user in Active Directory, can be added to several different policies as an individual user, and can be included as part of any policy with "All AD Users."
Since "Joe" can be included in several policies, it's critical to understand the order in which those policies are applied to "Joe."

Policies are applied based on a "first match" methodology based on rank (the number listed at the left of each policy), which follows a top to bottom execution order. Therefore, only the highest-ranked policy that matches a user's identity will be applied, and all subsequent lower-ranking matches will be ignored.

A common misconception is that policies are additive: that creating a "YouTube Policy" and a "Facebook Policy" and then adding identities to both results in all selected identities being able to access both sites. This is not the case.

For example, suppose you have an AD User identity "AD Admin" and two policies: a rank 2 policy that applies to all AD Users (AD Users Policy), and a more restrictive rank 3 policy (Restrictive Users Policy) that applies only to the specific user "AD Admin." Because it is the higher-ranking of the two, the AD Users Policy is the first match in the execution order; it is applied and the Restrictive Users Policy match is ignored.

The goal of the Restrictive Policy in the above example was to set up the "AD Admin" identity with stricter filtering than the other users, but it was not correctly ordered. Note that this will apply to Roaming Clients and Networks as well. To apply a specific policy to this user, the order of the policies will need to be updated. In this case, the Restrictive Policy needs to be moved higher than the AD Users policy.

Configure Policy Order

Drag and drop policies to change their ranking order.

  1. Navigate to Policies > Management > All Policies.
  2. Drag and drop policies to re-order policies and reset precedence.

Identity Precedence Within the Same Policy

Note: The information in this section only refers to the final matching of multiple identities within a single policy. It also only determines which identity is the primary matching identity, which affects statistics and reports. Regardless of where along the flow chart the identity finishes, the same policy is applied. The Activity Search and Security Overview reports list only the primary match identity. Where a user matches multiple identities in the same policy (for example, a Roaming Client and a Network identity), an Identity Precedence order determines the primary identity.

For configurations without a virtual appliance (VA) setup, the Identity Precedence order is as follows (topmost is first priority):

  • Mobile devices*
  • Roaming clients
  • Networks
    *Mobile devices connect through a VPN and will always be the first match. Mobile devices are also not available for most customers as an identity type.

If the roaming client and network are on the same policy, and the roaming client is behind the network, the roaming client policy applies instead of the network policy. Reports will show activity based on the roaming client, not the network.

For configurations that include a VA, identities apply in the following order:

  • AD user
  • AD computer
  • Internal network (Site)
  • Default site (Traffic on VA with no other Identity)
  • Roaming clients
  • Networks
    When a VA is present on the network, Network and Roaming Client identities can only appear for devices whose DNS is not configured to point to the VA. Generally, all computers should be configured to point to the VA. If you see network identities, it may indicate an incomplete configuration.
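The following is an added example, not Cisco's code, that models both rules described above: first-match policy selection by rank (the "AD Admin" ordering mistake and its fix) and primary-identity selection within the winning policy using the VA precedence order. The identity type labels, policy names and request identities are constructed for illustration.

```python
from dataclasses import dataclass

# Identity-type precedence inside one policy when a VA is present (topmost wins).
# These type labels are this example's own; the dashboard names differ.
VA_PRECEDENCE = ["ad_user", "ad_computer", "site", "default_site",
                 "roaming_client", "network"]

@dataclass
class Policy:
    rank: int          # the number shown at the left of the policy in the dashboard
    name: str
    identities: set    # (type, name) pairs; ("ad_user", "*") models "All AD Users"

def matches(policy, identity):
    kind, name = identity
    return (kind, name) in policy.identities or (kind, "*") in policy.identities

def resolve(policies, request_identities, precedence=VA_PRECEDENCE):
    """First match by rank wins; every lower-ranked match is ignored.
    Inside the winning policy, the primary identity (the one reports show)
    is the matched identity with the highest precedence. Returns
    (policy name, primary identity), or the Default Policy when nothing matches."""
    for policy in sorted(policies, key=lambda p: p.rank):
        matched = [i for i in request_identities if matches(policy, i)]
        if matched:
            primary = min(matched, key=lambda i: precedence.index(i[0]))
            return policy.name, primary
    return "Default Policy", None

# Constructed policies mirroring the "AD Admin" example in the text.
AD_USERS = Policy(2, "AD Users Policy", {("ad_user", "*")})
RESTRICTIVE = Policy(3, "Restrictive Users Policy", {("ad_user", "AD Admin")})
ADMIN_REQUEST = [("ad_user", "AD Admin"), ("network", "HQ")]

def admin_as_configured():
    # Rank 2 matches every AD user, so the rank 3 restrictive policy never applies.
    return resolve([AD_USERS, RESTRICTIVE], ADMIN_REQUEST)

def admin_after_reorder():
    # Drag the restrictive policy above the broad one (swap the ranks) and it wins.
    swapped = [Policy(2, RESTRICTIVE.name, RESTRICTIVE.identities),
               Policy(3, AD_USERS.name, AD_USERS.identities)]
    return resolve(swapped, ADMIN_REQUEST)

def roaming_behind_network():
    # Roaming client and network in the same policy: the roaming client is the
    # primary identity, so reports attribute the activity to it, not the network.
    office = Policy(1, "Office Policy", {("network", "HQ"), ("roaming_client", "*")})
    return resolve([office, AD_USERS], [("network", "HQ"), ("roaming_client", "laptop-7")])
```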

Policies and Block Page Bypass (BPB)

Policy precedence also has an impact on using bypass codes and bypass users. Since the enabling of BPB codes and users is per-policy, if your bypass code isn't working or the "Admin" bypass link isn't appearing, check that the code/user is enabled for their policy. To enable a code or user, check the box next to the code or user, then save the policy.
