The Umbrella Deployment Documentation Developer Hub

Welcome to the Umbrella Deployment Documentation developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella Deployment Documentation as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Add an Identity and Protect Your Network

A network is an identity in Umbrella and is defined by the public IP space of the network itself. All traffic originating from that IP space is identified as coming from that network in Umbrella. Thus, to add a network to Umbrella you add the public IP space, or IP range, to define the scope of identity. For network identities, both IPv4 and IPv6 IP addresses are supported; however, dynamic IP addresses are only supported for IPv4.

Once the identity has been added, you'll need to build policies to extend Umbrella's protection to any device that connects to the internet from behind that network. For more information, see Create and Apply Policies.

Wait, what's an identity?

An identity is simply an entity that you can enforce policy against and report on. It can be very high level—an entire network can be an identity—or very granular—down to the individual logged in user in Active Directory.

Step 1 – Select the Appropriate Network

First, determine what the IP address of your network is.

  1. Go to
    Your IP address and location is displayed. Both IPv4 and IPv6 IP addresses are displayed.
  2. In Umbrella, navigate to Deployments > Core Identities > Networks.
    You'll find your IP address listed at the top of the page. If you don't see your IP address, click the i (Information) icon.

Pre-registering your networks

If you plan to have multiple network identities, it's a good idea to register all of your networks with Umbrella right away. Chances are that if you have more than one public egress IP in your organization, you'll have more than one network identity. Having the networks pre-registered ensures that they're available right away when you do point traffic. It also ensures that all the IP space that belongs to your company is correctly assigned in our systems. Until traffic is pointed to Umbrella's DNS service, no protection is available and there is no reporting so there's no harm in adding in all networks beforehand.

Note: If you have the Umbrella Professional package, and you attempt to add a network other than the one currently being used to access the Umbrella dashboard, you will be prompted to contact Support for manual verification. You'll also need manual verification from support for IPv4 ranges larger than a /29 network and IPv6 rangers than a /56 network. Verification cases are created automatically and you'll receive an update as soon as it's reviewed.

Step 2 – Set up the Network Identity

Before you begin, it's a good idea to determine if you have an IPv4 dynamic IP address. Most home, small school, and small business networks are typically provisioned by Internet Service Providers (ISPs) with a dynamic IP address (IPv4 only) when defining each unique internet network.

Note: Most Dynamic DNS (DDNS) clients work toward keeping your network updated; however, third party DDNS clients are not supported by Support.

  1. Navigate to Deployments > Core Identities > Networks and click Add.

Note: If possible, add the network from the IP being registered, otherwise an email will be generated that will require a link to be visited from the IP address of the network being registered.

  1. In the Add a New Network modal, give your network identity a meaningful Network Name.
    Giving your identity a good network name will help you find it easily when you later add a policy against it through the Policy wizard.
    Note: Dynamic IP addresses are only supported for IPv4.
  1. Select an internet protocol.
    Select a protocol based on the Umbrella IP address to which you have configured your router to point.
  2. Add the network's IP address along with the subnet mask, usually a /32 subnet for IPv4 and /64 subnet for IPv6.
  3. For IPv4 only, if it's a dynamic IP address, check Dynamic and download the Umbrella Dynamic IP Updater:

Dynamic IP Address—IPv4 Only

A dynamic IP address means that the 'public' IP of your network changes over time when the 'lease' for that IP address changes. Your IP may stay the same for several weeks, but the lease will eventually expire and be given to another customer of your ISP. When the IP address you've registered with Umbrella changes, the Umbrella security settings no longer apply. These settings no longer match your account information and must be updated. To avoid having to manually update this information, we recommend installing the Umbrella Dynamic IP Updater on at least one computer within the network that you've registered in Umbrella. The Umbrella Dynamic IP Updater automates the discovery and registration of a network's IP address to your Umbrella account whenever the dynamic IP address changes. If you do not do this, you must manually re-enter your IP address each time it changes. For more information, see Networks with Dynamic IP Addresses.

To maintain and automatically update your IPv4 dynamic IP when it changes, following these guidelines:

  • The computer should be stationary to the network and not a laptop (only used in the network on which you are configuring Umbrella).
  • The computer should always be powered on (or turned on before any other computers log onto the network.)
  1. Click Save.
    Once the service validates your IP address, the network appears in the list at Deployments > Core Identities > Networks. Initially, Umbrella lists your new network identity's status as Inactive. Network status only changes to Active when DNS traffic is sent to Umbrella from the network.
    The policy applied to your new identity depends on your policy configurations. If you have a policy configured that includes network identities, Umbrella applies that policy; otherwise; Umbrella applies the Default policy.

Step 3 – Change the DNS Settings on Your Relevant Network Device

You need only do this on your edge DNS equipment, typically a DNS or DHCP server, or a router—this could be your DSL router or cable modem if that's the only router in your network.

For instructions on how to configure computers (including laptops) or routers, see Point Your DNS To Cisco Umbrella.

Note: The client on which you test must have either retrieved a new set of DNS servers from the DNS/DHCP server or router, or have had its DNS settings changed manually for you to be able to verify successfully.

Step 4 – Test Your Network

And that's it! At this point, you may need to restart your client's network interface (or simply restart the computer) and then you should be able to verify that your DNS connections are being routed through the Cisco Umbrella global network by going to the following page in your client's browser:

You should see the Welcome to Umbrella page. There is also a test to go to to test the security settings.

Point Your DNS to Umbrella

Once your network identity is configured and ready to receive DNS traffic from your network, point your DNS to Umbrella.

Hardware Deployments < Protect Your Network: Add an Identity > Delete an Identity