Umbrella Policy Tester

The Umbrella Policy Tester lets you test your policies to determine if they are working as intended without having to test them from the computer, network, or identity to which your policies are applied. We encourage you to give it a go—it's interesting to see how exactly the order of policies applies to each of your identities and various destinations, and there's no harm in running through the tester.

If you allow your users to send you feedback from the block page, using the same functionality as what's described below, the feedback from the block page includes what identity was blocked, what the destination was and what the policy that blocked them was so you can react accordingly.

There are a few circumstances under which the Policy Tester currently will not return accurate (or any) information for a given destination. For more information about this, see Limitations of the Umbrella DNS Policy Tester.

Note: The Policy Tester is only able to test against domains as destinations. IP addresses and CIDR ranges are not supported and do not return results.



  1. Navigate to Policies > Management > All Policies and click Policy Tester.

Two fields are required—an identity or identities to test against and a destination. The basic point is the tester will determine, based on the way you've configured your policies, whether the identity you've selected can reach the destination you've defined. Depending on whether you expect that the identity should or should not reach that destination, it will offer assistance to understand why the results are what they are.

Note: The destination must be a fully qualified domain name. IP Addresses and URLs are not supported.


You might want to enter more than one identity when you want to see which identity would take priority. For instance, if there were a policy for a computer that had an Umbrella roaming client installed and was also protected with one or more network identities, it may not be clear which of these policies would take effect. The policy tester will let you know which identity would be triggered first and by which policy.

  1. Click Run Test, once you've selected the identity or identities you'd want.
  2. Click Reset to clear fields.
  3. The results of your test will include the following:
  • Triggered Identity—Which identity was triggered; this information is important if there was more than one identity specified.
  • Destination—Whichever destination you put in to test again.
  • Result—Whether the destination was allowed or blocked, and more specifically, why it was blocked. The reasons include security settings, category settings, and domain lists. The exact type of block is recorded, and the actual name of the setting or domain list is mentioned.
  • Destination List/Security Settings/Category Settings—Depending on the block type, this is the name of the setting or list that was applied. If nothing was matched here, this information will not appear.
  • Categorization—The categorization will be what Umbrella categorized the destination as. Note that the category will appear whether the destination was blocked or not. This information can be helpful in determining if you wanted to block a category setting because a certain destination is categorized there. If nothing was matched here, this information will not appear.
  • Policy Applied—Which policy was applied. The applied policy will also be highlighted in red below. If no other policy was applied, this will show the Default Policy (which is applied to all).

In addition, you'll see a little write-up explaining your results. For example:

"This identity was found in two policies. Out of these, "Your First Policy" was the highest ranked policy so it was applied to the identity. To have one of the lower ranked policies apply to this identity, click and drag the policy above "Your First Policy.""

Last but not least, the exact policy that was applied is highlighted. If the destination was blocked, the highlighted policy is red, and if the destination was allowed, the highlighted policy is green.


Policy Precedence < Umbrella Policy Tester > Enable SafeSearch