Through DNS policies, you set the rules as to how Umbrella protects and manages your systems—your identities. Add a DNS policy to Umbrella to provide DNS-layer visibility and enforcement of your web traffic with the ability to selectively proxy risky domains.
Note: Various features of the policy wizard may not be available for your Umbrella package. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.
There are two parts to adding a new DNS policy:
- Part One — Set up the Policy Wizard.
Select protection options and components for your policy along with the identities to which this policy will be applied. The selections you make here determine which steps of the policy wizard are made available to you for configuration in Part Two — Configure the Policy.
- Part Two — Configure the Policy.
Once you have set up the Policy wizard, configure your policy by moving through the wizard and selecting various Umbrella features for implementation. The steps available here are determined by the choices you made in Part One — Set up the Policy Wizard.
- Identities are added and configured. See Manage Identities.
- Navigate to Policies > Management > DNS Policies and click Add.
When the DNS Policies page opens for the first time, it only lists the Default policy.
- The first page of the Policy wizard is where you choose the components of the policy that you want to configure. The options you choose here determine which steps of the Policy wizard become available for configuration.
a. Select the Policy wizard components you'd like enabled and determine how Umbrella will block threats.
Selecting an option here makes that component available for configuration in the Policy wizard's later steps.
- Access Control options are:
- Content Category Blocking—When selected, the Policy wizard's Content step is available.
- Apply Destination Lists—When selected, the Policy wizard's Destinations step is available.
- Application Control—When selected, the Policy wizard's Applications step is available. SSL Decryption must also be enabled.
- Block Threats options are:
- Security Category Blocking—When selected, the Policy wizard's Security step is available.
- File Analysis—When selected, the Policy wizard's File Analysis step is available.
- IP-Layer Enforcement—For roaming client identities only. Tunnels suspect IP connections to gain visibility into threats that bypass DNS lookups.
b. Optionally, expand Advanced Settings, enable the intelligent proxy and related SSL Decryption features, SafeSearch, and logging.
Advanced Settings are:
- Enable Intelligent Proxy—When enabled, Umbrella uses the Cisco Talos web reputation and other third-party feeds to determine if a URL is malicious. The intelligent proxy also uses anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP) to inspect files before they are downloaded. When disabled, options such as File Inspection are unavailable. For more information about the intelligent proxy, see Manage the Intelligent Proxy.
- SSL Decryption—When selected, allows the intelligent proxy to inspect traffic over HTTPS and block custom URLs in destination lists. The intelligent proxy must be enabled. For more information, see SSL Decryption Requirements and Implementation.
Note: SSL Decryption is required to block applications. See Configure Application Settings.
- Root Certificate—If SSL Decryption is selected, download and install the Cisco Umbrella root certificate on all computers integrated with this policy; for example, all computers integrated with the Network identity. For more information, see Install the Cisco Certificate.
- Selective Decryption—Create a list of content categories to exclude from inspection by the intelligent proxy. For more information, see Selective Decryption.
- Enforce SafeSearch—Enables SafeSearch for all computers integrated with this policy. SafeSearch is a feature of the major search engines that restricts and filters explicit images and results. Umbrella provides the ability to enforce traffic to Google, YouTube, and Bing on a per-policy basis. For more information, see Enforce SafeSearch for DNS Policies.
- Allow-Only mode—Select to only allow access to a small subset of domains through destination lists and automatically block all other domains. Because the result of enabling this feature is to effectively block access to the internet except for that part you've defined as "allowable", we recommend caution when enabling this feature. When enabled, you can only add Allowed destination lists.
Logging settings are:
- Log All Requests—For full logging, whether for content, security or otherwise.
- Log Only Security Events—For security logging only, which gives your users more privacy—a good setting for people with the roaming client installed on personal devices.
- Don't Log Any Requests—Disables all logging. If you select this option, most reporting for identities with this policy will not be helpful as nothing is logged to report on.
For more information about managing your logs, see Manage Your Logs.
c. Click Next.
- Select the identities you wish to apply this policy to and click Next.
Identities that are listed with a number to the right can be clicked through to more selectively choose identities.
Note: Tags are not identities, but rather groupings of roaming computer identities. For more information, see Group Roaming Computers with Tags.
When you click Next you move to part two of the Policy wizard, a progress meter appears listing the step you are on and the number of steps remaining until you've fully configured the policy. Steps listed correspond to the policy components selected in part one of the Policy wizard.
The steps available here are determined by the choices you made in step one Set up the Policy Wizard.
Security settings determine which categories of security threat Umbrella blocks. For more information about each category, see Manage Security Settings.
- Click Next to use default settings or click Edit, select or clear categories, and then click Save.
Note: A grey shield indicates that the item is not selected.
As an alternative to clicking Edit, you can select a preconfigured grouping of security settings or create a new setting:
a. From the Security Settings drop-down list, choose a security setting or Add New Setting.
If you choose Add New Setting, a window appears allowing you to add a new setting.
b. Give the Security setting a good meaningful name, choose how you are going to create it, and click Create.
c. Select or clear categories and click Save.
- Optionally, expand Integrations.
Only custom integrations enabled and configured under your account appear. For more information about integrations, see Umbrella Integrations.
a. Integrations become available for selection when you click Add New Setting—if this is your first policy—or Edit at the top of the page.
b. Select integrations as necessary and click Save.
- Once you've configured security settings, click Next.
Content Categories organize websites into categories based on the type of information served by the site; for example, gambling or social networking or alcohol. You limit the access that identities have to web sites based on the categories you select. For a list of all categories and details for each, see Content Categories for DNS Policies.
When an identity attempts to access a destination that is blocked because of a content setting, an Umbrella block page appears.
- Choose a preset Content Category level of protection or click Custom.
- If you choose Custom, select Categories to Block as needed.
Optionally, from the Custom Setting drop-down list, choose Create New Setting.
- Once you've configured content categories, click Next.
Select applications you'd like to block identities from accessing. You may want to block access to applications because they represent an unacceptable security risk or when their functionality is inappropriate. Conversely, if an application should override a block, such as in the case of a content category match with the application, then change the block action to allow.
Note: You must enable SSL Decryption. If not already done, you must also download and install the Cisco Umbrella root certificate. For more information, see Install the Cisco Certificate.
- Select an application category to select app applications associated with the category or expand the category to choose individual applications within the category.
- Expand a category to allow or block individual applications within a category:
a. Click the wheel icon.
b. Select Block or Allow.
c. Click Apply.
- Click Next.
- Click Proceed to confirm your application selections.
- Once you've configured application settings, click Next.
Destination lists control identity access—allowed or blocked—to specific internet destinations. Destinations supported are:
- Blocked—Domains and URLs. For URLs, you must also enable the intelligent proxy, SSL decryption and install the Cisco certificate. See Advanced Settings.
- Allowed—Domains, IP, or CIDR.
Note: If you enabled Allow-Only Mode under Advanced Settings, you can only add Allowed destination lists.
- Click Add New List or click a list to edit it.
Your new destination list is added to the policy.
- Once you've configured destination lists, click Next.
When enabled, Umbrella inspects inbound files for malware using anti-virus (AV) signatures and Cisco AMP file reputation.
- Enable File Inspection.
- Click Next.
Block Page settings let you set the appearance of the block page that displays when a request is made to access a web page that is blocked by policy settings. You can customize the block page's appearance and redirect blocked identities to a custom domain. Bypass users and bypass codes let you set up a mechanism that allows identities access to blocked destinations. For more information about block pages, see Customize Block Pages.
Note: Not all categories can be bypassed. If a user is blocked for a Security or Malware category, the site is considered malicious and should not be accessed under any circumstances.
- Click Use Umbrella's Default Appearance or Use a Custom Appearance.
- If you clicked Use a Custom Appearance, choose Create New Appearance from the drop-down list.
- Configure options as necessary and click Save.
A bypass user can bypass block pages by authenticating against the block page. However, a bypass user cannot bypass a security block. A user must have an Admin Account to be added to a policy as a bypass user. For more information and the procedure, see Add A New User.
- Expand Bypass Users, select a user or click Create New.
- Add a good meaningful description, choose a Bypass User, select what can be bypassed, and click Save.
You can select specific content categories and destination lists.
Bypass codes allow a bypass user access to a blocked page. All bypass codes have a configurable expiry date and can be extended at any time.
- Expand Bypass Codes, select a code or click Create New.
- Add a good meaningful name, select what can be bypassed, configure an expiry date, and click Save.
You can select specific content categories and destination lists.
Once you've set your block page and bypass settings, click Next.
The last step of the Policy wizard is the Policy Summary page, which lists the policy's current configuration.
- Give your policy a meaningful name, review settings, and then click Save.
Your policy is complete and operational. It is added to the list of policies and becomes part of the enforcement evaluation process. For more information, see Policy Precedence.
- To change a setting, click the relevant Edit button and the Policy wizard opens at that step. Make changes as needed and click Set & Return.
- Click Disable to disable a setting.