The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find our comprehensive guides designed to help you use Cisco Umbrella.

Get Started    

Manage Firewall

Umbrella's Cloud-Delivered Firewall

Umbrella's cloud-delivered firewall provides firewall services without the need to deploy, maintain and upgrade physical or virtual appliances at each site. Umbrella’s cloud-delivered firewall (CDFW) provides visibility and control for internet traffic across all branch offices. With Umbrella’s cloud-delivered firewall, all activity is logged and unwanted traffic blocked using IP, port, and protocol rules. To forward traffic, you establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel from any network device and as new tunnels are added, rules are automatically applied for easy setup and consistent enforcement.

IPsec tunnels created to the cloud-delivered firewall automatically forward traffic on ports 80 and 443 to the Umbrella secure web gateway (SWG). You can use IPSec tunnels for deploying SWG even if you choose not to use the IP/Port/Protocol controls in the CDFW.

RFC 1918

Firewall currently only supports RFC1918 IP addresses as Source IP address and Public IP address as Destination IP address. If IP addresses do not conform, packets will be dropped.


  • Umbrella SIG data center (DC) public IP address, to which the tunnel will connect. (For the latest Umbrella SIG DC locations and their IPs, see Cisco Umbrella Data Centers.
  • An Umbrella organization ID. (The organization ID is the number in the URL you use to log in to the Umbrella dashboard.)
  • A router (ISR-G2, ISR4K or CSR, or Cisco ASA) with a security K9 license to establish an IPsec tunnel. Other devices may work but have not been tested.
  • A valid Cisco Umbrella SIG Essentials subscription or a free SIG trial.
  • Allow ports on any upstream device: UDP ports 500 and 4500.

Establishing a Tunnel

With the certificate or passphrase credentials generated in the Umbrella portal, establish an IPsec IKEv2 tunnel to the Umbrella head-end <umbrella_dc_ip> ( <umbrella_dc_ip> represents the public IP address in sample commands).
More information about setting up a tunnel with:

Network Tunnel Identities

A unique set of Network Tunnel credentials must be used for each IPsec tunnel. Two IPsec tunnels cannot connect to the same datacenter with the same credentials. Using unique credentials for every tunnel prevents inadvertent outages should one tunnel get re-routed to a nearby datacenter via anycast failover.

This product is intended to be compatible with many different types of network devices. If you have a device that isn’t listed here, feel free to try it, but we may not be able to provide thorough assistance.

Bypassing DNS Traffic

When you establish tunnels to the Cisco Umbrella head end to use the cloud-delivered firewall, DNS traffic should be bypassed to ensure that DNS Layer Enforcement is not impacted.

When DNS traffic gets routed in tunnels, the traffic will go through all services in the service chain in the cloud-delivered firewall, undergo Network Address Translation (NAT), and then go to the Umbrella Resolvers with the cloud-delivered firewall's public IP address. In that situation, Umbrella Resolvers will not be able to apply DNS-based policies as the source IP will not match your organization.

To ensure that DNS Layer security is not impacted by the cloud-delivered firewall, the following traffic should bypass the tunnel:

  • Destination Port—53 (DNS)
  • Destination IP—,

Redirect to a Custom Block Page < Manage Firewall > Add a Tunnel: Cisco ASA

Updated 11 days ago

Manage Firewall

Umbrella's Cloud-Delivered Firewall

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.