Umbrella's cloud-delivered firewall (CDFW) provides firewall services without the need to deploy, maintain, and upgrade physical or virtual appliances at each site. It gives you visibility into and control over internet traffic across all branch offices: all activity is logged, and unwanted traffic is blocked using IP, port, and protocol rules. To forward traffic, you establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange version 2) tunnel from a network device; as new tunnels are added, your rules are applied to them automatically, for easy setup and consistent enforcement.
The cloud-delivered firewall currently supports only RFC 1918 (private) addresses as the source IP address and public addresses as the destination IP address. Packets that do not conform are dropped.
To set up a tunnel, you need the following:
- The public IP address of the CDFW data center (DC) that the tunnel will connect to. (For the current list of CDFW DC locations and their IP addresses, see Cisco Umbrella Data Centers.)
- Your Umbrella organization ID. (The organization ID is the number in the URL you use to log in to the Umbrella dashboard.)
- A Cisco device with a security (K9) license to establish the IPsec tunnel: an ISR-G2, ISR4K, or CSR router, or a Cisco ASA. Other devices may work but have not been tested.
- A valid Cisco Umbrella SIG Essentials subscription or a free SIG trial.
Using the certificate or passphrase credentials generated in the Umbrella portal, establish an IPsec IKEv2 tunnel to the Umbrella head end at <umb_ip> (in the sample commands, <umb_ip> stands for the DC's public IP address).
Network Tunnel Identities
Network tunnel identities must be unique for each IPsec tunnel to the same Umbrella data center (DC). You cannot reuse an identity to build multiple IPsec tunnels to the same DC from the same public IP address.
This product is intended to be compatible with many different types of network devices. If you have a device that isn’t listed here, feel free to try it, but we may not be able to provide thorough assistance.
When you establish tunnels to the Cisco Umbrella head end for the cloud-delivered firewall, DNS traffic should bypass the tunnel so that DNS-layer enforcement is not affected.
If DNS traffic is routed through the tunnel, it passes through every service in the cloud-delivered firewall's service chain, undergoes Network Address Translation (NAT), and then reaches the Umbrella resolvers with the cloud-delivered firewall's public IP address as its source. The resolvers identify your organization by source IP, so in that situation they cannot apply your DNS-based policies: the source address no longer matches your organization.
To keep DNS-layer security intact, the following traffic should bypass the tunnel:
- Destination port 53 (DNS, both UDP and TCP)
- Destination IP 184.108.40.206 or 220.127.116.11
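The three rules on this page (only RFC 1918 sources and public destinations are forwarded by the cloud-delivered firewall, a tunnel identity cannot be reused towards the same DC, and DNS must stay out of the tunnel) are easy to get wrong when writing router policy by hand. The following Python script is an added example, not Cisco's code or part of the original documentation: it classifies sample flows the way the page describes, flags reused tunnel identities, and emits an IOS extended ACL matching the DNS traffic that must bypass the tunnel. The flow addresses, tunnel names and ACL name are constructed for the example; the resolver addresses are taken as listed on this page and should be confirmed for your deployment; and applying the ACL through policy-based routing is an assumption about how the bypass is implemented, which the page does not specify.

```python
"""Pre-deployment check for Umbrella cloud-delivered firewall (CDFW) tunnels.

Added example, not Cisco's code. It applies the page's rules: only RFC 1918
sources and public destinations are forwarded through the tunnel (anything
else is dropped by CDFW), DNS must bypass the tunnel, and a tunnel identity
may not be reused towards the same data center. All addresses, tunnel names
and the ACL name below are constructed for the example.
"""
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# RFC 1918 spelled out: ipaddress's is_private is broader (loopback,
# link-local, documentation nets, ...) and would accept sources CDFW drops.
RFC1918 = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
)

# Resolver addresses as listed on this page; confirm them for your
# deployment before relying on this list (assumption: it is complete).
UMBRELLA_RESOLVERS = frozenset(
    IPv4Address(a) for a in ("184.108.40.206", "220.127.116.11")
)
DNS_PORT = 53


def is_rfc1918(ip: IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def classify(src: str, dst: str, dport: int) -> str:
    """Say where a flow should end up: 'bypass' (around the tunnel),
    'tunnel' (forwarded to CDFW) or 'drop' (would be discarded by CDFW)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    # DNS is tested first: inside the tunnel it would be NATed and the
    # resolvers could no longer match the source IP to your organization.
    if dport == DNS_PORT or d in UMBRELLA_RESOLVERS:
        return "bypass"
    # is_global rejects RFC 1918, CGNAT, loopback, link-local and test nets.
    if not is_rfc1918(s) or not d.is_global:
        return "drop"
    return "tunnel"


def duplicate_identities(tunnels):
    """tunnels: iterable of (identity, dc_ip, local_public_ip) triples.
    Returns the (identity, dc_ip) pairs used by more than one tunnel,
    which the page says cannot be built."""
    counts = Counter((ident, dc) for ident, dc, _pub in tunnels)
    return sorted(key for key, n in counts.items() if n > 1)


def ios_dns_bypass_acl(name: str = "UMBRELLA-DNS-BYPASS"):
    """IOS extended ACL matching the traffic that must stay out of the
    tunnel. Assumption: it is applied via a route-map (policy-based
    routing) that sends matches to the direct internet next hop."""
    lines = [f"ip access-list extended {name}",
             " permit udp any any eq 53",
             " permit tcp any any eq 53"]
    for resolver in sorted(UMBRELLA_RESOLVERS):
        lines.append(f" permit ip any host {resolver}")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, destination port).
    for flow in [("10.1.1.5", "93.184.216.34", 443),
                 ("10.1.1.5", "8.8.8.8", 53),
                 ("203.0.113.7", "93.184.216.34", 443),
                 ("10.1.1.5", "172.16.5.5", 443)]:
        print(flow, "->", classify(*flow))
    print("\n".join(ios_dns_bypass_acl()))
```

`classify` evaluates the DNS bypass before the source/destination check on purpose: a query that reached the firewall would be NATed and lose its organization mapping, so it must never be a candidate for the tunnel at all. The `drop` result is a prediction of what CDFW does to a non-conforming packet, which is useful for spotting branches whose LAN uses carrier-grade NAT space (100.64.0.0/10) or other non-RFC 1918 addressing before the tunnel goes live.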