The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find our comprehensive guides designed to help you use Cisco Umbrella.

Get Started    

Manage the Intelligent Proxy for DNS Policies

DNS Policies Only

The intelligent proxy is only available for DNS policies.

For DNS policies, Cisco Umbrella's intelligent proxy intercepts and proxies requests for malicious files embedded within certain so-called "grey" domains. You enable and disable the intelligent proxy when first creating a policy and, once configured, from the Policy Summary page.

Note: The intelligent proxy and related features are not available to all Umbrella packages. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.

Wait, what's a proxy?

A proxy is just a step between your computer or mobile device and the internet. It intercepts requests to internet content, inspects them and if it doesn't find a problem, allows access. However, if there's a security threat posed by the content the computer or mobile device is trying to access, the proxy blocks access to it. This quickly and easily protects you without the threat ever coming near enough to do harm.

Best Practices

When enabling the intelligent proxy, we highly recommend also selecting SSL Decryption, which broadens the scope of your protection. With SSL decryption, you must install the Cisco certificate. As well, with SSL Decryption selected, you can create a list of content categories to exclude from being sent to the intelligent proxy. For more information, see Enable the Intelligent Proxy.

SSL Decryption Requirements and Implementation

Although only SSL sites on Umbrella's greylist are proxied, it's required that the root certificate be installed on computers that are using SSL decryption for the intelligent proxy in their policy. Sites on our 'grey' list can include popular sites, such as file-sharing services, that can potentially host malware on certain specific URLs while the vast majority of the rest of the site is perfectly harmless, so your users will go to some proxied sites even if they're acting in good faith.

Without the root certificate, when your users go to that service, they receive browser errors and the site is not accessible. The browser correctly believes that the traffic is being intercepted (and proxied) by a 'man in the middle', which, in this case, is the Umbrella service. Traffic is not decrypted and inspected; instead, the website is unavailable.

With the root certificate installed, errors do not occur and the site is accessible when it's been proxied and allowed. For information on installing the root certificate, see Install the Cisco Certificate.

Selective Decryption

When enabling SSL decryption, you can also exclude the proxying of requests to content categories by creating a Selective Decryption list. When configured, requests to access destinations within a selected content category are not proxied even though the intelligent proxy is enabled. For example, if you add the category News / Media to the Selective Decryption list and then visit, this destination is not inspected by the intelligent proxy.

Note: The categories Terrorism, Internet Watch Foundation, and German Youth Protection are excluded from this list and are always proxied.

Wildcards and Destination Lists < Enable the Intelligent Proxy > What is the Intelligent Proxy

Updated about a month ago

Manage the Intelligent Proxy for DNS Policies

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.