This guide is for Cisco devices running SD-WAN IOS XE (e.g. ISR, ASR, CSR).
For information on using Umbrella with Viptela vEdge devices, see: Using Umbrella DNS Security.
For instructions on how to set up an IPsec tunnel from a Cisco SD-WAN (Viptela) device to Umbrella, see: [https://docs.umbrella.com/umbrella-user-guide/docs/add-a-tunnel-viptela] or [https://docs.umbrella.com/umbrella-user-guide/docs/add-auto-tunnel-viptela].
Cisco’s SD-WAN and Umbrella integration enables you to deploy Umbrella across your SD-WAN to hundreds of devices in minutes and instantly gain web and DNS-layer protection against threats. You gain the cost savings and improved performance of direct internet access (DIA) at branch offices, without sacrificing security or taking on the burden of managing devices individually.
With the integration, administrators can create policies and view reports on a per-VPN basis.
This document details how to configure Umbrella DNS re-direct security policies with Cisco SD-WAN. For more comprehensive information about configuring additional Cisco SD-WAN Security policies, see the SD-WAN Security Deployment Guide.
Notes: Automatic policy assignment based on VPN name - Viptela VPNs, represented by Network Devices in the Umbrella dashboard, will automatically be placed in an Umbrella policy if the Viptela VPN name matches the name of an existing Umbrella policy. Otherwise, all Viptela VPNs will be covered by the Umbrella default policy unless they are manually added to another policy. Policy assignment can be done in the UI or via API.
- A security K9 license to enable Umbrella Integration.
- The device runs on the SD-WAN IOS XE 16.10 software image or later.
- vManage version 18.4 or later.
- Not available on Viptela vEdge devices.
- If an application or host uses an IP address directly instead of using DNS to query domain names, policy enforcement is not applied.
- If a client is connected to a web proxy, the DNS query does not pass through the device. In this case, the connector does not detect any DNS request and the connection to the web server bypasses any policy from the Umbrella portal.
- When the Umbrella Integration policy blocks a DNS query, the client is redirected to an Umbrella block page. HTTPS servers provide these block pages, and the IP address range of these block pages is defined by the Umbrella portal.
- Only type A, AAAA, and TXT queries are redirected. Other query types bypass the connector.
- Only the IPv4 address of the host is reported to Umbrella.
- A maximum of 64 local domains can be configured in the bypass list, and the allowed domain name length is 100 characters.
- In the Umbrella dashboard, navigate to Admin > API Keys and click Create.
Check your vManage version
The process for obtaining authorization data differs for vManage up to and including 16.12 versus vManage 17.2 or later.
- Expand Legacy Network Devices, and then copy the API token—Your Key—so that you can complete the next steps.
The API token is a long alphanumeric set of characters.
- Select Umbrella Network Devices and then click Create.
- Copy Your Key and Your Secret to a secure document.
This Key and Secret are required for later steps.
- Select Keep it secure... and click Close.
- In the vManage dashboard, navigate to Configuration > Security and click the Custom Options dropdown.
- Select the Umbrella API Token. In the Manage Umbrella Registration box that appears, paste the token (legacy vManage) or the key and secret plus your Umbrella org ID (vManage 17.2 and later) into the appropriate fields.
vManage 17.2 and later:
- If you have an existing Security Policy, you can edit that policy to add DNS Security. You can also click Add Security Policy to create a new Security Policy.
- Click Create New, then enter a policy name. Since the Umbrella Token ID has already been applied, Umbrella Registration Status shows “green” (configured).
- Choose whether to apply your policy to all VPNs, or only selected VPNs. You can also create a domain bypass list for internal addresses that should not be redirected to Cisco Umbrella.
- Under Advanced settings, you can optionally enable DNSCrypt to encrypt DNS packets with EDNS (Device ID and Client IP) data.
- Click Save DNS Security Policy.
- You should now see a Network Device identity in the Umbrella dashboard for each VPN that was registered. If the VPN name at the time of registration matched an existing policy name in the Umbrella dashboard, then the Network Device representing that VPN will automatically be placed into that Umbrella policy. Otherwise, all VPNs as represented by Network Devices will be part of the default Umbrella policy.
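The following pre-flight check is an added example, not part of the original guide or Cisco's tooling. It lints a proposed domain bypass list against the limits listed above (64 entries, 100 characters) and counts which query types in a DNS sample would bypass the connector because they are not A, AAAA, or TXT. The function names and sample data are constructed, and it assumes bypass entries are plain domain names.

```python
# Added example: limits and record types come from this guide; function names
# and sample data are constructed. Assumes bypass entries are plain domain names.
from collections import Counter

MAX_BYPASS_DOMAINS = 64                  # guide: maximum local domains in the bypass list
MAX_DOMAIN_LENGTH = 100                  # guide: allowed domain name length
REDIRECTED_TYPES = {"A", "AAAA", "TXT"}  # guide: only these query types are redirected


def lint_bypass_list(entries):
    """Return (cleaned_entries, problems) for a proposed domain bypass list."""
    cleaned, problems, seen = [], [], set()
    for raw in entries:
        name = raw.strip().lower()       # DNS names compare case-insensitively
        if not name:
            problems.append("empty entry")
            continue
        if name in seen:
            problems.append(f"duplicate: {name}")
            continue
        seen.add(name)
        if len(name) > MAX_DOMAIN_LENGTH:
            problems.append(f"too long ({len(name)} chars): {name[:30]}...")
            continue
        cleaned.append(name)
    if len(cleaned) > MAX_BYPASS_DOMAINS:
        problems.append(
            f"{len(cleaned)} entries exceed the limit of {MAX_BYPASS_DOMAINS}")
    return cleaned, problems


def unredirected_queries(queries):
    """Count query types in (qname, qtype) pairs that would bypass the connector."""
    return Counter(qtype.upper() for _, qtype in queries
                   if qtype.upper() not in REDIRECTED_TYPES)


if __name__ == "__main__":
    # Constructed sample input.
    proposed = ["corp.example", "Corp.Example", "intranet.example", "a" * 101, " "]
    cleaned, problems = lint_bypass_list(proposed)
    print("usable entries:", cleaned)
    print("problems:", problems)
    sample = [("www.example.com", "A"), ("example.com", "MX"),
              ("_sip._tcp.example.com", "SRV"), ("example.com", "txt"),
              ("example.com", "HTTPS")]
    print("not redirected:", dict(unredirected_queries(sample)))
```

Query types reported by `unredirected_queries` are not covered by the DNS redirect policy and need another control if they matter in your environment.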
Updated 2 months ago