Cisco’s SD-WAN and Umbrella integration enables you to deploy Umbrella across your SD-WAN to hundreds of devices in minutes and instantly gain web and DNS-layer protection against threats. You gain the cost savings and improved performance of direct internet access (DIA) at branch offices, without sacrificing security or taking on the burden of managing devices individually.
With the integration, administrators can create policies and view reports on a per-VPN basis.
This document details how to configure Umbrella DNS redirect security policies with Cisco SD-WAN. For more comprehensive information about configuring additional Cisco SD-WAN Security policies, see the SD-WAN Security Deployment Guide.
For more information about Cisco SD-WAN hardware compatibility, see the SD-WAN Compatibility Matrix.
Notes: Automatic policy assignment based on VPN name - Viptela VPNs, represented by Network Devices in the Umbrella dashboard, will automatically be placed in an Umbrella policy if the Viptela VPN name matches the name of an existing Umbrella policy. Otherwise, all Viptela VPNs will be covered by the Umbrella default policy unless they are manually added to another policy. Policy assignment can be done in the UI or via API.
- vManage version 20.1/IOS XE 17.2 or later.
- A security K9 license to enable Umbrella Integration.
The device must be running either:
- SD-WAN cEdge IOS XE 16.10 software image or later.
- SD-WAN vEdge 20.3.1 software image or later.
- If an application or host connects to an IP address directly instead of using DNS to resolve domain names, policy enforcement is not applied.
- If a client is connected to a web proxy, the DNS query does not pass through the device. In this case, the connector does not detect any DNS request and the connection to the web server bypasses any policy from the Umbrella portal.
- When the Umbrella Integration policy blocks a DNS query, the client is redirected to an Umbrella block page. HTTPS servers provide these block pages, and the IP address range of these block pages is defined by the Umbrella portal.
- Only type A, AAAA, and TXT queries are redirected. Other query types bypass the connector.
- Only the IPv4 address of the host is reported to Umbrella.
- A maximum of 64 local domains can be configured under the bypass list, and the allowed domain name length is 100 characters.
- In the Umbrella dashboard, navigate to Admin > API Keys and click Create.
- Select Legacy Network Devices, then click Create.
- Expand Legacy Network Devices, and then copy the API token—Your Key—so that you can complete the next steps.
The API token is a long alphanumeric set of characters.
- Select Umbrella Network Devices and then click Create.
- Copy Your Key and Your Secret to a secure document.
This Key and Secret are required for later steps.
- Select Keep it secure... and click Close.
- In the vManage dashboard, navigate to Configuration > Security and click the Custom Options dropdown.
- Select the Umbrella API Token. In the Manage Umbrella Registration box that appears, paste the token (legacy vManage) or the key and secret plus your Umbrella org ID (vManage 20.1 and later) into the appropriate fields.
vManage 20.1 and later:
- If you have an existing Security Policy, you can edit that policy to add DNS Security. You can also click Add Security Policy to create a new Security Policy.
- Click Create New, then enter a policy name. Since the Umbrella Token ID has already been applied, Umbrella Registration Status shows “green” (configured).
- Choose whether to apply your policy to all VPNs, or only selected VPNs. You can also create a domain bypass list for internal addresses that should not be redirected to Cisco Umbrella.
- Under Advanced settings, you can optionally enable DNSCrypt to encrypt DNS packets with EDNS (Device ID and Client IP) data.
- Click Save DNS Security Policy.
- You should now see a Network Device identity in the Umbrella dashboard for each VPN that was registered. If the VPN name at the time of registration matched an existing policy name in the Umbrella dashboard, then the Network Device representing that VPN will automatically be placed into that Umbrella policy. Otherwise, all VPNs as represented by Network Devices will be part of the default Umbrella policy.
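The limits listed earlier (64 bypass domains of at most 100 characters, and only A, AAAA, and TXT queries redirected) can be checked before a policy is saved. The following Python sketch is an added example, not Cisco code: it validates a planned bypass list and sorts sample queries by whether the connector would redirect them. The function names, the sample data, and the rule that a bypass entry also covers its subdomains are assumptions made for illustration.

```python
# Limits stated on this page.
MAX_BYPASS_DOMAINS = 64
MAX_DOMAIN_LENGTH = 100
REDIRECTED_TYPES = {"A", "AAAA", "TXT"}

def normalize(name):
    """Lower-case a domain name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def validate_bypass_list(domains):
    """Return a list of problems; an empty list means the limits are met."""
    problems, unique = [], []
    for raw in domains:
        name = normalize(raw)
        if not name:
            problems.append("empty entry")
        elif len(name) > MAX_DOMAIN_LENGTH:
            problems.append(f"{name[:20]}...: {len(name)} chars, limit {MAX_DOMAIN_LENGTH}")
        elif name in unique:
            problems.append(f"{name}: duplicate entry")
        else:
            unique.append(name)
    if len(unique) > MAX_BYPASS_DOMAINS:
        problems.append(f"{len(unique)} domains, limit {MAX_BYPASS_DOMAINS}")
    return problems

def is_bypassed(qname, bypass):
    """Assumption: an entry matches the domain itself and any subdomain."""
    qname = normalize(qname)
    return any(qname == d or qname.endswith("." + d) for d in map(normalize, bypass))

def coverage(queries, bypass):
    """Sort (qname, qtype) pairs by whether the connector redirects them."""
    result = {"redirected": [], "bypass_list": [], "unsupported_type": []}
    for qname, qtype in queries:
        if qtype.upper() not in REDIRECTED_TYPES:
            result["unsupported_type"].append((qname, qtype))
        elif is_bypassed(qname, bypass):
            result["bypass_list"].append((qname, qtype))
        else:
            result["redirected"].append((qname, qtype))
    return result

# Constructed sample data, not from a real deployment.
SAMPLE_BYPASS = ["corp.example", "Lab.Example."]
SAMPLE_QUERIES = [("www.example.com", "A"), ("intranet.corp.example", "AAAA"),
                  ("example.com", "MX"), ("_dmarc.example.com", "TXT"),
                  ("notcorp.example", "A")]

if __name__ == "__main__":
    print(validate_bypass_list(SAMPLE_BYPASS), coverage(SAMPLE_QUERIES, SAMPLE_BYPASS))
```

Queries that land in `bypass_list` or `unsupported_type` never reach Umbrella, so they are the traffic to cover with other controls or logging.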