IP Layer Enforcement will be end of life July, 2022
For more information, please see the official IPLE End of Life announcement
Not all features described here are available to or compatible with all Umbrella packages. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.
Table of Contents
- Enable IP Layer Enforcement for the Umbrella Roaming Client
- Test to Ensure IP Layer Enforcement is Functional
- Frequently Asked Questions
IP Layer Enforcement requires that a version 2.0.1 (or above) of the Umbrella roaming client be available to your organization before the feature can be enabled, both for Mac and Windows. If Umbrella roaming clients are not automatically upgrading to this version, they may be offline or the installation may be broken.
Umbrella already provides some of the most advanced threat protection and predictive security in the world but there are times when malware authors will use an IP address instead of a fully qualified domain name to host their malware. Since Umbrella protects against malicious domains and URLs primarily, we saw this as an area we needed to address.
Malware authors might use IP addresses that bypass DNS lookups when creating a threat. For instance, one of your users might receive a phishing email with a URL that has an IP address in it, eg: http://x.x.x.x/malware.exe while they're not in your office and protected by your firewalls. Or, a user may go home, insert an infected USB stick into their computer to look at their children's homework, and execute malware that contacts http://x.x.x.x:3000/malicious/bad.exe.
Normally, malware authors use domain names and not IP addresses. There's a good reason for that: IP addresses that host malware are quickly blocked or taken down by the ISP that owns them, but a domain name can always resolve to a new IP address. However, there are exceptions and we recognize that in order to provide the best possible security coverage, we'd need to block IPs in certain circumstances. Some IP addresses are simply known to be bad. Other IP addresses may host valid content on non-HTTP ports, while the web ports host malicious content. The inverse is also true; IP addresses can host legitimate HTTP websites but also host malicious command and control hosts on a non-standard port. The IP Layer Enforcement feature handles all of these scenarios.
IP Layer Enforcement requires that Anyconnect version 4.8.03052 or above (Windows only) or the Umbrella roaming client version 2.0.1 or above (macOS or Windows) be available to your organization before the feature can be enabled. If Umbrella roaming clients are not automatically upgrading to this version, they may be offline or the installation may be broken.
- Either Anyconnect version 4.8.03052 or above (Windows only) or the Umbrella roaming client version 2.0.1 or above (Windows or macOS) should be installed and working
- Compatible versions of Windows: 7, 8, 8.1 and 10
Note: IP Layer Enforcement is compatible with Windows 10 version 1511 or later. If IP Layer Enforcement does not work, it would fail gracefully—network connectivity and DNS Layer protection will not be affected.
- Incompatible versions of Windows: Windows XP, Vista
- Supported versions of macOS: 10.11.6 to 10.15. Note: IPLE is not compatible with BigSur (MacOS version 11.0) or above.
Currently, the Umbrella roaming client only supports dual-stack IPv4/IPv6 for the Mac OS. Stand-alone support for IPv6 for both the Mac and Windows operating systems is not supported. For more information, see Umbrella Roaming Client: IPv6 Support.
If the Umbrella roaming client is behind a virtual appliance (VA), the policy applied to the Umbrella roaming client will come from the VA identity rather than the policy for the Umbrella roaming client identity and testing will be difficult. For more information, please see the next section of this guide.
Internet Protocol Security (IPSec) traffic must be allowed through firewalls. The following ports and protocols must be allowed:
- Protocol 50 (ESP)
- Protocol 51 (AH)
- UDP Port 500
- UDP Port 4500
If the Umbrella roaming client is behind a virtual appliance (VA), the policy applied to the Umbrella roaming client will come from the VA identity rather than the policy for the Umbrella roaming client identity and testing will be difficult. For more information, see the next section of this guide.
- Internet Protocol Security (IPSec) traffic must be allowed through firewalls. The following ports and protocols must be allowed:
- Protocol 50 (ESP)
- Protocol 51 (AH)
- UDP Port 500
- UDP Port 4500
IPSec uses IP protocol 50 for Encapsulated Security Protocol (ESP), IP protocol 51 for Authentication Header (AH), and UDP port 500 for IKE Phase 1 negotiation and Phase 2 negotiations. UDP port 4500 is also used.
To restrict IPSec to only the Umbrella servers providing malicious IP blocking, allow ESP, AH, UDP Port 500 and UDP Port 4500 to these IP ranges only:
184.108.40.206/23 220.127.116.11/23 18.104.22.168/24 22.214.171.124/24 126.96.36.199/24 188.8.131.52/24 184.108.40.206/24 220.127.116.11/24 18.104.22.168/24 22.214.171.124/24 126.96.36.199/23 188.8.131.52/23 184.108.40.206/22 220.127.116.11/23
Note: A full list of the exact IP addresses—not just the ranges—can be found here.
If you would like to simply allow access to all of the Umbrella ranges used:
18.104.22.168/19 22.214.171.124/24 126.96.36.199/24 188.8.131.52/24 184.108.40.206/24 220.127.116.11/24 18.104.22.168/24 22.214.171.124/21 126.96.36.199/21 188.8.131.52/21
- In Umbrella, navigate to Deployments > Core Identities > Roaming Computers and click Settings.
- Select either the Umbrella Roaming Client or Anyconnect Roaming Client tab.
- Enable Allow IP Layer Enforcement.
- Navigate to Policies > Management > All Policies and click Add or expand a policy to edit it.
- When adding a new policy, at the bottom of the What should this policy do page, expand Advanced Settings, enable the intelligent proxy, and check Enable IP Layer Enforcement.
- Click Next and complete the wizard.
Alternatively, at the bottom of the Summary page, expand Advanced Settings, check Enable IP-Layer Enforcement, and then click Save.
IP Layer Enforcement only applies to roaming computers with the Umbrella roaming client installed on Windows or Mac. However, the IP Layer Enforcement feature will still continue to be active and take effect when the Umbrella roaming client is behind a VA. The other security features (and filtering configurations) of the Umbrella roaming client will 'back off' in those instances and the policies for the Network, Internal Network, or Active Directory User/Computer policy will be applied instead, depending on your configuration.
If the Umbrella roaming client is being protected by a network that has been added to your Umbrella dashboard, and the roaming computer setting “Disable DNS Redirection on Umbrella Protected Networks” (Deployments > Core Identities > Roaming Computer > Settings > General Settings) is enabled, the Umbrella roaming client essentially disables itself and relies on the protection of the network for all features except IP Layer Enforcement.
IP Layer Enforcement is a separate part of the Umbrella roaming client and as such, behaves differently than the rest of the Umbrella roaming clients when behind the network. This is because most of the features are duplicated by the network or VA but IP Layer Enforcement is unique to the Umbrella roaming client.
To test whether you're blocking malicious IPs with the IP Layer Enforcement, we've set up a test page here: http://ipblock.opendnstest.com/
This page displays correctly when the feature is enabled and working for the Umbrella roaming client installed on the computer. Feel free to test the additional scenarios to get a sense of how the feature will behave when blocking a malicious IP address.
If things are not working as expected or the feature is not enabled on the Roaming Computer that you're testing with, this is what you will see:
If your policy is correctly configured as best as you can determine and the test page is still not reflecting that IP Layer Enforcement is enabled, this could be because the policy applied to this Roaming Computer does not have the IP Layer Enforcement feature enabled. Double-check the order of policy precedence for this identity in the dashboard.
To start troubleshooting, it's worth checking to ensure these outbound ports are set to allow encrypted DNS requests to be routed through the Umbrella Global Network:
- Port 53 TCP/UDP to opendns.com
- Port 443 TCP to opendns.com
Double-check the system requirements for this feature and ensure they've been met.
If problems persist beyond this point, or if there are any unexpected or unusual behaviors when the IP Layer Enforcement feature is enabled, we'd like to hear about it. Please e-mail us at [email protected]!
Updated 7 months ago