Umbrella's intelligent proxy allows for URL-based malware filtering of domains with legitimate content where some pages may contain malicious files. The steps to enable or disable it are the same as the steps for changing any other Security Setting: you can do it as a part of Centralized Settings so that it applies to all customers.
Wait, what's a proxy?
A proxy is just a step between your computer or mobile device and the internet. It intercepts requests for content on the internet, inspects them and, if it doesn't find a problem, allows access. On the other hand, if the content the computer was trying to access poses a security threat, the proxy blocks it. This quickly and easily protects you without the threat ever coming near enough to do harm.
There's no additional software (or hardware) required to use it, and no additional cost besides your license. The intelligent proxy is just another security setting. However, we do highly recommend also selecting the SSL Decryption option to broaden the scope of your protection. To make the decryption possible, you must install the Cisco root certificate. As with any change, we recommend making this change on a small subset of your user base first to ensure full compatibility; you may find you need to expand your allow list.
Although only SSL sites on our greylist will be proxied, it's required that the root certificate be installed on the computers that are using SSL decryption for the intelligent proxy in their policy. Sites on our 'grey' list can include popular sites, such as file sharing services, that can potentially host malware on certain specific URLs while the vast majority of the rest of the site is perfectly harmless, so your users will go to some proxied sites even if they're acting in good faith.
Without the root certificate, when your users go to that service, they will receive errors in the browser and the site will not be accessible. The browser, correctly, will believe the traffic is being intercepted (and proxied!) by a 'man in the middle', which is our service in this case. The traffic won't be decrypted and inspected; instead, the entire website won't be available.
With the root certificate installed, errors won't occur and the site will be accessible when it's been proxied and allowed. For information on installing the root certificate on multiple browsers and platforms, see Cisco Certificate Import Information.
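The three outcomes described above (not proxied, proxied with the root trusted, proxied with the root missing) can be told apart from a pilot machine with two TLS handshakes per site. This is an added example, not code from Cisco's documentation; it assumes the root certificate has been saved as a PEM file whose path you pass in, and that Python's default trust store reflects what was deployed (it does not necessarily match every browser's store). The function and state names are illustrative.

```python
"""Pilot check: is a host being proxied, and does this machine trust the proxy root?"""
import socket
import ssl
import sys


def handshake_ok(host, ctx, port=443, timeout=5.0):
    """True if the TLS handshake verifies under ctx, False if certificate
    verification fails. Other network errors propagate to the caller."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def build_contexts(root_pem):
    """Return (default_ctx, proxy_only_ctx). root_pem is the path to the
    downloaded root certificate in PEM form (path supplied by the operator)."""
    default_ctx = ssl.create_default_context()            # Python/OpenSSL default store
    proxy_only = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no trusted CAs
    proxy_only.load_verify_locations(cafile=root_pem)     # trust only the proxy root
    return default_ctx, proxy_only


def classify(default_ok, proxy_root_ok):
    """Map the two verification results to a rollout state."""
    if proxy_root_ok:
        # The chain ends at the proxy root, so the connection is being decrypted.
        return "proxied-trusted" if default_ok else "proxied-root-missing"
    # The chain does not end at the proxy root: the site was not proxied.
    return "direct" if default_ok else "unrelated-cert-failure"


def check(host, default_ctx, proxy_only):
    return classify(handshake_ok(host, default_ctx), handshake_ok(host, proxy_only))


if __name__ == "__main__":
    # Usage: python check_proxy_trust.py <root.pem> <host> [<host> ...]
    default_ctx, proxy_only = build_contexts(sys.argv[1])
    for host in sys.argv[2:]:
        try:
            print(f"{host}: {check(host, default_ctx, proxy_only)}")
        except OSError as exc:  # DNS failure, timeout, connection refused
            print(f"{host}: network error ({exc})")
```

A result of `proxied-root-missing` is the browser-error case described above: the site is being proxied, but the machine has not yet received the root certificate.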
- In the MSSP console, navigate to Centralized Settings > Advanced Settings and click Add A Setting or expand an existing setting.
- Toggle on Enable Intelligent Proxy. When enabled, you have access to the following options:
  - Enable IP-Layer Enforcement—(Roaming Computer identities only.) Tunnels suspect IP connections. To learn more, see Add IP Layer Enforcement.
  - Inspect Files—Inspects files for malicious content hosted on suspicious domains before downloading files. A suspicious domain is one that is neither trusted nor known to be malicious but might potentially pose a threat—in this case, we want to run a deeper inspection. Our proxy captures the file, scans it to determine if a threat exists and, if a threat is detected, blocks the file from being downloaded. This can be an explicit download, such as when a user clicks on a link in an email or a download that happens behind the scenes, in so-called 'drive-by download' scenarios. The Umbrella Security Activity and Activity Search reports offer you data on these actions so you can review what Umbrella blocked. For more information about Umbrella's File Inspection feature, see our Umbrella docs.
  - SSL Decryption—Inspects HTTPS traffic. To learn more, read this.
    You must download and install the Cisco root certificate. For more information, see Cisco Certificate Import Information.
- Click Continue until you can Save.
Once it's enabled, it's a good idea to check if it's working as you expect. To learn more about testing the intelligent proxy, read this.
To disable the intelligent proxy for testing, or for a group of users, simply un-toggle the option and apply changes.
For more information about the other advanced security settings on this page, see Configure Advanced Settings.