Other Configurations
Table of Contents
- Configure Rate Limiting
- Configure NTP Servers
- Configure Umbrella for Government Resolvers
- Configure DNSSEC Support
- Configure Logging to Remote Syslog Server
- Configure Dual-NIC Support on the VA
- Configure Load Balancing
- Configure Identity Association Timeouts
- Configure NTP over TLS
- PIV-CAC Support
Configure Rate Limiting
Umbrella virtual appliances (VAs) support the rate-limiting of DNS queries on a per-IP basis. This can be used to prevent any single endpoint from attempting to flood the VA with DNS queries and causing a Denial-of-Service on the VA.
Command | Description | Notes |
---|---|---|
config va per-ip-rate-limit enable <pps> <burst> | Enable rate limiting | Rate limiting is off by default. <pps>: number of packets accepted per second from each individual IP; supported values are 10 to 100000. <burst>: packet burst rate. |
config va per-ip-rate-limit disable | Disable rate limiting | |
config va show | Check status and packet drops | |
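To make the <pps>/<burst> pair concrete, here is an added Python simulation of a per-IP token-bucket limiter. It is not the VA's implementation (the page does not document the VA's algorithm): the refill rule is a standard token bucket assumed for the example, and the addresses and timestamps are constructed sample traffic.

```python
"""Added example (not the VA's implementation): a per-IP token-bucket limiter
modelled on the <pps> and <burst> parameters above. The refill rule is an
assumption; the addresses and timestamps below are constructed sample data."""
from collections import defaultdict


class PerIpRateLimiter:
    def __init__(self, pps, burst):
        if not 10 <= pps <= 100000:          # supported range stated on the page
            raise ValueError("pps must be between 10 and 100000")
        if burst < 1:
            raise ValueError("burst must be at least 1")
        self.pps, self.burst = pps, burst
        self._buckets = {}                   # ip -> (tokens, time of last refill)
        self.drops = defaultdict(int)        # per-IP drop counters

    def allow(self, ip, now):
        """Accept one packet from ip at time `now` if its bucket holds a token."""
        tokens, last = self._buckets.get(ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.pps)  # refill, capped at burst
        if tokens >= 1.0:
            self._buckets[ip] = (tokens - 1.0, now)
            return True
        self._buckets[ip] = (tokens, now)
        self.drops[ip] += 1
        return False


def simulate(limiter, packets):
    """packets: iterable of (timestamp, src_ip) in time order.
    Returns {ip: (accepted, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in packets:
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def flood_scenario():
    """Constructed traffic: one host sends 8 queries at t=0 and 8 more at t=1s,
    a second host sends a single query; limiter configured with pps=10, burst=5."""
    limiter = PerIpRateLimiter(pps=10, burst=5)
    packets = [(0.0, "10.1.2.3")] * 8 + [(0.0, "10.1.2.9")] + [(1.0, "10.1.2.3")] * 8
    return simulate(limiter, packets)


if __name__ == "__main__":
    print(flood_scenario())   # {'10.1.2.3': (10, 6), '10.1.2.9': (1, 0)}
```

The burst value bounds how many queries a quiet host can send at once; after that the host is held to the steady pps rate, while an unrelated host is unaffected because each IP has its own bucket.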
Configure NTP Servers
By default, Umbrella virtual appliances (VAs) use Ubuntu NTP servers (ntp.ubuntu.com) as their time servers.
You can configure VAs to use other NTP servers.
Command | Description |
---|---|
config ntp add <serverIP1> <serverIP2> … | Add NTP servers to the VA |
config ntp remove <serverIP1> … | Remove NTP servers |
config ntp show | View VA's Current NTP Servers |
Configure Umbrella for Government Resolvers
By default, the VA is configured to use the standard Umbrella for Government resolvers. You can change the Umbrella for Government resolvers used by the VA.
Command | Description | Notes |
---|---|---|
config va resolvers global | Use standard Umbrella for Government resolvers. | |
config va resolvers alternate | Use alternate Umbrella for Government resolvers. | Use this option if your ISP blocks traffic to the standard Umbrella for Government resolvers. |
config va resolvers global-v6 | Use standard IPv6 Umbrella for Government resolvers. | |
When the Umbrella IPv6 resolvers are configured, only DNS queries are sent over IPv6. HTTPS traffic to other endpoints is sent over IPv4 only.
Configure DNSSEC Support
Cisco Umbrella supports DNSSEC by performing validation on queries sent from Umbrella for Government resolvers to upstream authorities.
If your endpoints are making DNS queries with the DNSSEC OK (DO) bit to the VA, the default behavior of the VA is to turn off this bit before forwarding the query to Umbrella or the local DNS server.
Command | Description | Notes |
---|---|---|
config va dnssec enable | Configure the VA to preserve the DO bit when forwarding the DNS query to Umbrella and/or the local DNS server. | Preserves any DNSSEC Security Resource Records in the DNS response to the endpoint. |
config va dnssec disable | Restore the default behavior: the DO bit is cleared before the query is forwarded. | |
Configure Logging to Remote Syslog Server
Umbrella VAs can forward logs to a remote syslog server. Forwarding of logs related to internal DNS queries, logs on upgrades and reboots of the VA, and admin audit logs is supported.
- Configure the destination (remote syslog server) on the VA with the following command:
config logexport destination server-ip-address:port udp
Supported Values for
- TCP, UDP, and TLS are supported protocols.
- If no value is specified, TCP is the default.
- If the protocol value is TCP or UDP and a port is not specified, 514 is assigned as the default port.
- If the protocol value is TLS and a port is not specified, 6514 is taken as the default port.
- IPv6 addresses are not supported as destination IPs for this command.
To forward the logs over a TLS-encrypted session, first create the certificates for client (VA) and server (remote syslog server). The certificates can be self-signed or signed by a Root certificate authority (CA). Add the key and certificate to the VA using the following commands:
config logexport key <copy the contents from keyForClientCert.pem file>
config logexport cert <copy the contents from ClientCert.pem file>
config logexport ca <copy the contents from selfsignedCA.pem|chainCertCA.pem file>
The CA configured in the last command should be the CA used to sign the server certificate.
- Configure the forwarding of logs on the VA.
Command | Description | Log Format |
---|---|---|
config logexport enable internaldns | All internal DNS queries sent to the internal DNS server are logged at the syslog server. Each entry includes the date and time, the internal domain queried, and the private IP, hostname, and username of the source endpoint that made the query. The hostname and username of the source endpoint are not available unless AD integration is configured for the VA. | Internal DNS query: Date, Time, Hostname ("forwarder"), VA label "InternalDNS", internal IP of the source, user AD identity of the source ("NULL" if no user identity is mapped to this IP), host AD identity of the source ("NULL" if no host identity is mapped to this IP), internal domain being queried. |
config logexport enable health | Reboots and upgrades of the VA are logged at the syslog server. | VA boot: Date, Time, Hostname ("forwarder"), VA label "Health", "VA started". VA upgrade: Date, Time, Hostname ("forwarder"), VA label "Health", "VA downloaded version <x.y.z>" or "VA upgraded to version <x.y.z>". |
config logexport enable admin | Admin audit log: logins by admin users and config commands run on the VA are logged at the syslog server. | User login to VA: Date, Time, Hostname ("forwarder"), VA label "Audit-Auth", "SSH login from as <vmadmin/vmuser> succeeded/failed" or "Console login as <vmadmin/vmuser> succeeded/failed". Configuration change: Date, Time, Hostname ("forwarder"), VA label "AuditLog-Config", "Command executed". |
config logexport enable all | Enables logging of internaldns, health and admin logs at the syslog server. | |
- To check the status of the log forwarding, use the following command:
config logexport status
Turn Off the Logging
To turn off logging, use the following command:
config logexport disable <feature>
The feature parameter can take the value of "internaldns", "health", "audit" or "all".
Example: config logexport disable all
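The log formats in the table above are easiest to use once they are parsed into fields, so here is an added Python parser with two checks a SOC would run over the forwarded records (repeated failed SSH logins, and internal queries with no AD identity). This is not Cisco's tooling: the sample lines are constructed to the field order the table gives, the VA's real output may differ in spacing or quoting, and the address after "SSH login from" is an assumption made for the example.

```python
"""Added example (not Cisco's tooling): parse the syslog records the VA forwards,
in the field order the table gives, and run two simple checks over them.
Sample lines are constructed; the source address after "SSH login from" is an
assumption for the example."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<label>\S+)(?: (?P<msg>.*))?$"
)
SSH_RE = re.compile(r"^SSH login from (?P<src>\S+) as (?P<user>vmadmin|vmuser) (?P<result>succeeded|failed)$")
CONSOLE_RE = re.compile(r"^Console login as (?P<user>vmadmin|vmuser) (?P<result>succeeded|failed)$")

# Constructed sample records laid out per the "Log Format" column.
SAMPLE_LOG = """\
Jan 12 10:15:02 forwarder InternalDNS 10.1.2.3 jdoe DESKTOP-01 intranet.corp.example
Jan 12 10:15:05 forwarder InternalDNS 10.1.2.7 NULL NULL fileserver.corp.example
Jan 12 10:16:00 forwarder Health VA started
Jan 12 10:17:30 forwarder Audit-Auth SSH login from 10.1.2.50 as vmadmin failed
Jan 12 10:17:33 forwarder Audit-Auth SSH login from 10.1.2.50 as vmadmin failed
Jan 12 10:17:36 forwarder Audit-Auth SSH login from 10.1.2.50 as vmadmin failed
Jan 12 10:18:01 forwarder Audit-Auth Console login as vmadmin succeeded
Jan 12 10:18:20 forwarder AuditLog-Config config ssh password disable
"""


def parse_line(line):
    """One syslog line -> event dict keyed by VA label, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"date": m["date"], "time": m["time"], "host": m["host"], "label": m["label"]}
    msg = m["msg"] or ""
    if event["label"] == "InternalDNS":
        src, user, host, domain = msg.split()
        event.update(src_ip=src, user=None if user == "NULL" else user,
                     src_host=None if host == "NULL" else host, domain=domain)
    elif event["label"] == "Health":
        event["event"] = msg
    elif event["label"] == "Audit-Auth":
        a = SSH_RE.match(msg)
        c = None if a else CONSOLE_RE.match(msg)
        if a:
            event.update(method="ssh", src=a["src"], user=a["user"], result=a["result"])
        elif c:
            event.update(method="console", src=None, user=c["user"], result=c["result"])
    elif event["label"] == "AuditLog-Config":
        event["command"] = msg
    return event


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failed_ssh_logins(events, threshold=3):
    """Sources with at least `threshold` failed SSH logins."""
    counts = Counter(e["src"] for e in events
                     if e["label"] == "Audit-Auth" and e.get("method") == "ssh"
                     and e.get("result") == "failed")
    return {src: n for src, n in counts.items() if n >= threshold}


def config_changes(events):
    return [e["command"] for e in events if e["label"] == "AuditLog-Config"]


def unmapped_dns_sources(events):
    """Internal DNS queries carrying no AD user or host identity (NULL/NULL)."""
    return sorted({e["src_ip"] for e in events
                   if e["label"] == "InternalDNS" and e["user"] is None and e["src_host"] is None})
```

The admin audit records are the ones to alert on: a run of failed SSH logins against vmadmin, or a configuration change such as disabling password authentication, should reach the syslog server before the VA itself is touched further.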
Configure Dual-NIC Support on the VA
NIC Terminology
Throughout this section, the terms NIC, network interface, and network adapter are used interchangeably.
The Umbrella VA supports a dual-NIC configuration. This dual-NIC configuration is intended to enable DMZ deployment of a VA for traffic segregation with one network interface being used for outbound communication and the other network interface used for internal communication.
Dual-NIC support has only been qualified on VAs running on Hyper-V and VMware. There is no change to existing behavior if the VA is deployed with a single NIC. Configuring more than two NICs on the VA is not supported.
Note: IPv6 addresses cannot be configured for network adapters when using the dual-NIC configuration.
Configure an Existing VA to Support Dual-NIC
- Open your existing VA in your preferred hypervisor's console or SSH to the VA.
- Run the command config va show. Ensure that the IP configured here is the IP that will be used for internal communication. This is the IP that your endpoints will use for DNS resolution.
Tip: Note the MAC address of the existing network adapter before adding a secondary network adapter.
- Shut down the VA and add a second network adapter using your hypervisor console. This is the network adapter you will use for outbound communication. It should be of the same driver type as your primary network adapter.
Note: Some platforms may not permit the addition of a second network adapter after the VA has been created.
- Turn the VA on, enter Configuration mode from the console or through SSH, and run the command config va show. This command returns the name of the second adapter.
Note: Adding a second adapter while the VA is powered on may result in the adapter not being detected or in corruption of the existing configuration. The VA must be shut down before the second adapter is added.
- For the secondary adapter, assign the IP, netmask, and gateway parameters to be used for outbound (Internet) communication. Enter:
config va interface <interface name> <ip address> <netmask> <gateway>
Verify against the MAC address of the respective adapters to ensure that the IP addresses are not misconfigured.
Note: You cannot direct DNS requests to the IP configured on the secondary adapter because incoming DNS traffic is blocked on this IP.
- Once you have saved your changes, enable traffic segregation. Enter:
config va dmz enable
Static routes are configured for the IP on the secondary adapter to all Umbrella destinations required for the proper functioning of the VA. Configuring additional static routes is currently not supported.
Deploy a New VA to Support Dual-NIC DMZ Mode
You can deploy a new VA with dual-NIC support. The configuration steps are similar to configuring an upgraded VA. You can add the secondary adapter to the VM using the hypervisor console, before powering on the VM. Both adapters should be of the same driver type.
- Enter configuration mode on the VA and retrieve the name of both adapters. Enter:
config va show
- Configure the primary adapter and then the secondary adapter. Enter:
config va interface <interface name> <ip address> <netmask> <gateway>
Ensure that the primary adapter is configured with the IP that you wish to use for internal communication and that the secondary adapter is configured with the IP to be used for internet-bound communication.
- Once both adapters are configured, enable traffic segregation. Enter:
config va dmz enable
Configure Load Balancing
Umbrella VAs can be load balanced behind a load balancer that meets the following requirements:
- The load balancer is able to inject the source IP address of the client making the query in the EDNS Client Subnet (ECS) field of the DNS request sent to the VA.
- The DNS response from the virtual appliance routes through the load balancer so the response to the client comes from the address of the load balancer.
This feature has specifically been qualified with the F5 BIGIP-LTM 16.1.1 version, where the F5 can inject the endpoint source IP in DNS requests that it forwards to VAs in the load balancing pool. Refer to F5 documentation on ECS injection in DNS requests when forwarding these requests to a DNS server pool.
The VA will not accept DNS requests with the ECS option from any endpoint by default. To allow the VA to accept DNS requests with the ECS option from load balancers, the load balancer IP has to be added to the VA configuration using the following commands:
- Add a load balancer—
config loadbalancer add <server-ip/prefix>
- Remove a load balancer—
config loadbalancer remove <server-ip/prefix>
Note: A maximum of 8 load balancers can be added to a VA and only a single load balancer can be added or removed at a time.
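Both the DNSSEC section (the DO bit the VA clears by default) and the load-balancer rule above concern the EDNS0 OPT record of a query. The following added Python example, which is not Cisco's code, builds a query carrying an OPT record, shows where the DO bit lives and how it is cleared, and applies the page's rule that the ECS option is accepted only from a configured load balancer (at most 8). Packet layout follows RFC 1035, RFC 6891 and RFC 7871; the addresses and prefixes are constructed sample values, and the parser assumes the OPT record is the first record of the additional section, which holds for the queries it builds.

```python
"""Added example (not Cisco's code): EDNS0 OPT handling for the two VA rules
above. Assumptions: the OPT RR is the first additional record, answer and
authority sections are empty (a query), and all addresses are constructed."""
import ipaddress
import struct

OPT_TYPE = 41
ECS_OPTION_CODE = 8
DO_BIT = 0x8000          # DNSSEC OK bit inside the OPT record's 32-bit TTL field (RFC 6891)
MAX_LOAD_BALANCERS = 8   # limit stated on the page


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _ecs_option(network):
    """ECS option: family, source prefix length, scope (0 in queries), address prefix bytes."""
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname, do_bit=False, ecs=None, txid=0x1234):
    """A-record query, RD set, one additional record (the OPT RR)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    rdata = _ecs_option(ecs) if ecs else b""
    ttl = DO_BIT if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_opt(msg):
    """{'do': bool, 'ecs': network or None, 'ttl_offset': int}, or None without an OPT RR."""
    qdcount, _an, _ns, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    if arcount == 0:
        return None
    off = _skip_name(msg, off)
    rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    if rtype != OPT_TYPE:
        return None
    ecs, rdata, pos = None, msg[off + 10:off + 10 + rdlen], 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        body = rdata[pos + 4:pos + 4 + length]
        if code == ECS_OPTION_CODE:
            family, src_len, _scope = struct.unpack("!HBB", body[:4])
            size = 4 if family == 1 else 16
            addr = ipaddress.ip_address(body[4:] + b"\x00" * (size - len(body[4:])))
            ecs = ipaddress.ip_network(f"{addr}/{src_len}", strict=False)
        pos += 4 + length
    return {"do": bool(ttl & DO_BIT), "ecs": ecs, "ttl_offset": off + 4}


def clear_do_bit(msg):
    """VA default behaviour: forward the query with the DO bit turned off."""
    info = parse_opt(msg)
    if info is None or not info["do"]:
        return msg
    buf = bytearray(msg)
    (ttl,) = struct.unpack_from("!I", buf, info["ttl_offset"])
    struct.pack_into("!I", buf, info["ttl_offset"], ttl & ~DO_BIT)
    return bytes(buf)


def classify_query(msg, src_ip, load_balancers):
    """(accepted, client network). ECS is honoured only from a configured load balancer;
    a query carrying ECS from any other sender is not accepted."""
    if len(load_balancers) > MAX_LOAD_BALANCERS:
        raise ValueError("at most 8 load balancers can be configured")
    info = parse_opt(msg)
    src = ipaddress.ip_address(src_ip)
    if info and info["ecs"] is not None:
        if any(src in ipaddress.ip_network(lb, strict=False) for lb in load_balancers):
            return True, info["ecs"]
        return False, None
    return True, ipaddress.ip_network(str(src))
```

Clearing the DO bit leaves the packet length unchanged because the bit sits in the OPT record's TTL field rather than in an option; enabling `config va dnssec enable` corresponds to skipping the `clear_do_bit` step so the DNSSEC records in the answer reach the endpoint.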
Configure Identity Association Timeouts
The config admap command can be used to configure identity association timeouts as well as to view or clear the AD mapping. At this time, it is only possible to clear the mappings of an individual IP address.
Example commands:
config admap view <ip address>
config admap clear <ip address>
config admap set-user-timeout 28800 (sets the user timeout to 8 hours)
config admap set-host-timeout 28800 (sets the host timeout to 8 hours)
config admap show-timeout
Configure NTP over TLS
Overview
Network Time Protocol (NTP) is used to synchronize the clocks of computers on a network. Transport Layer Security (TLS) is a protocol that encrypts messages for security and privacy. Network Time Security (NTS) secures NTP communication by using TLS to establish the keys that authenticate NTP packets. This documentation provides instructions on how to enable NTS support in the Chrony NTP server and client.
Network Time Security (NTS) provides cryptographic security for the client-server mode of the Network Time Protocol (NTP). This security allows users to obtain time in an authenticated manner.
Background
The NTS protocol is divided into two phases:
- NTS key exchange: Establishes the necessary key material between the NTP client and the server, using a Transport Layer Security (TLS) handshake (the same public key infrastructure as the web). Once the keys are exchanged, the TLS channel is closed and the protocol enters the second phase.
- NTP authentication: Authenticates NTP time synchronization packets using the results of the TLS handshake. For more information, see RFC 8915.
Prerequisites
To enable NTS support in Chrony, you need Chrony version 4.0 or higher. You can check the version of Chrony installed on your system by running the following command:
chronyd -v
Ensure that Chrony is version 4.0 or higher, and includes the +NTS option. In case you need to install or update Chrony, update the package sources in the /etc/apt/sources.list file to point to a repository that provides the required version of Chrony.
Install Chrony on both the NTP server and client machines using the command:
sudo apt update
sudo apt install chrony
Configuration
Configure the NTP server to enable NTS support:
- Open the /etc/chrony/chrony.conf configuration file in a text editor, and make the following changes:
- Add the following lines to specify the location of the NTS server key and certificate files:
ntsserverkey /etc/chrony/server-key.pem
ntsservercert /etc/chrony/server-cert.pem
- Optionally, you can enable logging by uncommenting the following line:
log tracking measurements statistics
- Save and close the configuration file.
- Start the NTP server using the command sudo chronyd -d
Configure the NTP client to enable NTS support:
- Open the /etc/chrony/chrony.conf configuration file in a text editor, and make the following changes:
- Uncomment the line that specifies an NTS server as a time source (pool lines without the nts option use unauthenticated NTP):
#pool ntp.ubuntu.com iburst maxsources 4
#pool 0.ubuntu.pool.ntp.org iburst maxsources 1
#pool 1.ubuntu.pool.ntp.org iburst maxsources 1
#pool 2.ubuntu.pool.ntp.org iburst maxsources 2
#pool time.cloudflare.com iburst nts
- Save and close the configuration file.
Note
The specific NTS server and configuration may vary depending on your environment and requirements. For more information, see Chrony documentation on NTS configuration options.
After making the necessary configuration changes, you need to restart the Chrony services on both the NTP server and client machines to apply the changes. Run the following commands:
On NTP server:
sudo systemctl restart chronyd
On NTP client:
sudo systemctl restart chronyd
Verification: To verify that NTS is enabled and working, check the Chrony logs for any error messages or warnings related to NTS. The logs are usually located in the /var/log/chrony directory.
For self-signed certificates
Use PEM certificates and place them on the client in /etc/ssl/certs.
- Convert the .pem file to .crt, then:
- sudo cp my.crt /usr/local/share/ca-certificates/
- sudo update-ca-certificates
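A quick way to catch the common mistake in the two configurations above (a client source left without the nts option, or a server file missing its key or certificate directive) is to lint chrony.conf before restarting chronyd. The Python checker below is an added example, not part of chrony or of this page; the sample configurations are constructed, with a weak client file beside the corrected one.

```python
"""Added example (not part of chrony): lint the server and client chrony.conf
described above. Sample configurations are constructed for the example."""

COMMENT_PREFIXES = ("#", "!", ";", "%")       # chrony treats lines starting with these as comments

SERVER_CONF = """\
driftfile /var/lib/chrony/chrony.drift
ntsserverkey /etc/chrony/server-key.pem
ntsservercert /etc/chrony/server-cert.pem
log tracking measurements statistics
"""

# Weak client: every source is plain, unauthenticated NTP.
WEAK_CLIENT_CONF = """\
pool ntp.ubuntu.com iburst maxsources 4
pool 0.ubuntu.pool.ntp.org iburst maxsources 1
pool time.cloudflare.com iburst
"""

# Corrected client: the only active source carries the nts option.
NTS_CLIENT_CONF = """\
# pool ntp.ubuntu.com iburst maxsources 4
pool time.cloudflare.com iburst nts
"""


def parse_chrony_conf(text):
    """Yield (directive, args) for each active line, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        directive, *args = line.split()
        yield directive.lower(), args


def audit_nts_server(text):
    """Server side: both NTS directives must be present."""
    present = {directive for directive, _ in parse_chrony_conf(text)}
    return [f"missing {d}" for d in ("ntsserverkey", "ntsservercert") if d not in present]


def audit_nts_client(text):
    """Client side: every server/pool source must request NTS."""
    issues = []
    for directive, args in parse_chrony_conf(text):
        if directive in ("server", "pool") and "nts" not in (a.lower() for a in args):
            issues.append(f"{directive} {args[0]} uses unauthenticated NTP (no nts option)")
    return issues


def audit_all(server_text, client_text):
    return {"server": audit_nts_server(server_text), "client": audit_nts_client(client_text)}
```

An empty issue list on both sides is the precondition for the restart step above; a non-empty client list means chronyd would still accept time from an unauthenticated source even though NTS is configured elsewhere.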
PIV-CAC Support
The purpose of this feature is to replace the common password-based SSH login with individual smart card-based public key authentication for each administrator and to allow multiple smart cards to be used on the SSH client, passing only the current card's authentication while rejecting others.
To enable PIV-CAC support:
Enter Configuration Mode on a VA Deployed on VMware or Hyper-V
When you open the VA in your preferred hypervisor's console, you will see a configuration menu. The system time is set to UTC by default. This will not affect your DNS, network, or hypervisor. If you have deployed the VA in a network that supports DHCP, the VA is automatically assigned a DHCP IP address and registers to Umbrella using this IP. This IP address appears in the configuration menu as well as in the Umbrella dashboard.
- Press Ctrl+B and, when prompted, provide a password for configuration changes.
Note: Using the number lock or the number pad on your keyboard may return incorrect characters. You must change the password when you enter Configuration Mode. Your password must contain a minimum of eight characters and include at least one lowercase character, one uppercase character, one digit, and one special character. Your new password cannot be the same as your last password.
Note: Umbrella<OrgID> should be set as the default password for the VA. Your Org ID can be retrieved from the dashboard URL in your address bar. For example, if your Org ID is 2406960, the default password for the VA would be Umbrella2406960. For more information about the Umbrella Org ID, see Find Your Organization ID.
- Optionally, enable remote configuration of this VA over SSH by entering config va ssh enable.
- If you have enabled SSH, you can now remotely connect to the VA over SSH and enter Configuration Mode after authentication. Enter ssh vmadmin@<VA's IP address>. Note: Configuration mode does not support concurrent access by more than two users.
- Once SSH is enabled, only password-based authentication is supported by default.
- To use PIV-CAC with the VA, enable public-key based authentication by entering config ssh publickey enable. Once enabled, you can add the public keys from PIV-CAC cards by entering config ssh add.
- You can now remotely connect to the VA over SSH using PIV-CAC smart cards and enter Configuration Mode after authentication. Enter ssh vmadmin@<VA's IP address>. (This assumes the SSH client is configured to use PIV-CAC for authenticating to servers.)
- If needed, you can disable password-based authentication to the VA by entering config ssh password disable. This ensures that only authorized PIV-CAC users can log in to the VA.
Note: Both authentication modes cannot be disabled at the same time. Ensure that at least one public key added to the VA is a VALID key. If password-based authentication is disabled and none of the keys added to the VA are valid, the VA can no longer be accessed and cannot be recovered, because vmadmin is the only login supported on the VA.
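Because a VA with password authentication disabled and no valid public key cannot be recovered, the key lines should be checked structurally before that final command is run. The Python validator below is an added example, not the VA's own check: it parses an OpenSSH public-key line, confirms the base64 blob is intact and its embedded type matches the prefix, and only then reports that password logins may be disabled. The key blobs it builds are constructed placeholders, not real keys, and the 2048-bit RSA minimum is a policy chosen for the example rather than a requirement stated on the page.

```python
"""Added example (not the VA's own check): validate OpenSSH public-key lines
before relying on them as the sole login path. Constructed key blobs only;
MIN_RSA_BITS is a policy chosen for this example."""
import base64
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa",
                 "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048


def _ssh_string(data):
    return struct.pack("!I", len(data)) + data


def _read_strings(blob):
    """Split an SSH wire blob into its length-prefixed fields (RFC 4251 'string')."""
    off, fields = 0, []
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def validate_public_key(line):
    """Return (ok, reason) for one '<type> <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        return False, f"unsupported key type {key_type}"
    try:
        fields = _read_strings(base64.b64decode(b64, validate=True))
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        return False, f"malformed key blob: {exc}"
    if not fields or fields[0] != key_type.encode():
        return False, "key type inside blob does not match the prefix"
    if key_type == "ssh-ed25519":
        if len(fields) != 2 or len(fields[1]) != 32:
            return False, "ed25519 key must carry a 32-byte public key"
    elif key_type == "ssh-rsa":
        if len(fields) != 3:
            return False, "rsa key must carry exponent and modulus"
        bits = int.from_bytes(fields[2], "big").bit_length()
        if bits < MIN_RSA_BITS:
            return False, f"rsa modulus is {bits} bits, below {MIN_RSA_BITS}"
    else:  # ecdsa: the curve-name field must match the type suffix
        if len(fields) != 3 or fields[1] != key_type.split("-")[-1].encode():
            return False, "ecdsa curve name does not match key type"
    return True, "ok"


def can_disable_password_auth(key_lines):
    """Mirror of the note above: safe only if at least one configured key validates."""
    return any(validate_public_key(line)[0] for line in key_lines)


def constructed_key_line(key_type, fields, comment, blob_type=None):
    """Build a key line from constructed fields; blob_type lets a test forge a mismatch."""
    blob = b"".join(_ssh_string(f) for f in [(blob_type or key_type).encode(), *fields])
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"
```

A key pasted with a missing tail, or with a type prefix that disagrees with the encoded blob, fails here exactly as it would fail at login; structural validity does not prove the card holder can authenticate, so a successful PIV-CAC login should still be confirmed before password authentication is disabled.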