- Configure Rate Limiting
- Configure NTP Servers
- Configure Umbrella Resolvers
- Configure DNSSEC Support
- Configure Logging to Remote Syslog Server
- Configure Dual-NIC Support on the VA
- Configure Anycast
- Configure Load Balancing
- Configure Identity Association Timeouts
Umbrella virtual appliances (VAs) support the rate-limiting of DNS queries on a per-IP basis. This can be used to prevent any single endpoint from attempting to flood the VA with DNS queries and causing a Denial-of-Service on the VA.
|config va per-ip-rate-limit enable <pps> <burst>||Enable Rate-limiting||Rate-limiting is off by default. <pps>—Number of packets accepted per second from each individual IP. Supported values are 10 to 100,000.<burst>—Packet burst rate.|
|config va per-ip-rate-limit disable||Disable Rate-limiting|
|config va show||Check Status and Packet Drops|
By default, Umbrella VAs use Ubuntu NTP servers (ntp.ubuntu.com) as their time servers.
You can configure VAs to use other NTP servers.
|config ntp add <serverIP1> <serverIP2> …||Add NTP servers to the VA|
|config ntp remove <serverIP1> …||Remove NTP servers|
|config ntp show||View VA's Current NTP Servers|
By default, the VA is configured to use the standard Umbrella resolvers (184.108.40.206 and 220.127.116.11).
You can change the Umbrella resolvers used by the VA.
|config va resolvers global||Use standard Umbrella resolvers (18.104.22.168 and 22.214.171.124).|
|config va resolvers alternate||Use alternate Umbrella resolvers (126.96.36.199 and 188.8.131.52).||Use this option if your ISP blocks traffic to the standard Umbrella resolvers.|
|config va resolvers global-v6||Use standard IPv6 Umbrella resolvers (2620:119:35::35 and 2620:119:53::53).|
|config va resolvers US||Use the US-only Umbrella resolvers (184.108.40.206 and 220.127.116.11).|
|config va resolvers US-v6||Use the US-only IPv6 Umbrella resolvers (2620:119:17::76 and 2620:119:76::76).|
When the Umbrella IPv6 resolvers are configured, only DNS queries are sent over IPv6. HTTPS traffic to other endpoints (api.opendns.com, disthost.umbrella.com, and s.tunnels.ironport.com) is sent over IPv4 only.
Cisco Umbrella supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities.
If your endpoints are making DNS queries with the DNSSEC OK (DO) bit to the VA, the default behavior of the VA is to turn off this bit before forwarding the query to Umbrella or the local DNS server.
|config va dnssec enable||Configure the VA to preserve the DO bit when forwarding the DNS query to Umbrella and/or the local DNS server.||Preserves any DNSSEC Security Resource Records in the DNS response to the endpoint.|
|config va dnssec disable||Disable the above configuration.|
Umbrella VAs can forward logs to a remote syslog server. Forwarding of logs related to internal DNS queries, logs on upgrades and reboots of the VA, and admin audit logs is supported.
- Configure the destination (remote syslog server) on the VA with the following command:
config logexport destination server-ip-address:port udp
Supported Values for
- TCP, UDP, and TLS are supported protocols.
- If no value is specified, TCP is the default.
- If the protocol value is TCP or UDP and a port is not specified, 514 is assigned as the default port.
- If the protocol value is TLS and a port is not specified, 6514 is taken as the default port.
- IPv6 addresses are not supported as destination IPs for this command.
config logexport destination <10.26.02.82:514> udp
To forward the logs over a TLS-encrypted session, first create the certificates for client (VA) and server (remote syslog server). The certificates can be self-signed or signed by a Root certificate authority (CA). Add the key and certificate to the VA using the following commands:
config logexport key <copy the contents from keyForClientCert.pem file> config logexport cert <copy the contents from ClientCert.pem file> config logexport ca <copy the contents from selfsignedCA.pem|chainCertCA.pem file>
The CA configured in the last command should be the CA used to sign the server certificate.
- Configure the forwarding of logs on the VA.
config logexport enable internaldns
All internal DNS queries sent to the internal DNS server are logged at the syslog server. Logs include the date and time, the internal domain being queried and the private IP, hostname and username of the source endpoint that made the query.
Note that the hostname and username of the source endpoint will not be available if AD integration is not configured for the VA.
Format for Internal DNS queries:
config logexport enable health
Reboots and upgrades of the VA are logged at the syslog server.
Format for VA boot:
Format for VA upgrade:
config logexport enable admin
Admin audit log (logins by admin users and config commands run on the VA are logged at the syslog server).
Format for User Login to VA:
Format for Configuration change:
|config logexport enable all||Enables logging of internaldns, health and admin logs at the syslog server.|
- To check the status of the log forwarding, use the following command:
config logexport status
To turn off logging, use the following command:
config logexport disable <feature>
The feature parameter can take the value of “internaldns”, “health”, “audit” or “all”.
config logexport disable all
Throughout this section, the terms NIC, network interface, and network adapter are used interchangeably.
The Umbrella VA supports a dual-NIC configuration. This dual-NIC configuration is intended to enable DMZ deployment of a VA for traffic segregation with one network interface being used for outbound communication and the other network interface used for internal communication.
Dual-NIC support has only been qualified on virtual appliances (VA) running on Hyper-V and VMware. There is no change to existing behavior if the VA is deployed with a single NIC. Configuring more than two NICs on the VA is not supported.
Note: IPv6 addresses cannot be configured for network adapters when using the dual-NIC configuration.
- Open your existing VA in your preferred hypervisor’s console or SSH to the VA.
- Run the command
config va show.
Ensure that the IP configured here is the IP that will be used for internal communication. This is the IP that your endpoints will use for DNS resolution.
Tip: Note the MAC address of the existing network adapter before adding a secondary network adapter.
- Shut down the VA and add a second network adapter using your hypervisor console.
This is the network adapter you will be using for your outbound communication. This should be of the same driver type as your primary network adapter.
Note: Some platforms may not permit the addition of a second network adapter after the VA has been created.
- Turn the VA on, enter the Configuration mode from the console or through SSH, and run the command
config va show. This command returns the name of the second adapter.
Note: Adding a second adapter when the VA is powered on may result in the adapter not being detected or the corruption of the existing configuration. The VA needs to be compulsorily shut down before adding the second adapter.
- For the secondary adapter, assign the IP, netmask, and gateway parameters to be used for outbound (Internet) communication. Enter:
config va interface <*interface name*> <*ip address*> <*netmask*> <*gateway*>.
Verify against the MAC address of the respective adapters to ensure that the IP addresses are not misconfigured.
Note: You cannot direct DNS requests to the IP configured on the secondary adapter because incoming DNS traffic will be blocked on this IP.
- Once you have saved changes, enable traffic segregation. Enter:
config va dmz enable
Static routes are configured for the IP on the secondary adapter to all Umbrella destinations required for the proper functioning of the VA. Configuring additional static routes is currently not supported.
You can deploy a new VA with dual-NIC support. The configuration steps are similar to configuring an upgraded VA. You can add the secondary adapter to the VM using the hypervisor console, before powering on the VM. Both adapters should be of the same driver type.
- Enter configuration mode on the VA and retrieve the name of both adapters. Enter:
config va show
- Configure the primary adapter and then the secondary adapter. Enter
config va interface <*interface name*> <*ip address*> <*netmask*> <*gateway*>
Ensure that the primary adapter is configured with the IP that you wish to use for internal communication and that the secondary adapter is configured with the IP to be used for internet-bound communication.
- Once both adapters are configured, enable traffic segregation. Enter:
config va dmz enable
The Umbrella virtual appliance (VA) enables the use of Anycast DNS addressing within an enterprise.
The advantage of using Anycast is that all your endpoints can use the same DNS IP address irrespective of the site to which they belong. Configuring an Anycast IP address on the VA adds resiliency for DNS resolution.
The VA currently supports enabling Anycast using the BGP protocol. This requires support for BGP on the VA’s neighboring router, or any router that is reachable from the VA within 255 hops.
You can configure up to 4 routers running BGP as BGP peers for the VA.
Two VAs in different branches can also be configured with the same Anycast IP address, ensuring resiliency across branches. However, if AD integration is required, these VAs must be in the same Umbrella site, since the AD Connector propagates IP-AD user mappings only to VAs in its Umbrella site.
Only IPv4 addresses can be configured as an Anycast address on the VA.
- Enter the Configuration Mode on the VA.
- Enable Anycast support on the VA. Enter config anycast bgp <options>
Command returns an ASN for the VA.
- enable <anycast_ip> <bgp_info>—Enable the anycast mode
- <anycast_ip>—Anycast IP address
- <bgp_info>—ASN:IPAddress:Hop count of the BGP router to publish. If a hop count is not specified, a default value of 255 is assumed, therefore, the router can be up to 255 hops away.
- add <ASN:Router IP:Hop count>—Use this command to specify an additional router as a BGP peer for the VA. A maximum of 4 peers can be configured.
- delete —Use this command to remove a BGP peer for the VA.
- stats—Show statistics around the Anycast configuration
- summary—Show summarized list of all BGP peers for this VA
- disable—Disable anycast mode
- status—Show status of anycast
- test—test Anycast connectivity
- help—Display this usage information
- enable <anycast_ip> <bgp_info>—Enable the anycast mode
- Validate status. Enter config anycast bgp status
- On the router, add the VA’s ASN from step 2 as the neighbor of the router.
In the following configuration, the VA needs to be configured with Anycast IP 192.168.1.22, the BGP router’s ASN is 7105, and IP address is 10.1.0.1.
Umbrella VAs can be load balanced behind a load balancer that meets the following requirements:
- The load balancer is able to inject the source IP address of the client making the query in the EDNS Client Subnet (ECS) field of the DNS request sent to the VA.
- The DNS response from the virtual appliance routes through the load balancer so the response to the client comes from the address of the load balancer.
This feature has specifically been qualified with the F5 BIGIP-LTM 16.1.1 version, where the F5 can inject the endpoint source IP in DNS requests that it forwards to VAs in the load balancing pool. Refer to F5 documentation on ECS injection in DNS requests when forwarding these requests to a DNS server pool.
The VA will not accept DNS requests with the ECS option from any endpoint by default. To allow the VA to accept DNS requests with the ECS option from load balancers, the load balancer IP has to be added to the VA configuration using the following commands:
- Add a load balancer—
config loadbalancer add <server-ip/prefix>
- Remove a load balancer—
config loadbalancer remove <server-ip/prefix>
Note: A maximum of 8 load balancers can be added to a VA and only a single load balancer can be added or removed at a time.
The config admap command can be used to configure identity association timeouts as well as viewing or clearing the AD Mapping. As this time, it is possible only to clear clear out the mappings of an individual IP address.
config admap view <ip address>
config admap clear <ip address>
config admap set-user-timeout 28800(This would set it for 8hours)
config admap set-host-timeout 28800(This would set it for 8 hours)
config admap show-timeout
Troubleshoot Virtual Appliances > Other Configurations
Updated about 1 month ago