Configure the Secure Web Gateway

You can deploy various Umbrella components—DNS-layer security, cloud-delivered firewall (CDFW), and secure web gateway (SWG)—to secure your DNS and web traffic for your organization. Umbrella DNS-layer security is straightforward to deploy and is effective in protecting your systems. We recommend that you deploy the Umbrella DNS-layer security on all networks to protect users and devices.

When configured together, the CDFW and SWG provide greater visibility into the traffic on your networks and advanced filtering of web destinations. The Umbrella CDFW filters traffic based on a rule action and rule criteria—port, protocol, IP source and destination, and application. You can filter traffic at layer 3 and layer 4 that originates on the internal network but is destined for the internet and block apps at layer 7.

The Umbrella SWG proxies web traffic on various ports over TCP, UDP, and ICMP. If you configure Web security with HTTPS inspection, Umbrella can decrypt and inspect web destinations including applications and selectively control your organization's access to specific types of file.

Table of Contents

Umbrella Intelligent Proxy

The Umbrella intelligent proxy routes web traffic for domains that Umbrella considers neither safe nor malicious. The intelligent proxy also:

  • Only proxies requests on standard web ports: HTTP (80/TCP) and HTTPS (443/TCP).
  • Decrypts and inspects URLs and domains that are unknown to Umbrella or found on our list of uncategorized domains.
  • Filters and blocks specific URLs for unknown or risky domains.
  • Scales its proxying capabilities as the number of destination requests increases.

Configure the intelligent proxy with SSL decryption in your DNS policies. For more information about the intelligent proxy, see Manage the Intelligent Proxy.

Umbrella Secure Web Gateway

The Umbrella SWG flexibly controls and routes web traffic. The SWG can decrypt and inspect traffic for web destinations, including applications accessed by users and devices in your organization. The SWG also:

  • Proxies HTTP and HTTPS traffic on standard and non-standard web ports.
  • Receives traffic filtered by the Umbrella CDFW on specific ports, protocols, and IP addresses.
  • Controls access to certain types of file and manages tenant controls.

Configure the SWG with HTTPS inspection in a Web policy rule. In the Web policy, you can configure the SWG and manage how your organization accesses files and applications. For more information about the Umbrella SWG configuration settings, see Manage the Web Policy.

Web Security Best Practices

We do not recommend that you apply the same deployed identities in both your DNS policies with the intelligent proxy configured and Web policy rules with SWG controls enabled. Choose the type of policy, deployments, and configuration components that best match the identities and traffic in your organization.

The Umbrella intelligent proxy and SWG both provide routing and inspection of web traffic.

Proxy FeatureIntelligent Proxy with SSL DecryptionSecure Web Gateway with HTTPS Inspection
Decrypts and inspects URLs that are filtered by port, protocol, source IP, destination IP, and application.:heavy-check-mark:
Decrypts and inspects URLs for domains that Umbrella neither considers safe nor malicious. For more information, see Talos IP & Domain Reputation Center.:heavy-check-mark:
Proxies traffic on standard web ports (80 and 443).:heavy-check-mark::heavy-check-mark:
Proxies traffic on non-standard web ports.:heavy-check-mark:

Set Up Web Security < Configure the Secure Web Gateway > Uninstalling Umbrella