Hybrid Reporting

Table of contents


  • For a successful connection to Umbrella, update the Cert bundle to the latest version.
  • To configure the translated policy from Umbrella, update the Content Categories to the latest version
  • Manually enable the HTTPS Proxy in SWA, if HTTPS Inspection is enabled in Umbrella Ruleset.
  • If an Active Directory (AD) is integrated with Umbrella, configure the same AD realm in SWA. Cisco recommends that you have a healthy AD Connector and Domain Controller.
  • In SWA, enable Application Discovery and Control (ADC) under Security Services > Acceptable Use Controls for translation of the application settings selected in Umbrella rules.
  • In Umbrella, ensure that a minimum of one internal network is associated with the public network or AD integrated with Umbrella.

Known Limitations

  1. AD user mapping to Umbrella OriginID may not be possible if:
    1. The new AD user is not explicitly configured in Umbrella policy after the last Policy Push.
    2. AD user mapping is not yet available in UPN DB while UPN DB population is in progress. The AD user mapping being available in the UPN DB depends on the number of users in the umbrella org. For example, 10000 users would need approximately 30 seconds to populate.
    3. The AD user name contains parenthesis such as John(), John()Myers, and ()John Myers. In such cases, the actual user may not be displayed in the dashboard.
      These events are marked with the subject SWA OriginID.
  2. Filtering Support
    1. Only external IP addresses are supported by SWA-based filtering.
    2. SWAs from the same Org (different locations) having the same management IP address will result in combined reporting data.
    3. For LDAP/ISE/Guest-based identities, SWA does not support AD user-based identities.
  3. In some cases, the system may see duplicates or lost reporting entries.

Known Behavior

  • The hybrid reporting feature of SWA can be enabled only if a hybrid policy is enabled.
  • The SWA sends the reporting data from policies configured by Umbrella, to the Umbrella dashboard.
  • Approximately 25% of the local disk space used for reporting, is used to store hybrid reporting data, which is then pushed to Umbrella.
  • When SWA does not push the reporting data to Umbrella, it locally stores only the reporting data that would be needed later for debugging.
  • An SWA continues to send reporting data evaluated by Umbrella policies, even after selective policy push is disabled for that SWA. The Umbrella policy reporting dashboard may display deleted rules for those records if the rule has been deleted from the Umbrella policy.

Add an API Key and Key Secret

The Umbrella API enables you to manage and protect your networks, tunnels, network entities, and users. You can manage access to destinations, and view and update policies. You can create and manage various types of API keys in Umbrella. Use your API key credentials to authenticate requests to the Umbrella API, the legacy Umbrella API, the Umbrella KeyAdmin API, and the Umbrella Identity Provider API.

Note: While generating the API Key and Key Secret, ensure that you select Key Scope as Auth and Registered Appliances as Deployments.


Registered Appliances

In Umbrella, registered devices are displayed at Deployments > Core Identities > Registered Appliances. You can configure SWA policies using Umbrella services.

  • Name: Name of the SWA.

  • Hybrid Reporting:

    • Active: Logs related to policies pushed by Umbrella to SWA are sent to Umbrella.
    • Offline: Logs related to policies pushed by Umbrella to SWA are not sent to Umbrella.
  • Hybrid Policy:

    • Active: Supported Umbrella configurations are pushed to SWA.
    • Offline: Web policies are not pushed to SWA.
  • Policy Sync Status:

    • Never Updated: Umbrella policies have never been pushed to SWA after registration.
    • Success: Umbrella policies are pushed to SWA.



If the Policy Sync Status is Success with a warning icon, hover your mouse over the status to view the error message.

  • Failed: Umbrella policies have not been pushed to SWA because of a failure.



If the Policy Sync Status is Failed, you can view the error message in the UI by hovering your mouse over the Failed status.

  • Policy Sync Time: The time at which the latest policy push sync was done.
  • Version: The Build version of the SWA.
  • Serial Number: Serial number of the SWA
  • Policy Push:
    • Enable: Web policies are pushed to the selected SWAs.
    • Disable: Web policies are not pushed to the selected SWAs.

Secure Web Appliance Data in Umbrella Dashboard

Once you enable the Hybrid Reporting feature in SWA, you can access SWA reporting data in the Umbrella dashboard by navigating to Reporting > Core Reports > Activity Search.

Select Secure Web Appliances in Identity Type.

The management IP of the SWA that is mapped to the External IP Address field, can be used to view transactions from a specific SWA. For more information on applying filters, see Activity Search Report.
Access log fields of the SWA transactions are mapped to the corresponding fields in the Umbrella dashboard and they can be viewed in the Events Details section.

Hybrid Policy < Hybrid Reporting > Configure Web Policies and Destination Lists