
DNS Protection Status

After you deploy the Umbrella module in the installed Cisco Secure Client, IPv4 and IPv6 DNS protection status changes appear in the Cisco Secure Client endpoint. If you do not see DNS protection status, the Umbrella module is installed, but your organization's Umbrella profile (OrgInfo.json) is not deployed. For more information, see Install Umbrella Profile.

Prerequisites

  • Administrative privileges on the user device.

Procedure

View status information in the Cisco Secure Client Umbrella module on the user device.

  1. Open the Cisco Secure Client.
  2. Click the chart icon at bottom left to open the Statistics menu.
  3. Navigate to Umbrella to see DNS and IP security information.

For more information, see Roaming Computer Settings and the Umbrella Roaming Security chapter of the Cisco Secure Client (including AnyConnect) Administrator Guide, Release 5.1.

DNS Protection Status Descriptions

Status: Reserved
Description: Checking Connection Status.

No active network connections. The Umbrella module waits for an active network connection.
Condition: This operating state occurs during the following conditions:

- When the module is first activated.
- When a network interface change occurs. For example, detection of a new network adapter, IP changes on an existing adapter, or a new VPN tunnel being established or torn down.

Status: Open
Description: You are not currently protected by Umbrella.

There is at least one active network connection; however, the Roaming Security agent cannot connect to the Umbrella resolvers over port 53/UDP or 443/UDP on any active connection.

The user is not protected by Umbrella and traffic events are not reported to Umbrella. The system’s DNS settings revert to their original settings—DHCP or Static.
Condition: This operating state occurs during the following conditions:

- No UDP port 443 or UDP port 53 connectivity to Umbrella resolvers (IPv4 or IPv6).
- The VPN tunnel may temporarily be in a state of tear down or establishment.

Status: Protected
Description: You are protected by Umbrella.

A network connection is active, and the Umbrella module is able to connect to Umbrella resolvers over port 53/UDP, but not 443/UDP.

The user is protected by Umbrella and traffic events are reported to Umbrella, but the connection is not encrypted.
Condition: This state may occur when the module is first activated or when there is a network interface change.

Status: Encrypted
Description: You are protected by Umbrella.

The Umbrella module has established a connection to Umbrella resolvers over port 443/UDP.

The user is protected by Umbrella and traffic events are reported to Umbrella.

The DNS queries are encrypted. Internal Domains are forwarded to DHCP-delegated or statically-set DNS servers and are therefore not encrypted.
Condition: This operating state occurs during the following conditions. Note: TCP is only used when UDP responses are truncated.

- UDP port 443 connectivity to Umbrella resolvers (IPv4 or IPv6).
- TCP port 443 and TCP port 53 connectivity to Umbrella resolvers (IPv4 or IPv6).

Status: VPN Trusted Network State
Description: Disabled while you are on a trusted network.

The Umbrella module DNS protection is not active because the current endpoint network is configured as a Cisco Secure Client VPN trusted network.
Condition: This operating state occurs during the following conditions. Note: This setting is true for all roaming package customers and cannot be changed by the administrator.

- AnyConnect VPN module is reporting the Trusted Network Detection state as trusted.
- AnyConnect VPN tunnel is either not connected or established in full tunnel mode.
- The Umbrella dashboard is configured to disable the Umbrella module when the device is on a protected network. For more information, see Protected Network Detection under Roaming Computer Settings: Backoff Settings.

Status: Disabled due to Full Tunnel VPN
Description: Disabled while your VPN is active.

The Umbrella module DNS protection is not active because the endpoint currently has an active Cisco Secure Client VPN established in full tunnel mode.
Condition: This operating state occurs during the following conditions.

- Cisco Secure Client VPN module is reporting the Trusted Network Detection state as not trusted.
- Cisco Secure Client VPN tunnel is established in full tunnel mode. Policy rule configured with Umbrella requires that the Umbrella module is disabled when a Cisco Secure Client VPN tunnel is established and active. Note: This setting is true for all Umbrella module configurations and cannot be changed by the administrator.

Status: No OrgInfo.json State
Description: You are not currently protected by Umbrella.

The Umbrella profile is not deployed. The Umbrella module DNS protection is not active because the endpoint currently has an active AnyConnect VPN tunnel established.
Condition: This operating state occurs when the OrgInfo.json file is not deployed to the correct directory. For more information, see Manual Installation of Cisco Secure Client (Windows and macOS).

Status: Agent Unavailable State
Description: You are not currently protected by Umbrella.

Service unavailable. The Umbrella module DNS protection is not active because the Roaming Security agent is not running.
Condition: This operating state occurs when the Umbrella agent service is not currently running because of a crash or manual service stop.

Status: Missing .NET Dependency State (Windows only)
Description: You are not currently protected by Umbrella.

Microsoft 4.0 NET framework is not installed. Roaming Security module DNS protection is not active because the Roaming Security agent is not running. The .NET runtime framework is missing.
Condition: This operating state occurs when the Umbrella agent service is not running due to a missing .NET 4.0 runtime.

Status: Disabled
Description: An Umbrella administrator disables DNS protection.
Condition: This operating state occurs when the Umbrella administrator disables DNS protection on IPv4, IPv6, or both through the instance of Umbrella.

Status: Disabled (no network)
Description: (IPv6 only) Cisco Secure Client disables DNS protection over IPv6.
Condition: If the Cisco Secure Client Umbrella module detects an IPv6 link-local address while performing an IPv6 connectivity probe, then the client disables DNS protection over IPv6.

Status: Not Required
Description: The client is not attempting coverage in this state, as it is not expected nor required. This state applies individually to IPv4 and to IPv6 on Windows.
Condition: The client was not able to find a suitable local DNS resolver for the IP Protocol, and therefore is disabled awaiting the discovery of a suitable local DNS resolver. This is most common when on a dual stack network, but only IPv4 resolvers are configured.
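
The Open, Protected and Encrypted states depend on which UDP ports reach the Umbrella resolvers. The following Python code is an added example, not Cisco code: it sends one plain DNS query over UDP to a resolver address supplied by the caller and maps the results to the state the descriptions above predict. All function names are hypothetical, and the plain DNS query on port 443 is a reachability test that assumes the resolver answers it; it does not reproduce the module's encrypted exchange.

```python
import socket
import struct
import secrets

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A/IN query (RFC 1035) with the recursion-desired flag."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_matching_response(data: bytes, txid: int) -> bool:
    """Accept only a DNS message with our transaction ID and the QR bit set."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def udp_dns_reachable(host: str, port: int, name: str = "example.com",
                      timeout: float = 2.0) -> bool:
    """True if host:port answers one DNS query over UDP within the timeout."""
    txid = secrets.randbelow(0x10000)
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # only accept replies from this peer
            s.send(build_query(name, txid))
            return is_matching_response(s.recv(4096), txid)
        except OSError:  # timeout, ICMP port unreachable, no route
            return False

def expected_status(udp53: bool, udp443: bool) -> str:
    """Map probe results to the connectivity-driven states described above."""
    if udp443:
        return "Encrypted"   # 443/UDP reachable
    if udp53:
        return "Protected"   # 53/UDP only: queries are not encrypted
    return "Open"            # neither port: DNS reverts to DHCP/static settings

def probe(resolver: str, timeout: float = 2.0) -> str:
    """Probe one resolver address (IPv4 or IPv6 literal) on both ports."""
    return expected_status(udp_dns_reachable(resolver, 53, timeout=timeout),
                           udp_dns_reachable(resolver, 443, timeout=timeout))
```

Call probe() once with an IPv4 resolver address and once with an IPv6 one, since the client reports the two protocols separately. The result covers only the three connectivity-driven states; the VPN, profile, agent and administrator-disabled states are decided by local configuration, not by port reachability.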
