Limitations and Range Limits

Umbrella sets limitations and range limits by component, data type, user role, or service. These general limitations affect how you configure, deploy, and interact with Umbrella.


Cisco Umbrella SIG packages are subject to an Average Bandwidth of up to 50 kilobits per second (“kbps”) per user, based on a 95th percentile calculation. For more information, see Average Bandwidth.

To determine your current package, navigate to Admin > Licensing. For more information, see Determine Your Current Package.

Table of Contents

Internet Protocol Versions





  • Supported by DNS layer security.
  • Not supported by secure web gateway (SWG) and cloud delivered firewall (CDFW).
  • Not supported with dynamic IP addresses.
  • Not supported by virtual appliances when configured as an anycast address.
Internet Protocol version 6.
IPv4Supported by all services.Internet Protocol version 4.

Umbrella Components




Destination Lists

  • A destination list is not active until you set a policy for the destination list.
  • A destination list does not support regular expressions in URL paths.

Destination lists may contain fully qualified domain names (FQDN), URLs, or IP addresses.

  • A destination list comment string must be no longer than 256 characters.
  • A destination list may contain URLs or IP addresses. Depends on the Umbrella package type and destination list type (Allow or Block).

For more information, see Cisco Umbrella Packages.

  • A Web destination list has a maximum limit of 5,000 destinations.

For Web policy only.

  • A DNS destination list has no maximum limit; however, 5,000 entries per list is recommended.

For DNS policies only.

Internal Domains

No more than 2000 internal domains may be deployed.

Internal domain count can be increased upon request.

Internal Networks

No more than 5000 internal domains may be deployed.

External Domains/IPs

No more than 5000 external domains or IPs can be deployed.

Roaming Computers

  • Tags are only available for DNS policies.
  • You cannot apply a tag to a roaming client when installing the roaming client.
  • You cannot delete a tag. Instead, remove the tag from a roaming computer.
  • Tags must be less than 40 characters.
  • Tags are only available for roaming computer identities.

Cloud delivered firewall (CDFW)

  • Packets must originate from an RFC1918 IP address and be destined for a public IP address. Otherwise, packets are dropped.
  • If packets are sourced from non-RFC1918 IP addresses, use the Traffic Selector feature in the tunnel setup.
  • The default number of firewall rules which you can add to a firewall policy is 1000. Contact Umbrella Support to increase the default number of rules in your firewall policy.

Source Traffic IP Range

Up to 100 Client Reachable Prefixes (CIDRs) for non-RFC-1918 source traffic can be added per tunnel.

Packets in IPsec tunnels must originate from an RFC-1918 IP address and be destined for a public IP address. Otherwise, packets are dropped. Client Reachable Prefixes overrides this behavior.

IPsec Tunnel Quantity

50 IPsec tunnels per organization.

Higher tunnel quantities are available by request, subject to approval.

IPsec Tunnel Performance

250 Mbps download, 80 Mbps upload, and 50,000 combined packets per second.

Based on GCM encryption with 900 byte average package size.

Intelligent Proxy

Umbrella Intelligent Proxy does not proxy web requests on non-standard ports.

WebSockets and HTTP PATCH

For WebSockets or HTTP PATCH requests, the Umbrella secure web gateway does not perform file inspection.

Umbrella secure web gateway processes WebSockets and HTTP PATCH traffic, applies security categories, and creates destination lists.


With default logging enabled, Umbrella logs all destination requests for an identity.

File Transfer

The maximum file size that the secure web gateway (SWG) can upload is 20 GB.

File Download

The maximum file size that can be downloaded is 5 GB.

If you want to download the file having more than 5 GB size, then reach to administrator who can create a rule to Allow the specific file download URL. The rule must be above the Isolate rule in the ruleset. This allows the file to be downloaded and scanned by the file scanner.

Block Page Bypass

You cannot use the Block Page Bypass feature with a redirected block page.

If configured, Umbrella uses the default appearance of the block page.

Single Sign On

  • Umbrella only integrates single sign on (SSO) to the dashboard.
  • Single sign on (SSO) is not tied to the authorization for a user's access level within the Umbrella dashboard, such as whether the user is an Administrator or a Read-Only user.

You must use Block Page Bypass codes.

Customer CA Signed Root Certificate

6 certificates per organization.

File Scanning (Antivirus, Threat Grid, and AMP)

  • A file must be less than 50 MB.
  • Compressed file scanning supports no more than 16 levels of recursion.
  • AMP: The system computes only the archive hash, not hashes for files inside archives.

Selective Decryption List

  • Accepts no more than 2000 destinations
  • DNS policy—selective decryption list may only contain content categories
  • Web policy—selective decryption list may contain domains, web applications, or content categories
For more information, see Manage Selective Decryption.

Identity Integrations




User Import

  • Active Directory (AD), Azure AD, and Okta—imports no more than one million users.
  • Manual import—imports no more than 4000 rows in a CSV file.
  • Google Workspace (G Suite)—imports no more than 250,000 users.

Group Import

  • Azure AD, Duo Security, Okta, OpenAM, and PingID—imports 200 groups. Contact Support to increase the number of groups which you can import (no more than 3000 groups).
  • Active Directory (AD)—imports 3000 groups. We recommend that you use the selective sync functionality on the Umbrella AD Connector to restrict the number of groups imported.
  • Google Workspace (G Suite)—imports 5000 organization units (OUs) from G Suite. Google Groups are not supported.

Users and Roles

User Role



Block Page Bypass

  • Block Page Bypass users do not have access to Umbrella Investigate.
  • Does not allow a user to edit policies or view reports. Umbrella limits access to the dashboard.
  • If SAML is enabled, Block Page Bypass is not available.

Grants a user the ability to bypass pages that are otherwise blocked by Umbrella policies.

Investigate Only

Access to Umbrella Investigate only.

Read Only

A Read Only user can only view pages and reports. Functionality, including buttons, may not be displayed or available. A user can access Investigate (if applicable), but not create/delete API tokens.

Grants limited access to the Umbrella dashboard.

Reporting Only

A Reporting Only user can only view and run reports.

Full Administrator

  • Create and assign user roles.
  • Create and delete Investigate API tokens.

De-Identification of User

  • At least two administrators are required to use this feature in the dashboard and any administrator can turn it on or off for another account.
  • Users with this role cannot schedule and export reports.
  • No access to the Application Discovery report.
  • Users with this role cannot search by an Active Directory username, roaming computer name, or internal IP name. However, they can click the hash name to view the identity's details or the Top Identities report.
  • No access to API key management and creation.
  • No access to Cisco or self-managed S3 Logs.
Hide identity names when generating a report.





Umbrella Reports:

  • Total Requests
  • Top Destinations
  • Top Categories
  • Top Identities

Data available for one calendar year.

Data retention.

  • Activity Search

Data retained for 30 days.

Up to 10K events displayed.

For organizations with above average volumes of data, Umbrella may be unable to display the Activity Search report within a timeout period of 50 seconds. In such instances, organizations can retrieve their data from an Amazon S3 bucket (Cisco-managed or owned by the organization) or the Umbrella Reporting API.

Data retention, display limits.

  • Security Activity

Data retained for 30 days.

Data retention

  • Activity Volume

Data retained for one calendar year.

Data retention.

  • Admin Audit Log
Data retained for one calendar year. You can access data in 90-day increments.Data retention.
Scheduled Report (email attachment)Accepts up to 10,000 rows of data.
Exported Report (CSV export)Exports no more than 1,000,000 rows of data.

Policy Testing

The Umbrella Policy Tester helps you evaluate your configured DNS policies. For more information, see Test a DNS Policy.




Umbrella Policy Tester

  • Supported by DNS security layer.
  • Evaluates domains. Does not test IP addresses, URLs, or CIDR ranges.

Evaluates configured DNS policies (identities and destinations).

  • Displays up to 20 records for each query.

Policy Features < Limitations and Range Limits > Data Retention