Limitations and Range Limits
Umbrella sets limitations and range limits by component, data type, user role, or service. These general limitations affect how you configure, deploy, and interact with Umbrella.
Cisco Umbrella SIG packages are subject to an Average Bandwidth of up to 50 kilobits per second (“kbps”) per user, based on a 95th percentile calculation. For more information, see Average Bandwidth.
To determine your current package, navigate to Admin > Licensing. For more information, see Determine Your Current Package.
Table of Contents
- Internet Protocol Versions
- Umbrella Components
- Identity Integrations
- Users and Roles
- Reporting
- Policy Testing
Internet Protocol Versions
Feature | Limit | Description |
---|---|---|
IPv6 |
| Internet Protocol version 6. |
IPv4 | Supported by all services. | Internet Protocol version 4. |
Umbrella Components
Feature | Limit | Description |
---|---|---|
Destination Lists |
| Destination lists may contain fully qualified domain names (FQDN), URLs, or IP addresses. |
| ||
| For more information, see Cisco Umbrella Packages. | |
| For Web policy only. | |
| For DNS policies only. | |
Internal Domains | No more than 2000 internal domains may be deployed. | Internal domain count can be increased upon request. |
Internal Networks | No more than 5000 internal networks may be deployed. | |
External Domains/IPs | No more than 5000 external domains or IPs can be deployed. | |
Roaming Computers |
| |
Cloud delivered firewall (CDFW) |
| |
Source Traffic IP Range | Up to 100 Client Reachable Prefixes (CIDRs) for non-RFC-1918 source traffic can be added per tunnel. | Packets in IPsec tunnels must originate from an RFC-1918 IP address and be destined for a public IP address. Otherwise, packets are dropped. Client Reachable Prefixes overrides this behavior. |
IPsec Tunnel Quantity | 50 IPsec tunnels per organization. | Higher tunnel quantities are available by request, subject to approval. |
IPsec Tunnel Performance | 250 Mbps download, 80 Mbps upload, and 50,000 combined packets per second. | Based on GCM encryption with 900 byte average package size. |
Intelligent Proxy | Umbrella Intelligent Proxy does not proxy web requests on non-standard ports. | |
WebSockets and HTTP PATCH | For WebSockets or HTTP PATCH requests, the Umbrella secure web gateway does not perform file inspection. | Umbrella secure web gateway processes WebSockets and HTTP PATCH traffic, applies security categories, and creates destination lists. |
Logging | With default logging enabled, Umbrella logs all destination requests for an identity. | |
File Transfer | The maximum file size that the secure web gateway (SWG) can upload is 20 GB. | |
File Download | The maximum file size that can be downloaded is 5 GB. | If you want to download the file having more than 5 GB size, then reach to administrator who can create a rule to Allow the specific file download URL. The rule must be above the Isolate rule in the ruleset. This allows the file to be downloaded and scanned by the file scanner. |
Block Page Bypass | You cannot use the Block Page Bypass feature with a redirected block page. | If configured, Umbrella uses the default appearance of the block page. |
Single Sign On |
| You must use Block Page Bypass codes. |
Customer CA Signed Root Certificate | 6 certificates per organization. | |
File Scanning (Antivirus, Threat Grid, and AMP) |
| |
Selective Decryption List |
| For more information, see Manage Selective Decryption. |
Identity Integrations
Feature | Limit | Description |
---|---|---|
User Import |
| |
Group Import |
|
Users and Roles
User Role | Limit | Description |
---|---|---|
Block Page Bypass |
| Grants a user the ability to bypass pages that are otherwise blocked by Umbrella policies. |
Investigate Only | Access to Umbrella Investigate only. | |
Read Only | A Read Only user can only view pages and reports. Functionality, including buttons, may not be displayed or available. A user can access Investigate (if applicable), but not create/delete API tokens. | Grants limited access to the Umbrella dashboard. |
Reporting Only | A Reporting Only user can only view and run reports. | |
Full Administrator |
| |
De-Identification of User |
| Hide identity names when generating a report. |
Reporting
Feature | Limit | Description |
---|---|---|
Umbrella Reports:
| Data available for one calendar year. | Data retention. |
| Data retained for 30 days. Up to 10K events displayed. For organizations with above average volumes of data, Umbrella may be unable to display the Activity Search report within a timeout period of 50 seconds. In such instances, organizations can retrieve their data from an Amazon S3 bucket (Cisco-managed or owned by the organization) or the Umbrella Reporting API. | Data retention, display limits. |
| Data retained for 30 days. | Data retention. |
| Data retained for one calendar year. | Data retention. |
| Data retained for one calendar year. You can access data in 90-day increments. | Data retention. |
| Data retention not supported. | Data retention. |
Scheduled Report (email attachment) | Accepts up to 10,000 rows of data. | |
Exported Report (CSV export) | Exports no more than 1,000,000 rows of data. |
Policy Testing
The Umbrella Policy Tester helps you evaluate your configured DNS policies. For more information, see Test a DNS Policy.
Feature | Limit | Description |
---|---|---|
Umbrella Policy Tester |
| Evaluates configured DNS policies (identities and destinations). |
|
Policy Features < Limitations and Range Limits > Data Retention
Updated 5 months ago