Manage Tunnels

Umbrella integrates with network devices that forward traffic from IPsec tunnels to the Umbrella data centers (the tunnel headend IP addresses) and connect to the Umbrella Cloud-Delivered Firewall (CDFW) and Secure Web Gateway (SWG). Umbrella can manage tunnels established by supported devices, and observe and protect IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) traffic sent to Umbrella.

To monitor and secure IPsec tunnel traffic in Umbrella, add a network tunnel identity providing an ID for the tunnel, a pre-shared key (PSK), and tunnel IP addresses. Then, set up and deploy the tunnel in the network device. Once traffic flows from the tunnel to Umbrella, you can view the traffic in your organization's logs and the Umbrella Activity Search report. Add the network tunnel identity to an Umbrella Web and Firewall (CDFW) policy rule to further apply controls to the monitored tunnel traffic.

Check Device Compatibility

  • Before you add a network tunnel identity to Umbrella, check that your device can create a compatible IPsec tunnel. For more information, see Check Device Compatibility.

Add Network Tunnel Identity

  • Add a network tunnel identity to Umbrella to monitor the traffic sent from a tunnel. For more information, see Add Network Tunnel Identity.

Network Tunnel Configuration

  • Before you configure a network tunnel in a device, view the IPsec tunnel parameters supported by Umbrella. For more information, see Supported IPsec Parameters.
  • When you set up a network tunnel, configure the tunnel with an Umbrella headend data center to connect the network tunnel to Umbrella. For more information, see Connect to Cisco Umbrella Through Tunnel.
  • Umbrella provides various instructions to set up a tunnel in a network device. For more information, see Network Tunnel Configuration.

Add Tunnel Identity to Umbrella Policies

You manage a network tunnel identity through the Umbrella Web and Firewall policies. The firewall policy only configures criteria for traffic sent from a network tunnel. To monitor web traffic through the tunnel, add the network tunnel identity to a Web policy rule.

View Network Tunnel Status and Traffic Logs
