Policy Features

Table of Contents

Policy Conflict Management and Policy Order

  • Identification Profiles, Access Policies, Decryption Policies, and Custom and External URL Categories configured from Umbrella to Secure Web Appliance cannot be edited or deleted.
  • SWA policies or profiles take precedence over the policies translated from Umbrella.
  • The sequence of the policy rules in Umbrella will be retained during policy translation to SWA.

Note: You can edit or delete Umbrella pushed policies after disabling the hybrid policy option under Network > Umbrella Settings in Secure Web Appliance.

Block Page Management

Translate Umbrella’s Block Page Appearances associated with the first ruleset to End-User Notification (Security Services > End-User Notification) in Secure Web Appliance.

Note : Changes in the selected Block Page of the first ruleset are pushed to Secure Web Appliance every 3 hours.

  1. To translate the Block Page settings, navigate to Policies > Policy Components > Block Page Appearance.
  1. Configure the Block Page.
  2. Select the Block Page under Ruleset settings.

Cisco Umbrella Seamless ID

The Cisco Umbrella Seamless ID enables the appliance to pass the user identification information to the Cisco Umbrella Secure Web Gateway (SWG) after successful authentication. Umbrella SWG checks the user information in the Active Directory based on the authenticated identification information received from the Secure Web Appliance. Umbrella SWG considers the user as authenticated and provides access to the user based on the defined security policies.

The Secure Web Appliance passes the user identification information to the Cisco Umbrella SWG using the HTTP headers; X-USWG-PKH, X-USWG-SK, and X-USWG-Data.


  • Umbrella Seamless ID headers overwrite the headers with the same names on the Secure Web Appliance if any.
  • Umbrella Seamless ID feature supports an authentication scheme with Active Directory only. This feature does not support LDAP, Cisco Identity Services Engine (ISE), and Cisco Context Directory Agent (CDA).
  • The Cisco Umbrella SWG does not support FTP and SOCKS traffic.

For more instructions, refer to:
Configure Cisco Umbrella Seamless ID.
Configure Routing Destination for Cisco Umbrella SWG.

Configure Web Policies and Destination Lists < Policy Features > Limitations and Range Limits