Guides
ProductDeveloperPartnerPersonal
ProductDeveloperPartnerPersonal

Set Up Web Security

Suggest Edits

Umbrella web security provides deep control and visibility for HTTP and HTTPS, while the Umbrella cloud-delivered firewall (CDFW) inspects all ports and protocols. You can deploy Umbrella web security in several different ways. A CDFW deployment requires an IPsec tunnel. Before setting up web security or the cloud-delivered firewall, we recommend that you deploy DNS-layer security for a fast and effective way of protecting all your users and devices.

Umbrella supports various deployment mechanisms for sending traffic to the Umbrella secure web gateway (SWG):

  • Umbrella AnyConnect Roaming Security Module (recommended)
  • IPsec tunnel (recommended)
  • PAC file
  • Proxy chaining

Note: When transitioning from another web proxy and to maintain a similar deployment design, you can use a PAC file or proxy chaining.

Note: The Umbrella cloud-delivered firewall requires an IPsec tunnel.

Table of Contents

Step 1: Add a Network Identity (Optional)

Note: If you have not previously added a Network Identity to Umbrella when setting up the DNS-layer security, you must add one to Umbrella. This action registers a fixed network for PAC file or proxy chaining deployments.

  1. Log into Umbrella.
  2. Add a Network identity.

An identity is an internet entity that Umbrella protects through policies and monitors through reports. For more information, see Add a Network Identity.

Step 2: Set Up an IPsec Tunnel (Recommended)

Note: A CDFW deployment requires an IPsec tunnel. Step 2 is optional for SWG deployments.

You can send traffic to Umbrella through a Network tunnel from an IPsec compatible network device. Umbrella uses the IPsec (Internet Protocol Security) protocol for tunneling traffic and supports IKEv2 (Internet Key Exchange, version 2). For more information, see Supported IPsec Parameters.

The secure web gateway supports policy by source IP address when used with Internal Networks, and by user or group when integrated with your identity provider (IdP) through SAML. For more information about Internal Networks, see Manage Internal Networks.

For more information about network devices and IPsec tunnel setup, see Network Tunnel Configuration.

Data Center Selection
When you deploy an IPsec tunnel, you must choose the primary and secondary data centers. Umbrella implements automatic failover between data centers in a region, and to a regional disaster recovery data center should both data centers in a region become unavailable.

Prerequisites

  • Log into Umbrella.
  • Add a Network tunnel identity.

Set Up a Network Device

  1. Identify the closest IPsec-enabled Umbrella data centers. For more information, see Connect to Cisco Umbrella Through Tunnel.
  2. Configure a network device or router to send traffic through the IPsec tunnel.
  3. Optionally, configure Security Assertion Markup Language (SAML) authentication. For more information, see Configure SAML Integrations.
  4. Optionally, integrate SAML with Active Directory users and groups. For more information, see Active Directory Policy Enforcement and Identities.

With an IPsec tunnel created and a network device or router configured, you can forward internet traffic to the cloud-delivered firewall (CDFW) and secure web gateway (SWG). As you add new tunnels, Umbrella automatically applies enabled firewall and web policy rules.

The Umbrella cloud-delivered firewall (CDFW) filters web traffic using port, protocol, and IP address access control settings. Depending on your subscription, the CDFW can apply layer 7 application controls, and intrusion detection system (IDS) or intrusion prevention system (IPS). You can manage the cloud-delivered firewall through the Umbrella firewall policy. For more information, see Manage the Firewall Policy.

Step 3: Set Up a PAC File, Proxy Chaining, or Roaming Computers

Set Up a PAC File

While on a registered network (added as a Network identity), you can use a PAC file with the Umbrella secure web gateway. The PAC file is only available for the Web policy.

Note: Umbrella does not support off-network PAC files.

A proxy auto-config (PAC) file describes proxy server routing information for the browser. A PAC file is a text file that contains JavaScript. A browser runs the JavaScript in the PAC file to forward destination requests to a proxy. The Umbrella hosted PAC file directs the browser to send internet traffic to the Umbrella secure web gateway. You can customize the Umbrella PAC file to bypass certain traffic from reaching the secure web gateway. For more information, see Customize Umbrella's PAC File.

Data Center Selection
With an Umbrella PAC file deployment, your browser uses anycast routing to choose the best available Umbrella data center.

Prerequisites

  • Log into Umbrella.
  • Network identity added.
  • Web policy ruleset and rules added. Add the Network identity to a Web policy ruleset.

Install and Configure a PAC File

  1. From the Web policy, copy the Umbrella proxy auto-config file URL.
  2. Paste the PAC file URL into your browser's proxy configuration settings.
  3. Configure Security Assertion Markup Language (SAML) authentication. For more information, see Configure SAML Integrations.
  4. Integrate SAML with Active Directory groups and users. For more information, see Active Directory Policy Enforcement and Identities.

For more information about setting up a PAC file, see Manage Umbrella's PAC File.

Note: You can only use a PAC file with fixed networks registered in Umbrella (Network identity). PAC files are not supported for roaming computers, tunnels, or other connection mechanisms.

Set Up Proxy Chaining

If you have an on-premises web proxy, it can forward web traffic to the Umbrella SWG.

Data Center Selection
Using anycast routing, proxy chaining deployments automatically choose the best available Umbrella data center.

Prerequisites

  • Log into Umbrella.
  • Network identity added. The Network identity must match the public IP of your on-premises proxy.
  • Web policy ruleset and rules added. Add the Network identity to a Web policy ruleset.

Configure Proxy Chaining and SAML Authentication

  1. Configure an on-premises proxy to use the settings for one of the anycast routing methods: fully qualified domain name (FQDN) or TCP by IP address. In the on-premises proxy settings, assign the secure web gateway IP address associated with the anycast method. For more information about setting up proxy chaining with Umbrella, see Manage Proxy Chaining.
  2. Configure Security Assertion Markup Language (SAML) authentication. For more information, see Configure SAML Integrations.

Note: Umbrella only supports proxy-chain traffic for Network deployments. You cannot send proxy-chain traffic through IPsec tunnels. Network tunnels do not support features such as X-Forwarded-For (XFF) to HTTP headers. For information on how to configure an X-Forwarded-For (XFF) to HTTP headers, see your proxy documentation.

Set Up AnyConnect Umbrella Roaming Security Module (Recommended)

The Cisco AnyConnect Umbrella Roaming Security Module provides access to the Umbrella DNS-layer security and secure web gateway from any macOS or Windows roaming computer, both on and off network. The AnyConnect Umbrella Roaming Security Agent forwards traffic to Umbrella for enforcement (block domains, malware, phishing) at the DNS layer. The AnyConnect Umbrella Secure Web Gateway Agent forwards web traffic to Umbrella for URL inspection, filtering, and application visibility.

Licensing
Most Umbrella subscriptions include the AnyConnect Umbrella Roaming Security Module. The AnyConnect Umbrella Roaming Security Module does not require the use of a Cisco VPN, and it is highly compatible with third-party VPNs.

Data Center Selection
The AnyConnect Umbrella Roaming Security Module automatically chooses the best available Umbrella data center.

Install and Configure the AnyConnect Roaming Security Module:

  1. Log into Umbrella.
  2. Navigate to Deployments > Core Identities > Roaming Computers.
  3. Download, install and configure the AnyConnect Umbrella Roaming Security Agent and AnyConnect Secure Web Gateway Agent. For more information, see The AnyConnect Plugin: Umbrella Roaming Security.
  4. Add the Roaming Computers identity to a policy.
  5. Configure Users and Groups and the Active Directory connector. For more information, see Active Directory Policy Enforcement and Identities.

Note: Umbrella does not support SAML authentication with the Umbrella AnyConnect Roaming Security Module. The AnyConnect Roaming Security Module passively gathers user and group information from the operating system.

Step 4: Add DNS, Web, and Firewall Policies

Umbrella policies define how security and access controls are applied to identities. Policies determine which traffic is inspected and whether a destination is blocked or allowed.

Core Umbrella policy types:

  • DNS Policy—provides DNS-layer visibility, security, and enforcement with the ability to selectively proxy risky domains for added security.
  • Firewall Policy—provides filtering and forwarding of your web traffic.
  • Web Policy—provides URL-layer visibility, security, and enforcement of your web traffic.

For more information about policies, see Umbrella Policies Overview.

Step 5: Test Your DNS and Web Policies

You can evaluate the configuration of your DNS, Web, and Firewall policies. To get started, run an Umbrella policy tester, load an Umbrella test URL in a browser, or view the reports for the identities.

Test file analysis and inspection:

Test DNS and Web policies:

View Reports and Monitor Your Identities and Traffic
You can view the traffic sent from your identities, audit administrative changes in the system, and monitor potential threats in your networks through the Umbrella Admin Audit Log, Activity Search, and Security Activity reports. For newly added identities, the first report may take up to one hour to appear. After the initial delay, DNS queries appear in reports in a few seconds. For more information, see Get Started with Reports.

Point Your DNS to Cisco Umbrella < Set Up Web Security > Configure the Secure Web Gateway

Updated 5 months ago