The Umbrella User Guide Developer Hub

Welcome to the Umbrella User Guide developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella User Guide as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Sites and Internal Networks

In the context of virtual appliances (VAs), Umbrella sites represent the physical location of your network, and specifically the internet egress point—the DNS egress point.

Each egress requires separate VAs. For more information, see Deploy Virtual Appliances.

Having separate Umbrella sites is important for identifying the physical location of the VAs, the association of network traffic, and logical automatic updating of the VAs.

Table of Contents

Before You Begin

If you intend to implement Active Directory integration, in addition to Umbrella virtual appliances (VAs), see Connect Multiple Active Directory Domains to Umbrella. Use cases and guidelines differ slightly.

Sites and VAs are only required for DNS-based deployments. When using an Umbrella Cloud-Delivered Firewall (CDFW) deployment alone, sites and VAs are not required.

Manage Umbrella Sites

If you are deploying VAs at multiple locations and if the internal IP space of each site location overlaps or is shared, you must set up multiple Umbrella sites. For each office with VAs, a separate Umbrella site can be added to group VAs together with a label. Note that you must do this when the IP space overlaps.

  1. Navigate to Deployments > Configuration > Sites and Active Directory.
  1. Hover over a Site and then click the Edit icon. The Site modal appears.
  1. From the Site pulldown menu, choose a site, and click Save.

Internal Networks

The IP address is utilized in Umbrella reports and analytics, and is used when creating policies for security and category filtering. For more information about policies, see Manage DNS Policies and Manage the Web Policy.

Internal Network Associations

Each Internal Network must be associated with either a Site, Network, or Network Tunnel depending on your Umbrella deployment method.


For use with Umbrella Virtual Appliances to identify DNS traffic based on the internal source IP.


For use with Umbrella Secure Web Gateway to identify web requests based on the internal source IP. Requires a proxy chaining configuration with X-Forwarded-For headers enabled. See the Manage Proxy Chaining documentation for more information.

Network Tunnel

For use with Umbrella Secure Web Gateway features to identify web traffic based on the internal source IP. Requires a Network Tunnel (IPSec) connection to Umbrella. See the Network Tunnel Configuration documentation for more information.

Manage Internal Networks

Adding an IP address or range of IP addresses to Umbrella creates a new "Identity" from which traffic can be identified and filtered.

  1. Navigate to Deployments > Configuration > Internal Networks and click Add.
  1. Enter a Name for the internal network and an IPv4 Address or address range.
  1. Select Site, Network, or Network Tunnel for Internal Network Association.
  1. From the dropdown menu, choose a site, network, or network tunnel to associate with this internal network.
    Note: If you are associating an internal network with a network tunnel, you can choose a specific network tunnel or associate it with all of your tunnels.
  1. If you have endpoints with IPv6 addresses in a site, you can add them to the network. Select This network has an IPv6 address and enter the IPv6 address for the network.
    Note: Umbrella does not support IPv6 addresses for networks or network tunnels associated with Internal Networks.
    Note: Umbrella supports only dual-stack networks. An IPv6 network must co-exist with an IPv4 network, and you cannot create an IPv6-only network.
  1. Click Save.

Reroute DNS < Sites and Internal Networks > Update Virtual Appliances

Updated 19 days ago

Sites and Internal Networks

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.