The Umbrella User Guide Developer Hub

Welcome to the Umbrella User Guide developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella User Guide as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Network Tunnel Configuration

You can establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel from any network device and as new tunnels are added, Umbrella-based rules are automatically applied for easy setup and consistent enforcement.

Note: Organizations have a default limit of 50 network tunnels. To increase this limit, contact support or your account manager.

IPsec tunnels created for the cloud-delivered firewall automatically forward traffic on ports 80 and 443 to the Umbrella secure web gateway (SWG). You can use IPSec tunnels for deploying SWG even if you choose not to use the IP/Port/Protocol controls in the CDFW.

RFC 1918

The Umbrella cloud-delivered firewall (CDFW) expects an RFC 1918 IP address as the source IP address for outbound packets. If you use routable IP addresses on your internal network, you must contact Umbrella Support and provide the range of IP addresses that you use. Without this information, Umbrella cannot determine the IP address and may drop packets. For information about address allocation and private networks, see RFC 1918.


  • Umbrella SIG data center (DC) public IP address, to which the tunnel will connect. For the latest Umbrella SIG DC locations and their IPs, see Connect to Cisco Umbrella Through Tunnel.
  • An Umbrella organization ID. See Find Your Organization ID.
  • A router (ISR-G2, ISR4K or CSR, or Cisco ASA) with a security K9 license to establish an IPsec tunnel. Other devices may work but have not been tested.
  • A valid Cisco Umbrella SIG Essentials subscription or a free SIG trial.
  • Allow ports on any upstream device: UDP ports 500 and 4500.

Establishing a Tunnel

With the certificate or passphrase credentials generated in the Umbrella portal, establish an IPsec IKEv2 tunnel to the Umbrella head-end <umbrella_dc_ip> ( <umbrella_dc_ip> represents the public IP address in sample commands). Umbrella recommends setting your MTU size to 1360 to optimize performance.

Throughput and Multiple Tunnels

Each tunnel is limited to approximately 250mbps. To achieve higher throughput, you will need to establish multiple tunnels (by default, organizations are limited to 50 tunnels; to increase this limit, contact support or your account manager). To use multiple tunnels to the best advantage, some means of dividing traffic among tunnels is recommended. These include load balancing with ECMP (Equal-cost multi-path routing) or assigning traffic through policy-based routing. For basic information about ECMP, refer to RFC 2991.

Network Tunnel Identities

A unique set of Network Tunnel credentials must be used for each IPsec tunnel. Two IPsec tunnels cannot connect to the same datacenter with the same credentials. Using unique credentials for every tunnel prevents inadvertent outages should one tunnel get re-routed to a nearby datacenter via anycast failover.

This product is intended to be compatible with many different types of network devices. If you have a device that isn’t listed here, feel free to try it, but we may not be able to provide thorough assistance.

Supported IPSec Parameters < Network Tunnel Configuration > Manual: vEdge

Updated about 12 hours ago

Network Tunnel Configuration

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.