Umbrella Integration with Secure Web Appliance

About Secure Web Appliance (SWA)

The Cisco Secure Web Appliance (SWA) intercepts and monitors Internet traffic and applies policies to help keep your internal network secure from malware, sensitive data loss, productivity loss, and other Internet-based threats. The integration of Cisco Umbrella SWG and Secure Web Appliance (SWA) facilitates the deployment of common web policies between the two products. For more information, see Cisco Secure Web Appliance.

Table of contents

Integrate Umbrella with Secure Web Appliance (SWA)

  1. Ensure that the prerequisites are met on Umbrella.
  2. Generate an API key and Key secret on Umbrella.
  3. Complete the registration on Secure Web Appliance.
  4. Confirm the registration on Umbrella.


In Secure Web Appliance:

  • For a successful connection to Umbrella, update the Cert bundle to the latest version.
  • To configure the translated policy from Umbrella, update the Content Categories to the latest version
  • Manually enable the HTTPS Proxy in Secure Web Appliance if HTTPS Inspection is enabled in Umbrella Ruleset.
  • If AD is integrated with Umbrella, configure the same Active Directory (AD) realm in Secure Web Appliance. Cisco recommends that you maintain the health of the AD Connector and Domain Controller.


  1. Policy translation is triggered in the following scenarios:
  1. Ruleset name change.
  2. Name change in the Destination list selected in Rule.
  3. Name change of selective decryption list selected in HTTPs inspection.
  4. Adding/removing categories in the selective decryption list of HTTPs inspection.
  5. Selective decryption list consisting of only categories is selected in HTTPs inspection.
  6. Adding/removing AD User or Groups in Ruleset and Rules.
  7. Integrating/removing AD in the Umbrella dashboard.
  1. If Ruleset Identities are the same in multiple rulesets, then consistent HTTPs inspection settings translation are triggered only for the Ruleset with the highest priority of the same identity.

  2. Format for 'End-User Notification Pages → Notification Type: Redirect to Custom URL' text box selected under page Security Services → End-user Notification support only well-formed hostname or IPv4 address. If we push other format URL configured in the Block Page of Umbrella to SWA, the policy push fails with the below error message alert: An http/https URL must consist of a well-formed hostname or IPv4 address, may optionally include a port, but may not contain a query string ('?...').'.", 'code': '400', 'explanation': '400 = Bad request syntax or unsupported method.

  3. If AD Groups are selected in Rulesets and Rules are not matching, the access policy is not created for that rule.

  4. Categories and Domains selected in Selective Decryption List are set to Passthrough for Umbrella pushed decryption policies in SWA. No access policy is applied to the pre-defined and custom URL categories in SWA. But in Umbrella, Rules are applied to the same configuration.

  5. If Microsoft 365 compatibility is enabled in Umbrella, it is set to Passthrough for Umbrella pushed decryption policies in SWA. So all categories of Microsoft 365 endpoints get passthrough.

  6. If Trusted AD is not configured in WSA and group is selected for that AD in Umbrella, an error message to configure AD is displayed on SWA.

Add an API Key and Key Secret

The Umbrella API enables you to manage and protect your networks, tunnels, network entities, and users. You can manage access to destinations, and view and update policies. You can create and manage various types of API keys in Umbrella. Use your API key credentials to authenticate requests to the Umbrella API, the legacy Umbrella API, the Umbrella KeyAdmin API, and the Umbrella Identity Provider API.

Note: While generating the API Key and Key Secret, ensure that you select Key Scope as Auth and Registered Appliances as Deployments.


Register Secure Web Appliance with Umbrella

In Umbrella, successfully registered devices are displayed at Deployments > Core Identities > Registered Appliances.


You can now configure SWA policies using Umbrella services.

Uninstalling Umbrella < Umbrella Integration with Secure Web Appliance > Configure Web Policies and Destination Lists