
Implementing Umbrella SIG

Eduardo Salazar, Technical Lead
Luis Silva, Customer Success Specialist
Ivan Gonzalez, Senior Service Delivery Manager
29 November 2022
News & Upcoming events

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Meet our Cisco VIPs Part 1: Women who Rock!

We started with 3 outstanding women: Maren Mahoney, Kathy New & Stephanie Knoop.

Check them out: https://bit.ly/women-vip

Become an event Top Contributor!

Participate in Live Interactive Technical Events and much more.

http://bit.ly/EventTopContributors

Rate content at the Cisco Community

Help us to recognize the quality content in the community. Rate documents, videos & blogs! Encourage and acknowledge people who generously share their time and expertise.

Cisco Community Experts

• Eduardo Salazar – Technical Lead
• Luis Silva – Customer Success Specialist
• Ivan Gonzalez – Senior Service Delivery Manager
CCIE #36825, CCIE #61053

Thank You For Joining Us Today!

Download Today's Presentation: https://bit.ly/slidesSIGumbrella
Submit Your Questions Now!

Use the Q&A panel to submit your questions and the panel of experts will respond. They will be answered eventually.

Please take a moment to complete the survey at the end of the event.
Implementing Umbrella SIG
Cisco Community

Eduardo Salazar – Ivan Gonzalez – Luis Silva
November 2022

Agenda
1. SIG Deployment overview
2. Deployment best practices
3. Considerations
4. Troubleshooting
5. Demo
SIG Deployments overview
• Deployment methods for key features

DNS Security: DNS forwarders, Virtual Appliances, Network devices, Anyconnect, Roaming Client
Cloud Delivered Firewall (CDFW): IPSec Tunnel
Secure Web Gateway (SWG): Anyconnect, IPSec Tunnel, PAC File, Proxy Chain

Umbrella Resolvers: 208.67.220.220 – 208.67.222.222
Umbrella Source Outbound IP: 146.112.0.0/16 – 155.190.0.0/16
SIG Deployment – Anyconnect
Identities: UMB Identity, AC RC, AD

• This integration allows AnyConnect to authenticate and redirect web traffic securely in both off-prem and on-prem scenarios.
• SWG is primarily intended for protecting roaming users; however, it can also be used when the device is accessing the Internet from within the company's internal network.

Diagram: the AnyConnect Roaming Client (RC) syncs Org ID, Device Name and Device ID to the Umbrella Cloud; the SWGconfig.json config sync carries Device ID, ORG ID, Exceptions and the UMB Proxy address; DNS and Web (http, https) traffic goes to the Umbrella Cloud.
SIG Deployment – IPSEC Tunnel
Identities: UMB Identity, Internal, SAML

• You can establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel from any network device to enforce CDFW and SWG policies.
• Forward traffic on ports 80 and 443 to Secure Web Gateway (SWG).
• You can define traffic to enforce additional controls with firewall policies at Layer 3/4/7 and IPS.

Example diagram: Data center region code US-1; Umbrella Source IP 146.112.0.0/16 – 155.190.0.0/16. The Branch tunnels to the Primary DC, Los Angeles (146.112.67.8), and the Secondary DC, Santa Clara (146.112.66.8); in case of primary failure, the secondary DC in the same region is used. DR site Dallas TX: automatic dynamic failover, no configuration required.
SIG Deployment – PAC
Identities: UMB Identity, Public IP, SAML

• This deployment option allows browser web traffic to be sent to Umbrella SWG by integrating Proxy Auto-config, so the traffic is inspected before it reaches the destination.
• PAC file downloads and usage are limited to fixed networks registered in Umbrella.

Diagram: Umbrella Proxy IP 146.112.0.0/16 – 155.190.0.0/16; web traffic over TCP 80/443.
SIG Deployment – Proxy Chaining
Identities: UMB Identity, Public IP, Internal, SAML

• Commonly used as a method for migrating existing on-prem proxy solutions.
• Umbrella infrastructure URLs must be bypassed on the on-prem proxy.

Diagram: a WCCP compatible device (Router – ASA) redirects clients in transparent mode, or clients use explicit mode, to the on-prem proxy (Web Security Appliance); the on-prem proxy chains to Cisco Umbrella Secure Web Gateway (FQDN anycast / TCP anycast) for destinations such as Google.com and Facebook.com.
SIG Deployment Types & Traffic Flow Diagram

Redirection methods: IPsec IKEv2 tunnel, AC SWG, PAC file, Proxy Chaining.
Umbrella Cloud DC: NAT, CDFW (L7 & IPS), SWG (HTTP/s, DLP, RBI), out-of-band CASB, cloud malware detection. Egress IP: 146.112.0.0/16 & 155.190.0.0/16.
Traffic flow: non-web traffic not blocked by CDFW rules or IPS (e.g. port 21) goes to Internet/SaaS; web traffic (80 & 443) allowed by CDFW is sent to SWG.
Umbrella Policy Flow: DNS → CDFW → SWG → CASB

• DNS: DNS policies are evaluated first; any traffic allowed is evaluated next*. (*Also applies to traffic where an allow rule is not explicitly configured.)
• CDFW: CDFW evaluates anything not blocked by DNS; IPS inspects all traffic; any 80/443 traffic not blocked is sent to SWG.
• SWG: SWG evaluates 80/443 traffic not blocked by DNS or CDFW.
• CASB: scans data at rest for malware; inspects data for corporate compliance (DLP).
Best Practices - Policies
• It is recommended to set up different rulesets for scenarios where different enforcement is needed based on location, or where different ruleset settings are required, such as:
  • HTTPS inspection
  • Tenant Controls (Microsoft, Google and Slack)
  • File Type Control and File Inspection
  • SAML
  • Logging
• Rulesets / Rules are matched on 3 conditions to define the action:
  • Identities
  • Destinations (Content Categories / Destination list / Applications)
  • Schedule
Best Practices - Policies

Diagram: Rulesets → Rules (OR / AND) → Ruleset Settings.
Best Practices - Policies
• Identities enforced with web policies must be exempt from the Intelligent Proxy in your DNS policies.
• HTTPS inspection
  • It is recommended to enable HTTPS inspection for proper web policy enforcement.
  • Options: Block traffic only / Enable HTTPS inspection
• Selective Decryption list use cases
  • Certificate pinning
  • Exclusion of non-browser apps that use a User-Agent string that looks like a browser, to stop them from triggering SAML
  • Development apps that use a separate certificate store that does not contain the Umbrella certificate
Best Practices - Policies
• Optionally, the Uncategorized category is now available as part of your web policies. This can help as a method to define a restrictive action in your Default policy.
• Warn Page and Remote Browser Isolation may be used if there are any security concerns.

SWG Category Lookup (https://talosintelligence.com/):
1. URL lookup: e.g. example.com/sports → found → Sports
2. If not found, domain lookup: e.g. example.com → found → Online Communities
3. If not found → Uncategorized
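The two policy ideas on these slides, the URL-then-domain-then-Uncategorized category lookup and the three-condition (identity AND destination AND schedule) rule match with a restrictive default, fit in one small model. The following is an added example written for this page, not Cisco's code or the dashboard's algorithm; the category table, identities, rulesets and the first-match ordering of rulesets and rules are all constructed assumptions for the demo.

```python
"""Added example (not Cisco's code): a minimal model of how an SWG web policy
reaches a decision, following the slides' description:
  1. categorise the destination: URL (path) lookup, then domain, else "Uncategorized"
  2. evaluate rulesets in order; inside a ruleset a rule matches only when
     identity AND destination AND schedule all match; first match wins (assumed ordering)
  3. if no rule matches, the ruleset's restrictive default action applies
Category data, identities and rules below are constructed for the demo."""
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

# Constructed stand-in for the category database (Talos provides the real one).
URL_CATEGORIES = {"example.com/sports": "Sports"}
DOMAIN_CATEGORIES = {"example.com": "Online Communities"}

NOON = datetime(2022, 11, 29, 12, 0)      # inside business hours
EVENING = datetime(2022, 11, 29, 20, 0)   # outside business hours


def categorize(url: str) -> str:
    """URL lookup first, then domain lookup, otherwise 'Uncategorized'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    # 1. URL lookup: try the full path, then progressively shorter prefixes.
    while path:
        category = URL_CATEGORIES.get(host + path)
        if category:
            return category
        path = path.rsplit("/", 1)[0]
    # 2. Domain lookup: the host itself, then its parent domains (never the bare TLD).
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = DOMAIN_CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    # 3. Nothing matched: the Uncategorized category lets a policy act on it.
    return "Uncategorized"


@dataclass
class Rule:
    name: str
    action: str                                   # allow / block / warn / isolate
    identities: set = field(default_factory=set)  # empty = any identity of the ruleset
    categories: set = field(default_factory=set)  # empty = any destination
    hours: range = range(0, 24)                   # schedule as an hour-of-day window


@dataclass
class Ruleset:
    name: str
    identities: set
    rules: list
    default_action: str = "block"                 # restrictive default for unmatched traffic


# Constructed policy: one ruleset covering two identities.
RULESETS = [
    Ruleset("Roaming users", {"Sales", "Finance"}, [
        Rule("block-sports-business-hours", "block", categories={"Sports"}, hours=range(9, 17)),
        Rule("warn-uncategorized", "warn", categories={"Uncategorized"}),
        Rule("finance-allow", "allow", identities={"Finance"}),
    ]),
]


def decide(identity: str, url: str, when: datetime, rulesets=RULESETS):
    """Return (action, matched rule name, category) for one web request."""
    category = categorize(url)
    for ruleset in rulesets:                  # first ruleset that covers the identity applies
        if identity not in ruleset.identities:
            continue
        for rule in ruleset.rules:            # all three conditions must hold for a match
            if rule.identities and identity not in rule.identities:
                continue
            if rule.categories and category not in rule.categories:
                continue
            if when.hour not in rule.hours:
                continue
            return rule.action, rule.name, category
        return ruleset.default_action, ruleset.name + ":default", category
    return "block", "no-ruleset", category


if __name__ == "__main__":
    for who, url in [("Sales", "https://example.com/sports/football"),
                     ("Sales", "https://unknown.test/"),
                     ("Finance", "https://example.com/")]:
        print(who, url, "->", decide(who, url, NOON))
```

The point to take from the model is the last line of `decide`: a destination that no rule names lands on the ruleset's default, so a "block" default plus an explicit rule for the Uncategorized category is what turns the lookup fallback into enforceable policy.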
Best Practices - Policies
• O365 compatibility mode
  • This feature aligns with the Microsoft best practice that recommends bypassing SSL inspection and proxy authentication for the Optimize and Allow endpoint categories of the Office 365 URLs and IP address ranges.
  • Removes performance / privacy concerns related to decryption of this traffic.
  • Prevents these domains from triggering SAML authentication, which may help avoid SAML problems for non-browser MS apps.
• Keep in mind that since the O365 endpoints are bypassed, the following Umbrella features will not apply:
  • File Inspection
  • File type control
  • AD user/group rule identities can't be used unless IP surrogate is configured for SAML
Best Practices - Policies
• Protected File Bypass
  • In scenarios where "File Inspection" is enabled, password-protected files will be blocked by the Umbrella policy by default.
  • These files are blocked by Umbrella because they cannot be uncompressed or scanned.
  • Blocked password-protected files will be displayed within the "Protected File" category in the Umbrella reports.
  • There are two options to allow these files:
    • Enable the option in the "global settings"
    • Include the URL/domain in a "Destination list" and enable the "Security Overwrite" action in the rule.
Best Practices - Anyconnect
• During the initial implementation phase, we recommend using the "Selective enablement" feature to control which computers will redirect web traffic using the Roaming Security SWG module.
• Once SWG is enabled globally, this option can be used to disable SWG for specific computers.
• Tags can be used to group the computers where SWG was enabled with this feature.
Best Practices - Anyconnect
• The recommended version for Anyconnect SWG deployments is at least 4.10 MR3.
• Confirm that the updated Umbrella IP ranges are permitted on the network from which the AC SWG connection is established.
• For bandwidth-intensive or IP-restricted critical business apps/sites whose traffic must be excluded from the proxy, you can configure External Domains under Deployment/Domain Management:
  • Internal domains – applies to DNS and SWG
  • External domains – applies to SWG only
  • Bypassing IPs under Domain Management is supported for the AC.
• It is important to understand the SWG module Anyconnect on-prem requirements:
  • Enable the "Trusted Network Detection" feature when the AC is required to move to standby while inside the internal network.
  • Two additional functionalities were added to the "Trusted Network Detection" feature: "VA backoff" and "Trusted Network Domain".
Best Practices - Anyconnect
• Active Directory/Azure AD integration provides user attribution for user and group policy enforcement, and visibility that helps during report investigation and analysis of incidents.
• Configure lockdown mode with the AnyConnect Umbrella deployment to prevent users from changing AC-related services or uninstalling AnyConnect.
Best Practices – Tunnel
• To enable greater throughput, you can bypass the Umbrella infrastructure (146.112.0.0/16 and 155.190.0.0/16) so that web traffic from Network or AnyConnect SWG deployments remains outside the IPSec tunnel.
• For tunnel deployments that require SAML authentication, make sure that the URL gateway.id.swg.umbrella.com (146.112.255.200) is not bypassed from the tunnel.
• Use the recommended/supported VPN security parameters from our official documentation.
Best Practices – Tunnel
• Meraki MX introduced support for the Umbrella SD-WAN Connector to reduce the complexity of configuring tunnels to Umbrella SIG and to provide redundancy for the traffic.
• Automatic failover and better controls to monitor performance/latency of the connection.
Best Practices – Tunnel
• Due to potential rate-limiting issues when using VAs inside the tunnel, it is recommended to steer VA traffic outside the tunnel. VAs do not do DNS caching and send high query volumes.
• CDFW expects a private RFC 1918 address as the source IP for outbound packets. If you use non-RFC 1918 addresses, you can add them under Client Reachable Prefixes when configuring your tunnel. This overrides the default behavior, which allows all traffic destined for RFC 1918 addresses to return through the tunnel.
Best Practices – Tunnel
• ASA version 9.17 and FTD version 7.1 now support IKEv2 FQDN identity, which can be used for the creation of Umbrella SIG tunnels.
• The ASA IPSec profile configuration should include the extra command with the tunnel identity: set ikev2 local-identity email-id xxxxxxx@xxxxxxxxx-xxxxxxx.umbrella.com
• Please refer to the following document to confirm ASA/FTD model compatibility with the latest version: https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#reference_upj_nkl_x4b
• A unique set of network tunnel credentials must be used for each IPsec tunnel. Using unique credentials for every tunnel prevents inadvertent outages should one tunnel get re-routed to a nearby datacenter through anycast failover.
Best Practices – Tunnel
• Exclusion of web traffic from being redirected to Umbrella SWG must be done in the customer's VPN device, using the following recommendations:
  • ISR – ASA: it is recommended to use route-based VPN tunnels and configure exclusions with PBR.
  • Firepower version 6.7+ introduced support for route-based VPN tunnels to configure exclusions with PBR.
  • Meraki MX:
    1. Non-Meraki VPN peer: there is no option to bypass traffic from SIG tunnels.
    2. SD-WAN Connector: applications, domain (SD-WAN license required), destination IP and ports.
  • 3rd party VPN device: depends on the routing and VPN capabilities of the vendor.

Diagram: on/off-network devices behind an SD-WAN edge; the IPsec tunnel to the Umbrella Cloud (Umbrella source IP 146.112.x.x & 155.190.x.x), with excluded traffic going directly to the Internet; example customer source IP 70.149.x.x.
Best Practices – Tunnel
• To provide user attribution you can implement SAML authentication with an Identity Provider. This can be configured on the tunnel identity for all web traffic behind this connection, or applied only to a specific subnet by using the "Internal Network" identity.
• We recommend using IP surrogates when the user's private IP address is visible, your tunnels don't use NAT, or your network incorporates a proxy chain with XFF. If the user's private IP address is shared by multiple users (for example, Citrix or VDI environments), then cookie surrogates are recommended; they can be configured with the Internal Network Bypass feature.
• If your organization has overlapping IP addresses at different branch locations, you must create additional Umbrella Sites and map the tunnels to their respective Sites.
Best Practices – AD connector
• Configure Selective Sync to specify the AD groups of interest for the purpose of policy creation in Umbrella:
  • Create a CiscoUmbrellaADGroups.dat file in the C:\ drive.
  • List the AD groups that need to be synchronized in distinguished name (DN) format in this file.
• You can add Active Directory groups to the exception list, which makes the AD connector ignore login events generated by all users and computers belonging to the specified group and any sub-groups, and excludes them from the AD mappings.
Best Practice – Azure AD and Okta provisioning
• Pre-provisioning of users and groups from Azure AD over SCIM without requiring an AD Connector.
• These identities can then be used with AnyConnect/ERC (DNS/SWG) and SAML (SWG) deployments.
• This is for SAML and AnyConnect deployments and does not support VA deployments.
Considerations - Anyconnect
• Due to known issues in previous versions, we do not recommend deploying SWG on old versions that are no longer available on Cisco.com.
• To resolve Captive Portal SWG compatibility, it is recommended to upgrade Anyconnect to version 4.10 MR5 (4.10.05095).
• Changes to Domain management/External Domains do not apply in scenarios with the AC behind the tunnel.
• For deployments using a combination of Umbrella PAC files and AC SWG on-network, it is important to consider that the Umbrella PAC file will take precedence for redirecting browser traffic. PAC file identities will be used to match policies and for reporting.
Considerations - Tunnels
• Certain devices (3rd party, and Cisco devices such as ASA with a version older than 9.17 or FTD running a version below 7.1) will use the public IP address (not NATed) as the IKE ID for authentication. Currently it is only possible to set up a tunnel with the same egress IP as IKE ID to a CDFW Data Center Region.
• The throughput / bandwidth limit per tunnel is currently 250 Mbps. You can increase throughput by deploying more IPSEC tunnels to different CDFW Data Center Regions.
• SIG subscriptions are fixed at 50 tunnels total per ORG ID. For deployments that require more, open a support/engineering ticket to increase the number.
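The tunnel rules spread over the preceding slides (unique credentials per tunnel, RFC 1918 sources or Client Reachable Prefixes, separate Sites for overlapping branch prefixes, keeping gateway.id.swg.umbrella.com inside a SAML tunnel, 250 Mbps per tunnel and 50 tunnels per org) can be checked before anything is configured. The following is an added example written for this page, not a Cisco tool; the tunnel plan, its field names and the identity strings are constructed placeholders.

```python
"""Added example (not a Cisco tool): a pre-deployment check for a planned set of
SIG IPsec tunnels, encoding the rules stated on the tunnel slides:
  - credentials (the IKEv2 identity/PSK pair) must be unique per tunnel
  - CDFW expects RFC 1918 sources; other sources need Client Reachable Prefixes
  - branches at different locations with overlapping prefixes need separate Umbrella Sites
  - a SAML tunnel must not bypass the SAML gateway 146.112.255.200
  - each tunnel carries at most 250 Mbps and an org is limited to 50 tunnels
The plan below and its field names are this example's own, constructed for the demo."""
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAML_GATEWAY = ipaddress.ip_address("146.112.255.200")   # gateway.id.swg.umbrella.com
MAX_TUNNELS_PER_ORG = 50
MAX_MBPS_PER_TUNNEL = 250

# Constructed plan. 'bypass' lists prefixes routed outside the tunnel; identities are placeholders.
PLAN = [
    {"name": "hq-primary", "location": "HQ", "site": "Default", "identity": "hq@org-example.umbrella.com",
     "psk": "psk-1", "sources": ["10.10.0.0/16"], "saml": True,
     "bypass": ["146.112.0.0/16", "155.190.0.0/16"], "mbps": 400},
    {"name": "hq-backup", "location": "HQ", "site": "Default", "identity": "hq@org-example.umbrella.com",
     "psk": "psk-1", "sources": ["10.10.0.0/16"], "saml": True, "bypass": [], "mbps": 100},
    {"name": "branch-a", "location": "Branch A", "site": "Default", "identity": "bra@org-example.umbrella.com",
     "psk": "psk-2", "sources": ["10.10.5.0/24", "198.51.100.0/24"], "saml": False, "bypass": [], "mbps": 50},
]


def validate_plan(plan: list) -> list:
    """Return (tunnel name, problem) findings; an empty list means the plan passes."""
    findings = []
    if len(plan) > MAX_TUNNELS_PER_ORG:
        findings.append(("org", f"{len(plan)} tunnels exceeds the {MAX_TUNNELS_PER_ORG}-tunnel SIG limit"))
    seen_creds = {}
    for t in plan:
        cred = (t["identity"], t["psk"])
        if cred in seen_creds:   # shared credentials: anycast failover of one tunnel can break the other
            findings.append((t["name"], f"reuses the credentials of {seen_creds[cred]}"))
        seen_creds.setdefault(cred, t["name"])
        reachable = [ipaddress.ip_network(p) for p in t.get("client_reachable_prefixes", [])]
        for src in map(ipaddress.ip_network, t["sources"]):
            if not any(src.subnet_of(n) for n in RFC1918) and not any(src.subnet_of(r) for r in reachable):
                findings.append((t["name"], f"non-RFC 1918 source {src} is not listed under Client Reachable Prefixes"))
        if t["saml"] and any(SAML_GATEWAY in ipaddress.ip_network(b) for b in t["bypass"]):
            findings.append((t["name"], f"bypass list excludes {SAML_GATEWAY} but the tunnel relies on SAML"))
        if t["mbps"] > MAX_MBPS_PER_TUNNEL:
            needed = -(-t["mbps"] // MAX_MBPS_PER_TUNNEL)   # ceiling division
            findings.append((t["name"], f"{t['mbps']} Mbps exceeds {MAX_MBPS_PER_TUNNEL} Mbps per tunnel; "
                                        f"split across {needed} tunnels to different DC regions"))
    # Overlapping prefixes are only a problem between different locations mapped to the same Site.
    for a, b in combinations(plan, 2):
        if a["site"] == b["site"] and a["location"] != b["location"]:
            for sa in map(ipaddress.ip_network, a["sources"]):
                for sb in map(ipaddress.ip_network, b["sources"]):
                    if sa.overlaps(sb):
                        findings.append((a["name"], f"{sa} overlaps {sb} of {b['name']}; "
                                                    "different locations need separate Umbrella Sites"))
    return findings


if __name__ == "__main__":
    for name, problem in validate_plan(PLAN):
        print(f"{name}: {problem}")
```

Note the SAML check: bypassing the whole 146.112.0.0/16 block, which the throughput advice suggests, also bypasses 146.112.255.200, so a SAML-authenticated tunnel needs a narrower exclusion.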

Considerations - Tunnels
• The Meraki SD-WAN deployment limit is dynamic and depends on the number of networks in the Meraki organization.
• Meraki orgs with >=20 networks (MX deployed sites) will have 1 additional SD-WAN deployment available. This limit increases for every additional 20 networks, up to a maximum of 400 networks or 20 SD-WAN deployments.
• Each Umbrella SD-WAN connector can handle up to 250 Mbps, which is shared across the networks connected to the same deployment.
• Exclusions from redirection for a Meraki SD-WAN deployment are limited to destination IP and port; with an SD-WAN license it is also possible by domain and application. Exclusions by source are not supported.
Considerations – Azure AD and Okta provisioning
• It is not supported to have the same set of identities from 2 different sources (AD and Azure AD).
• If you have some identities in on-prem AD and some only in Azure AD, then you will need to Selectively Sync these identities from their respective sources.
• There is no limit to the number of users that can be provisioned from Azure AD/Okta. For groups, a maximum of 200 groups can be provisioned from Azure AD/Okta to an Umbrella dashboard.
• Azure AD/Okta cannot provide user identity integration for Umbrella Virtual Appliances.
Troubleshooting (http://welcome.umbrella.com)
nslookup -type=txt debug.opendns.com
• Validates whether Umbrella DNS protection is working.
• For AC SWG deployments with AD integration, it helps identify the user hash.

What the TXT records show:
• Umbrella Data Center information used for the DNS added layer.
• Whether DNS traffic is forwarded via an Umbrella Virtual Appliance.
• The AD user hash when deploying Umbrella with AD integration.
• The internal IP of the endpoint for Umbrella deployments that capture internal IP information, e.g. Virtual Appliance or Network Device.
• The Organization ID the DNS traffic is sent to for policy matching. This should match the ID in the URL of your UMB dashboard.
• The DNS policy that is matching the identities sent by the endpoint.
• Public IP address information. For network deployments this should match the IP registered in Umbrella.
• Whether Umbrella encryption is working for deployments that support DNSCrypt, e.g. VA or AC RC.
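Reading the debug.opendns.com answer by eye works for one machine; for a fleet, parse it. The following is an added example written for this page, not a Cisco tool: it extracts the TXT records from saved nslookup output and applies the checks listed above. The sample output is constructed, and the record keywords it relies on (server, orgid, source, device, remoteip, dnscrypt) are an assumption based on how such answers commonly look, so adjust the keys if your output differs.

```python
"""Added example (not a Cisco tool): parse the TXT answers from
`nslookup -type=txt debug.opendns.com` and run the slide's health checks
(data center, org ID, public IP, VA/roaming device, internal IP, DNSCrypt).
Sample output and record keywords are constructed/assumed for the demo."""
import ipaddress
import re

# Constructed nslookup output (Windows layout). dig's `IN TXT "..."` layout parses the same way.
SAMPLE_OUTPUT = """\
Non-authoritative answer:
debug.opendns.com       text = "server m12.lax"
debug.opendns.com       text = "flags 20 0 70 180 1C00000000000000000"
debug.opendns.com       text = "originid 123456789"
debug.opendns.com       text = "orgid 1234567"
debug.opendns.com       text = "actype 2"
debug.opendns.com       text = "bundle 7654321"
debug.opendns.com       text = "source 203.0.113.10:51234"
debug.opendns.com       text = "device 0102030405060708"
debug.opendns.com       text = "remoteip 10.20.30.40"
debug.opendns.com       text = "dnscrypt enabled (ABCDEF0123456789)"
"""

TXT_RE = re.compile(r'"([^"]*)"')   # every quoted TXT string, whatever the resolver's layout


def parse_debug_txt(output: str) -> dict:
    """Map each TXT record's first word (its keyword) to the rest of the record."""
    records = {}
    for quoted in TXT_RE.findall(output):
        key, _, value = quoted.partition(" ")
        records[key] = value
    return records


def check_umbrella_dns(output: str, expected_orgid: str, registered_networks) -> dict:
    """Apply the slide's checks; boolean fields are True when the deployment looks healthy."""
    rec = parse_debug_txt(output)
    nets = [ipaddress.ip_network(n) for n in registered_networks]
    public_ip = rec.get("source", "").rsplit(":", 1)[0]    # "ip:port" -> ip
    try:
        ip_registered = any(ipaddress.ip_address(public_ip) in n for n in nets)
    except ValueError:                                      # no or malformed source record
        ip_registered = False
    return {
        "umbrella_answered": "server" in rec,               # no 'server' record: queries are not reaching Umbrella
        "data_center": rec.get("server"),
        "org_id_matches": rec.get("orgid") == expected_orgid,   # must equal the ID in the dashboard URL
        "public_ip": public_ip,
        "public_ip_registered": ip_registered,              # network deployments: must be a registered network
        "via_device": "device" in rec,                      # assumed: present when a VA or roaming client forwarded the query
        "internal_ip": rec.get("remoteip"),                 # assumed: only present when the deployment captures it
        "dnscrypt_enabled": rec.get("dnscrypt", "").startswith("enabled"),
    }


if __name__ == "__main__":
    for key, value in check_umbrella_dns(SAMPLE_OUTPUT, "1234567", ["203.0.113.0/24"]).items():
        print(f"{key:22} {value}")
```

Run it against output captured from a machine that should be protected; a missing `server` record or a mismatched org ID are the two findings that most often explain "policy not applied" tickets.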

Troubleshooting (https://policy-debug.checkumbrella.com)
• How to confirm which SWG ruleset is matched.
• Confirm the correct DC location and the expected customer public-facing IP.
Troubleshooting
• SWG Policy Tester
  • The tool helps test policies and rules for web traffic that matches criteria based on identity and destination.
  • The tool can be found in the Umbrella Dashboard under Policies > Management > Web Policies / Policy Tester.
Troubleshooting (https://support.umbrella.com/hc/en-us/articles/360043386131)
• The Anyconnect DART bundle helps identify the following for troubleshooting:
  • Registration and sync process to the Umbrella APIs.
  • Traffic being intercepted by the SWG module.
  • Information on exception lists (Internal/External Domains).
  • Whether Trusted Network Detection is configured.
Troubleshooting
• HAR files can be collected to investigate issues such as:
  • Diagnosing sites not loading properly
  • Identifying possible causes of latency/performance problems
  • HTTP codes found during communication:
    • 200 – the response completed successfully
    • 302 – there was a blocked redirect
    • 502 – a connection timeout, TLS handshake failure, or rate limiting due to traffic spikes
    • 452 – a possible "replay attack" due to an incorrect timestamp on the endpoint
Screenshot callouts: (1) time to finish loading the page; (2) HTTP status code response.
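A HAR file is plain JSON, so the two things the slide reads off the screenshot, page load time and the status code of each request, can be pulled out programmatically and the codes listed above mapped to their likely cause. The following is an added example written for this page, not a Cisco tool; the HAR content is constructed and its hostnames are documentation placeholders.

```python
"""Added example (not a Cisco tool): summarise a HAR capture the way this slide
reads it: page load time, HTTP status codes, and the meaning of the codes the
slide lists for an SWG deployment. The HAR document is constructed for the demo."""
import json
from collections import Counter

# What each status code listed on the slide usually indicates behind the SWG.
STATUS_HINTS = {
    200: "response completed successfully",
    302: "blocked redirect (check the block page / matching rule)",
    502: "connection timeout, TLS handshake failure or rate limiting from a traffic spike",
    452: "possible replay attack: the endpoint's clock/timestamp is wrong, fix time sync",
}

# Constructed HAR capture: three requests belonging to one page.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "pages": [{"id": "page_1", "title": "https://www.example.com/",
                   "pageTimings": {"onContentLoad": 850, "onLoad": 1420}}],
        "entries": [
            {"pageref": "page_1", "time": 310,
             "request": {"method": "GET", "url": "https://www.example.com/"},
             "response": {"status": 200, "statusText": "OK"}},
            {"pageref": "page_1", "time": 120,
             "request": {"method": "GET", "url": "https://cdn.example.com/app.js"},
             "response": {"status": 452, "statusText": ""}},
            {"pageref": "page_1", "time": 30000,
             "request": {"method": "GET", "url": "https://api.example.net/data"},
             "response": {"status": 502, "statusText": "Bad Gateway"}},
        ],
    }
})


def analyze_har(har_text: str, slow_ms: float = 5000) -> dict:
    """Count status codes, flag the suspicious ones, and find slow requests."""
    log = json.loads(har_text)["log"]
    entries = log.get("entries", [])
    statuses = Counter(e["response"]["status"] for e in entries)
    findings = []
    for e in entries:
        code = e["response"]["status"]
        url = e["request"]["url"]
        if code in STATUS_HINTS and code != 200:
            findings.append((url, code, STATUS_HINTS[code]))
        elif code >= 400:
            findings.append((url, code, "error response, inspect the response body"))
        if e.get("time", 0) > slow_ms:          # latency hot spots, independent of the status code
            findings.append((url, code, f"slow request: {e['time']:.0f} ms"))
    # onLoad is the browser's own 'time to finish loading the page' figure.
    page_load = {p["id"]: p.get("pageTimings", {}).get("onLoad") for p in log.get("pages", [])}
    return {"requests": len(entries), "status_counts": dict(statuses),
            "page_load_ms": page_load, "findings": findings}


if __name__ == "__main__":
    report = analyze_har(SAMPLE_HAR)
    print("requests:", report["requests"], "codes:", report["status_counts"])
    print("page load (ms):", report["page_load_ms"])
    for url, code, hint in report["findings"]:
        print(f"  {code} {url}: {hint}")
```

Feed it the HAR exported from the browser's developer tools (or the one the SWG Diagnostic Client captures); a 452 on a single endpoint points at that machine's clock, while 502s across many endpoints at the same time point at the path to the gateway.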
Troubleshooting (https://gateway.id.swg.umbrella.com/auth/cookie.do)
• For SWG deployments using SAML, this helps identify when the user has successfully authenticated and a session cookie is created.

Screenshots: before SAML; SAML authenticated.
Troubleshooting (https://support.umbrella.com/hc/en-us/articles/360040209751-SWG-SAML-Troubleshooting-Tools)
• Use a SAML tracer to track SAML requests and determine authentication- or cookie-related issues.
Troubleshooting (https://software.cisco.com/download/home/286312181/type/286328329/release/1.2.1?i=!pp)
• SWG Diagnostic Client
  • Helps compare traffic and investigate latency between SWG and DIA
  • Captures HAR files for testing sites
  • Downloads the SWGconfig.json from the endpoints
Troubleshooting
• The Activity Search Report provides a new option under Customize/Columns to identify the Policy/Rule for URL requests.
Demo

Submit Your Questions Now!
Use the Q&A panel to submit your questions, our expert will respond.
Ask Me Anything
Till December 2nd, 2022 – Eduardo, Luis & Ivan
Participate: https://bit.ly/amaSIGumbrella
Collaborate within our Social Media
• Twitter: @Cisco_Support – http://bit.ly/csc-twitter
• Facebook: Cisco Community – http://bit.ly/csc-facebook

Learn About Upcoming Events

We invite you to review our Social Media Channels
• YouTube: Cisco Community – http://bit.ly/csc-youtube
• App: Cisco Technical Support
• LinkedIn: Cisco Community – http://bit.ly/csc-linked-in
Cisco has support communities in other languages!
If you speak Spanish, Portuguese, Japanese, Russian or Chinese we invite you to participate & collaborate.
• Korean (NEW)
• French: Communauté Cisco
• Spanish: Comunidad de Cisco
• Japanese: シスコ コミュニティ
• Portuguese: Comunidade da Cisco
• Chinese: 思科服务支持社区
More IT Training Videos and Technical Seminars on the Cisco Learning Network
View Upcoming Sessions Schedule: https://cisco.com/go/techseminars
Thank you for Your Time!
Please take a moment to complete the survey.

Thanks For Joining today!