Implementing Umbrella SIG
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Meet our Cisco VIPs Part 1: Women who Rock!
Become an event Top Contributor!
http://bit.ly/EventTopContributors
Rate content at the Cisco Community
Help us to recognize the quality content in the community
Cisco Community Experts
Thank You For Joining Us Today!
Agenda
3. Considerations
4. Troubleshooting
5. Demo
SIG Deployments overview
• Deployment methods for key features
UMB Identity
• This integration allows AnyConnect to authenticate and securely redirect web traffic in both off-prem and on-prem scenarios.
• SWG is primarily intended for protecting roaming users; however, it can also be used when the device is accessing the Internet from within the company's internal network.
Diagram labels: roaming client (RC) sync of Org ID, Device Name and Device ID; SWGconfig.json config sync with Device ID, Org ID, exceptions and the Umbrella proxy address; DNS and web (http, https) traffic to the Umbrella Cloud.
UMB Identity
• You can establish an IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnel from any network device to enforce CDFW and SWG policies.
• Forward traffic on ports 80 and 443 to the Secure Web Gateway (SWG).
Example
Data center region code: US-1
Umbrella source IP: 146.112.0.0/16 and 155.190.0.0/16
Primary: Los Angeles, 146.112.67.8
Secondary: Santa Clara, 146.112.66.8
In case of primary failure, uses the secondary DC in the same region (failover: Automatic).
Diagram label: Dallas TX
Branch
UMB Identity
• This deployment option allows sending browser web traffic to Umbrella SWG by integrating a Proxy Auto-Config (PAC) file, so that traffic is inspected before it reaches the destination.
• PAC file downloads and usage are limited to fixed networks registered in Umbrella.
Umbrella Proxy IP: 146.112.0.0/16 and 155.190.0.0/16
UMB Identity
Diagram: proxy chaining from an on-prem proxy (Web Security Appliance) to Cisco Umbrella Secure Web Gateway; labels: Transparent mode, Explicit mode, FQDN, TCP anycast, Google.com, Facebook.com.
SIG Deployment Types & Traffic Flow Diagram
Diagram labels:
• Redirection methods: IPsec IKEv2 tunnel, AnyConnect SWG, PAC file, proxy chaining
• Umbrella Cloud DC egress IP (NAT): 146.112.0.0/16 & 155.190.0.0/16
• Non-web traffic not blocked by CDFW rules or IPS (e.g. port 21) passes through the L7 firewall & IPS to Internet/SaaS
• Web traffic (80 & 443) allowed by CDFW goes to SWG: HTTP/S, DLP, RBI, out-of-band CASB, cloud malware detection
Umbrella Policy Flow
Best Practices - Policies
• It is recommended to set up different rulesets for scenarios where different enforcement is needed based on location, or where different ruleset settings are required, such as:
• HTTPS inspection
• Tenant Controls (Microsoft, Google and Slack)
• File Type Control and File Inspection
• SAML
• Logging
• Rulesets / Rules are matched on 3 conditions to define the action:
• Identities
• Destinations (Content Categories / Destination list / Applications)
• Schedule
Best Practices - Policies
Diagram: Ruleset = Rules (combined with OR) AND Ruleset Settings
Best Practices - Policies
• Identities enforced with web policies must be exempted from the Intelligent Proxy in your DNS policies.
• HTTPS inspection
• It is recommended to enable HTTPS inspection for proper web policy enforcement.
• Dashboard options shown: "Block traffic only" / "Enable HTTPS inspection"
Best Practices - Policies
• Optionally, the Uncategorized category is now available as part of your web policies. This can help as a method to define a restrictive action in your Default policy.
• Warn Page and Remote Browser Isolation may be used if there are any security concerns.
Example (https://talosintelligence.com/): URL found, example.com/sports: Sports; URL not found: Uncategorized
Best Practices - Policies
• O365 compatibility mode
• The feature aligns with Microsoft best practices, which recommend bypassing SSL inspection and proxy authentication for the Optimize and Allow endpoint category data from the Office 365 URLs and IP address ranges.
• Removes performance / privacy concerns related to decryption of traffic.
• Prevents these domains from triggering SAML authentication, which may help avoid SAML problems for non-browser MS apps.
• Keep in mind that since O365 endpoints are bypassed, the following Umbrella features will not apply:
• File Inspection
• File type control
• AD user/group rule identities can't be used unless IP surrogate is configured for SAML
Best Practices - Policies
• Protected File Bypass
• In scenarios where "File Inspection" is enabled, password-protected files are blocked by the Umbrella policy by default.
• These files are blocked by Umbrella because they cannot be uncompressed or scanned.
• Blocked password-protected files are displayed within the "Protected File" category in the Umbrella reports.
• There are two options to allow these files:
• Enable the option in the "global settings"
• Include the URL / domain in a "Destination list" and enable the action "Security Overwrite" in the rule.
Best Practices - AnyConnect
• During the initial implementation phase, we recommend using the "Selective enablement" feature to control which computers will redirect web traffic using the Roaming Security SWG module.
• Once SWG is enabled globally, this option can be used to disable SWG for specific computers.
• Tags can be used to group the computers where SWG was enabled with this feature.
Best Practices - AnyConnect
• The recommended version for AnyConnect SWG deployments is at least 4.10 MR3.
• Confirm that the updated Umbrella IP ranges are permitted on the network from where the AC SWG connection is established.
• For bandwidth-intensive or IP-restricted critical business apps/sites that require traffic to be excluded from the proxy, you can configure External Domains under Deployment/Domain Management.
• Internal domains: applies to DNS and SWG
• External domains: applies to SWG only
• Bypassing IPs under Domain Management is supported for AnyConnect.
Best Practices – Tunnel
• To enable greater throughput, you can bypass the Umbrella infrastructure (146.112.0.0/16 and 155.190.0.0/16) so that web traffic from Network or AnyConnect SWG deployments remains outside the IPsec tunnel.
• For tunnel deployments that require SAML authentication, make sure that the URL gateway.id.swg.umbrella.com (146.112.255.200) is not bypassed from the tunnel.
• Use the recommended/supported VPN security parameters from our official documentation.
Best Practices – Tunnel
• Meraki MX introduced support for the Umbrella SD-WAN Connector, which reduces the complexity of configuring tunnels to Umbrella SIG and provides redundancy for the traffic.
• Automatic failover and better controls to monitor the performance/latency of the connection.
Best Practices – Tunnel
• Due to potential rate-limiting issues when using VAs inside the tunnel, it is recommended to steer traffic outside the tunnel if using VAs. VAs do not do DNS caching and send high query volumes.
• CDFW expects a private RFC 1918 address as the source IP for outbound packets. If you use non-RFC 1918 addresses, you can add them under Client Reachable Prefixes when configuring your tunnel. This overrides the default behavior, which allows all traffic destined for RFC 1918 addresses to return through the tunnel.
Best Practices – Tunnel
• ASA version 9.17 and FTD version 7.1 now support IKEv2 FQDN identity, which can be used for the creation of Umbrella SIG tunnels.
• The ASA IPsec profile configuration should include the extra command that sets the tunnel identity: set ikev2 local-identity email-id xxxxxxx@xxxxxxxxx-xxxxxxx.umbrella.com
• Please refer to the following document to confirm ASA/FTD model compatibility with the latest version: https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#reference_upj_nkl_x4b
• A unique set of network tunnel credentials must be used for each IPsec tunnel. Using unique credentials for every tunnel prevents inadvertent outages should one tunnel get re-routed to a nearby data center through anycast failover.
Best Practices – Tunnel
• Exclusion of web traffic from being redirected to Umbrella SWG must be done in the customer's VPN device, using the following recommendations:
• ISR / ASA: recommended to use route-based VPN tunnels and configure exclusions with PBR.
• Firepower version 6.7+ introduced support for route-based VPN tunnels to configure exclusions with PBR.
• Meraki MX
1. Non-Meraki VPN peer: there is no option to bypass traffic from SIG tunnels.
2. SD-WAN Connector: exclusions by applications, domain (SD-WAN license required), destination IP and ports.
• 3rd-party VPN device: depends on the routing and VPN capabilities of the vendor.
Diagram labels: Internet; Umbrella Cloud; source IP 146.112.x.x & 155.190.x.x (Umbrella); IPsec tunnel; example source IP 70.149.x.x; SD-WAN; on/off-network devices.
Best Practices – Tunnel
• To provide user attribution you can implement SAML authentication with an Identity Provider. This can be configured on the tunnel identity for all web traffic behind this connection, or applied to only a specific subnet by using the "Internal Network" identity.
• We recommend using IP surrogates when the user's private IP address is visible, your tunnels don't use NAT, or your networks incorporate a proxy chain with XFF. If the user's private IP address is shared by multiple users (for example, Citrix or VDI environments), then using cookie surrogates is recommended; this can be configured with the Internal Network Bypass feature.
Best Practices – AD connector
• Configure Selective Sync to specify the AD groups of interest for the purpose of policy creation in Umbrella.
• Create a CiscoUmbrellaADGroups.dat file in the C:\ drive.
• List the AD groups that need to be synchronized, in distinguished name (DN) format, in this file.
• You can add Active Directory groups to the exception list, which makes the AD connector ignore login events generated by all users and computers belonging to the specified group and any sub-groups, and excludes them from the AD mappings.
Best Practice – Azure AD and Okta provisioning
• Pre-provisioning of users and groups from Azure AD over SCIM without requiring an AD Connector.
• These identities can then be used with AnyConnect/ERC (DNS/SWG) and SAML (SWG) deployments.
• This is for SAML and AnyConnect deployments and does not support VA deployments.
Considerations - AnyConnect
• Due to known issues in previous versions, we do not recommend deploying SWG on old versions that are no longer available on Cisco.com.
• To resolve Captive Portal SWG compatibility, it is recommended to upgrade AnyConnect to version 4.10 MR5 (4.10.05095).
• Changes to Domain Management / External Domains do not apply to scenarios with the AC behind the tunnel.
• For deployments using a combination of Umbrella PAC files and AC SWG on-network, it is important to consider that the Umbrella PAC file takes precedence for redirecting browser traffic. PAC file identities will be used to match policies and for reporting.
Considerations - Tunnels
• Certain devices (3rd-party devices, and Cisco devices such as ASA running versions older than 9.17 or FTD running versions below 7.1) will use the public IP address (not NATed) as the IKE ID for the authentication. Currently it is only possible to set up a tunnel with the same egress IP as IKE ID to a CDFW Data Center Region.
• The throughput / bandwidth limitation per tunnel is currently 250 Mbps. You can increase the throughput by deploying more IPsec tunnels to different CDFW Data Center Regions.
• SIG subscriptions are fixed at 50 tunnels total per Org ID. For deployments that require increasing this number, open a support/engineering ticket to raise the limit.
Considerations - Tunnels
• The Meraki SD-WAN deployment limit is dynamic and depends on the number of networks in the Meraki organization.
• Meraki orgs with >= 20 networks (MX-deployed sites) will have 1 additional SD-WAN deployment available. This limit increases for every additional 20 networks, up to a maximum of 400 networks or 20 SD-WAN deployments.
• Each Umbrella SD-WAN connector can handle up to 250 Mbps, which is shared across the networks connected to the same deployment.
• Exclusions from redirection for a Meraki SD-WAN deployment are limited to destination IP and port; with an SD-WAN license, exclusion by domain and application is possible. Exclusions by source are not supported.
Considerations – Azure AD and Okta provisioning
• It is not supported to have the same set of identities from 2 different sources (AD and Azure AD).
• In case you have some identities in on-prem AD and some only in Azure AD, you will need to selectively sync these identities from the respective sources.
• There is no limit to the number of users that can be provisioned from Azure AD/Okta. For groups, a maximum of 200 groups can be provisioned from Azure AD/Okta to an Umbrella dashboard.
• Azure AD/Okta cannot provide user identity integration for Umbrella Virtual Appliances.
Troubleshooting
http://welcome.umbrella.com
nslookup -type=txt debug.opendns.com
• Validates whether Umbrella DNS protection is working.
• For AC SWG deployments with AD integration, it helps identify the user hash.
• Identifies the internal IP of the endpoint for Umbrella deployments that capture internal IP information (e.g. Virtual Appliance or network device).
• Provides the Organization ID that DNS traffic is sent to for policy matching. This should match the ID in the URL of your Umbrella dashboard.
• Used to determine which DNS policy matches the identities sent by the endpoint.
• Public IP address information. For network deployments this should match the IP registered in Umbrella.
• Identifies whether Umbrella encryption is working for deployments that support DNSCrypt (e.g. VA or AC Roaming Client).
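As an added example (not part of the deck), a small Python helper that parses the TXT records returned by the nslookup command above and checks them against what the dashboard shows: organization ID, registered public IP, the endpoint's internal source IP and DNSCrypt status. The record names (server, device, organization id, remoteip, flags, originid, actype, bundle, source, dnscrypt) are assumed from the resolver's response format, and the sample output below is constructed.

```python
import re

# Constructed sample of "nslookup -type=txt debug.opendns.com" output.
# Values are made up; the record keys are assumed to follow the format
# the Umbrella resolvers return for debug.opendns.com.
SAMPLE_OUTPUT = """\
Non-authoritative answer:
debug.opendns.com text = "server r1.example"
debug.opendns.com text = "device 0123456789ABCDEF"
debug.opendns.com text = "organization id 1234567"
debug.opendns.com text = "remoteip 203.0.113.10"
debug.opendns.com text = "flags 20 0 70 180000000000000000000"
debug.opendns.com text = "originid 98765432"
debug.opendns.com text = "actype 2"
debug.opendns.com text = "bundle 5555555"
debug.opendns.com text = "source 192.168.1.25:53"
debug.opendns.com text = "dnscrypt enabled (1234ABCD5678EF90)"
"""

TXT_RE = re.compile(r'text\s*=\s*"([^"]*)"')


def parse_debug_txt(output):
    """Turn the TXT records into a dict keyed by record name.
    Every key is the first word of the record except 'organization id'."""
    records = {}
    for value in TXT_RE.findall(output):
        if value.startswith("organization id "):
            records["organization id"] = value[len("organization id "):]
        else:
            key, _, rest = value.partition(" ")
            records[key] = rest
    return records


def check_records(records, expected_org_id, expected_public_ip=None,
                  expect_dnscrypt=False):
    """Compare the records with what the Umbrella dashboard shows.
    Returns a list of findings; an empty list means everything matched."""
    if "server" not in records:
        return ["no debug TXT records: DNS queries are not reaching Umbrella"]
    findings = []
    org = records.get("organization id")
    if org != str(expected_org_id):
        findings.append("organization id %s differs from dashboard org %s"
                        % (org, expected_org_id))
    if expected_public_ip and records.get("remoteip") != expected_public_ip:
        findings.append("public IP %s is not the IP registered in Umbrella (%s)"
                        % (records.get("remoteip"), expected_public_ip))
    if expect_dnscrypt and not records.get("dnscrypt", "").startswith("enabled"):
        findings.append("DNSCrypt is not enabled")
    return findings


def internal_ip(records):
    """Endpoint's internal IP from the 'source' record (host:port), if present."""
    src = records.get("source")
    return src.rsplit(":", 1)[0] if src else None
```

The bundle record carries the policy identifier that matched the identity, so it is the value to compare when a different DNS policy is applied than expected.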
Troubleshooting
https://policy-debug.checkumbrella.com
• How to confirm which SWG ruleset is matched.
• Confirm correct DC location and expected customer public-facing IP.
Troubleshooting
• SWG Policy Tester
• The tool helps test policies and rules for web traffic that matches criteria based on identity and destination.
• The tool can be found in the Umbrella Dashboard under Policies > Management > Web Policies / Policy Tester.
Troubleshooting
https://support.umbrella.com/hc/en-us/articles/360043386131
• The AnyConnect DART bundle helps identify the following for troubleshooting:
• Registration and sync process with the Umbrella APIs.
• Traffic being intercepted by the SWG module.
• Information on exception lists (Internal/External Domains).
• Whether Trusted Network Detection is configured.
Troubleshooting
• HAR files can be collected to investigate issues related to:
• Diagnosing issues with sites not loading properly
• Identifying possible causes of latency/performance problems
• HTTP codes found during communication
• 200 - Indicates the response completed successfully.
• 302 - Indicates that there was a blocked redirect.
• 502 - Indicates a connection timeout, TLS handshake failures, or rate limiting due to traffic spikes.
• 452 - Indicates a possible "replay attack" due to an incorrect timestamp on the endpoint.
• For SWG deployments using SAML, this helps identify when the user successfully authenticated and a session cookie is created.
Screenshots: (1) before SAML, (2) SAML authenticated.
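As an added example (not the deck's or Cisco's code), Python that triages a HAR capture along the lines of the slide: it counts the HTTP status codes and maps them to the meanings listed above, flags slow entries, and finds the response that set a session cookie, which is the point where SAML authentication completed. The HAR excerpt is constructed; the cookie name and hostnames are made up.

```python
import json
from collections import Counter

# Meaning of the HTTP status codes as the troubleshooting slide lists them.
STATUS_MEANINGS = {
    200: "response completed successfully",
    302: "blocked redirect",
    502: "connection timeout, TLS handshake failure or rate limiting",
    452: "possible replay attack: incorrect timestamp on the endpoint",
}

# Constructed HAR excerpt (HAR 1.2 layout, not a real capture); only the
# fields the triage below reads are included.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.example.com/"}, "time": 120,
     "response": {"status": 200, "headers": [], "cookies": []}},
    {"request": {"url": "https://idp.example.com/saml/acs"}, "time": 90,
     "response": {"status": 302,
                  "headers": [{"name": "Location", "value": "https://www.example.com/"}],
                  "cookies": [{"name": "swg_saml_session", "value": "opaque"}]}},
    {"request": {"url": "https://slow.example.com/api"}, "time": 31000,
     "response": {"status": 502, "headers": [], "cookies": []}},
    {"request": {"url": "https://intranet.example.com/"}, "time": 40,
     "response": {"status": 452, "headers": [], "cookies": []}},
]}})


def load_entries(har_text):
    """Return the entries list of a HAR document (log.entries)."""
    return json.loads(har_text)["log"]["entries"]


def status_summary(entries):
    """Count responses per HTTP status code."""
    return Counter(e["response"]["status"] for e in entries)


def slow_entries(entries, threshold_ms=5000):
    """URLs whose total time exceeds threshold_ms (latency/performance check)."""
    return [e["request"]["url"] for e in entries if e.get("time", 0) > threshold_ms]


def session_cookie_entries(entries):
    """(url, cookie names) for responses that set a cookie: in a SAML-protected
    SWG flow this is where the session cookie gets created."""
    return [(e["request"]["url"], [c["name"] for c in e["response"].get("cookies", [])])
            for e in entries if e["response"].get("cookies")]


def triage(har_text, slow_threshold_ms=5000):
    """Run all checks and return human-readable findings plus the counts."""
    entries = load_entries(har_text)
    counts = status_summary(entries)
    findings = []
    for status, n in sorted(counts.items()):
        meaning = STATUS_MEANINGS.get(status, "not covered by the troubleshooting guide")
        findings.append("%d x HTTP %d: %s" % (n, status, meaning))
    for url in slow_entries(entries, slow_threshold_ms):
        findings.append("slow response (> %d ms): %s" % (slow_threshold_ms, url))
    for url, names in session_cookie_entries(entries):
        findings.append("session cookie %s set by %s" % (", ".join(names), url))
    return {"counts": dict(counts), "findings": findings}
```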
Troubleshooting
https://support.umbrella.com/hc/en-us/articles/360040209751-SWG-SAML-Troubleshooting-Tools
• Use a SAML tracer to track SAML requests to determine authentication- or cookie-related issues.
Troubleshooting
https://software.cisco.com/download/home/286312181/type/286328329/release/1.2.1?i=!pp
• SWG Diagnostic Client
• Helps to compare traffic and investigate latency between SWG and DIA
• Captures HAR files for testing sites
• Downloads the SWGconfig.json from the endpoints
Demo
Submit Your Questions Now!
ASK ME ANYTHING
Till December 2nd, 2022
Eduardo, Luis & Ivan
Participate: https://bit.ly/amaSIGumbrella
Collaborate within our Social Media
• Twitter: @Cisco_Support, http://bit.ly/csc-twitter
• Facebook: Cisco Community, http://bit.ly/csc-facebook
Learn About Upcoming Events
Cisco has support communities in other languages!
If you speak Spanish, Portuguese, Japanese, Russian or Chinese we invite you to participate & collaborate.
• Japanese: シスコ コミュニティ
• Portuguese: Comunidade da Cisco
• Chinese: 思科服务支持社区
More IT Training Videos and Technical Seminars on the Cisco Learning Network
View Upcoming Sessions Schedule: https://cisco.com/go/techseminars
Thank you for Your Time!