What's new in Umbrella
Cisco's Secure Internet Gateway

Jonny Noble, Manager, CloudSec Technical Marketing
BRKSEC-2023
The Traditional Model

Network: centralized; Internet / SaaS / IaaS are reached through the data center
Security: a single place to enforce policies and protection
Connectivity: branch offices and roaming/mobile users backhaul to HQ over MPLS / VPN
#CLUS BRKSEC-2023 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Disruption: To the cloud

Network: decentralized; branch offices and roaming/mobile users reach Internet / SaaS / IaaS directly (SD-WAN, DIA/DCA)
Security: protect at the data center, the cloud, and the branch edge
Resulting Security Challenges
• Gaps in visibility and coverage
• Volume and complexity of security tools
• Limited security resources
Users and Apps Have Adopted the Cloud…
Security must too

• 49% of the workforce will be mobile¹
• 82% admit to not using the VPN²
• 70% increase in SaaS usage³
• 70% of branch offices have DIA⁴
Security controls must shift to the cloud

Sources:
1. "Securing Portable Data and Applications for a Mobile Workforce", SANS, 2015
2. "Your Users Have Left the Perimeter. Are You Ready?", IDG, 2016
3. "Keeping SaaS Secure", Gartner, 2016
4. "Securing Direct-To-Internet Branch Offices: Cloud-Based Security Offers Flexibility and Control", Forrester, 2015
Agenda
What's new in Umbrella, Cisco's Secure Internet Gateway
• Introduction to Umbrella SIG
• Enforcing DNS for Added Layer Protection
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall
• Bringing it all Together
• Summary

Session Abstract
• This session looks at all the security services provided by Cisco Umbrella, Cisco's secure internet gateway, and illustrates the benefits enabled by cloud-delivered security with practical examples.
• The session covers the following services:
  • DNS-layer security with selective proxy
  • Full proxy secure web gateway (SWG)
  • Firewall as a service
  • Cloud access security broker (CASB) service
• You'll learn how Umbrella enables branch transformation, increases security posture with leading DNS-layer (added layer) protection, allows for secure XaaS adoption and supports customers' cloud-first strategies.
Who am I?
• I manage the Technical Marketing Engineering team for Cloud Security at Cisco,
with expertise in web security, cloud-based security, and Cisco Umbrella
• I have vast experience in customer-facing disciplines in leading global hi-tech
organizations over the last 20 years
• In the past I managed all training activities for ScanSafe within Cisco, including
defining, creating and implementing partner and customer training and certification
programs; creating and providing all training content and tools for customers,
partners, and Cisco employees world-wide (including eLearning, on-line, and “on
demand” content), and management of on-line certification exams
• I also have rich experience in presenting breakout sessions and proctoring labs at
Cisco Live events and representing Cisco at numerous other customer and partner
events, trade shows, and exhibitions
• I hold a degree in Sociology & Psychology, a Business MBA, and am CISSP certified

For Your Reference…
• Additional information for your reference can be found on slides marked with the reference icon
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKSEC-2023
Related & Overlapping Sessions

BRKSEC-2342 Branch Router Security Thursday, 10.30am

BRKSEC-2019 Risky Business: Help Reduce Risk by Gaining Visibility and Control of Cloud App Usage Thursday, 1pm

BRKSEC-2069 Meraki Integrations with the Cisco Security Architecture Thursday, 1pm

Deliver Protection Everywhere
• HQ: boost existing security
• Roaming/mobile: enable off-network protection
• Branch DIA/DCA: transform edge security
“SIG […] could potentially offset
or displace some or all of the
bulk of on-premises solutions of
yesterday (especially for branch
office locations).”
– Gartner

Cisco Umbrella: DNS-layer security, web gateway, cloud-delivered firewall, SaaS usage controls (CASB) and correlated threat intel, delivered to SD-WAN and on/off-network devices
Next: Enforcing DNS for Added Layer Protection
It all Starts with DNS
Traffic redirection - DNS policy: DNS-based redirection → Umbrella resolvers → Internet, with a selective proxy for risky domains
Where Does Umbrella Fit?

Threats: malware, C2 callbacks, phishing
Existing network and endpoint controls at HQ, branch and roaming: NGFW, proxy, sandbox, router/UTM, NetFlow and IP connection monitoring, endpoint AV

Umbrella as the first line:
• It all starts with DNS
• Precedes file execution
• Used by all devices
• Port agnostic
DNS-layer Enforcement
A good place to start

• Deploy protection in minutes for fastest time to value
• Block malware, phishing, command and control, and unacceptable requests anywhere
• Stop threats at the earliest point and contain malware if already inside
• Amazing user experience: faster internet access; only risky domains are proxied
• Consistent experience on- and off-network
• HTTP/S content scanned by selective proxy
Umbrella's View of the Internet
• 180B requests per day
• 90M daily active users
• 17K enterprise customers
• 160+ countries worldwide
Umbrella: In the Sweet Spot
Umbrella sits between any device's recursive DNS queries and the authoritative DNS hierarchy (root, com., domain.com.)

User request patterns, used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains

Authoritative DNS logs, used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
Statistical Models
4M+ live events per second; 11B+ historical events

Guilt by inference:
• Co-occurrence model
• IP geo-location model
• Secure rank model
• Sender rank model

Guilt by association:
• Predictive IP space modeling

Patterns of guilt:
• Spike rank model
• Natural language processing rank model
• Live DGA prediction
Umbrella Data Centers Co-located at Major IXPs

Umbrella Datacenters
• Amsterdam • Milan
• Berlin • Mumbai
• Bucharest • New York
• Chicago • Palo Alto
• Copenhagen • Paris
• Dallas • Prague
• Denver • Sao Paulo
• Dubai • Seattle
• Frankfurt • Singapore
• Hong Kong • Sydney
• Johannesburg • Tokyo
• London • Toronto
• Los Angeles • Vancouver
• Melbourne • Warsaw
• Miami • Washington DC

Fast and Reliable
• 1000s of peering sessions
• Anycast IP routing
Connect to the cloud
Flexible deployment options: DNS-based deployment or tunnel-based deployment

• Endpoint: AnyConnect roaming client, iOS, Chromebook
• Cisco networking: ISR 1K/4K, WLAN controller, Catalyst 9K*, Meraki MR/MX, SD-WAN (Viptela)*, ASA
• Other network devices: DNS/DHCP servers, wireless APs

*Future
Protecting Roaming Users
No longer the weakest link…

If already licensed for AnyConnect (AnyConnect module):
• Install the latest version of AnyConnect
• Enable the Umbrella Roaming module

If not using AnyConnect (Umbrella standalone roaming client):
• Install the standalone roaming client
• Standalone lightweight agent
Next: Umbrella's Secure Web Gateway
Umbrella Web Gateway: Full Web Proxy

• Building more complete web gateway functionality in our cloud platform
• Gain deeper visibility and control of web traffic anywhere users go
• Flexibility to choose the level of traffic sent to Umbrella: selective or full proxy
• Multiple connection methods: IPsec tunnel, proxy chain, PAC files, AnyConnect client¹
• O365 bypass supported via MS API²
• Further functionality to be delivered in phases as it's developed

Full web proxy capabilities: app visibility & control, content control & blocking, file inspection, data loss prevention¹

1. Future capability
2. No option yet in UI, enabled by support
Key Requirements for SWG Services

Visibility:
• App discovery (shadow IT)
• Full URL logging

Protection:
• Antivirus / anti-malware (AMP)
• Malware sandboxing (Threat Grid)

Control:
• App blocking & control
• Web content filtering
• Time-based & file-type controls
• Data loss prevention (DLP) (future)
Not Just an "Upgrade" of Selective Proxy

Selective proxy
• Purpose: increase protection while maintaining the ease of DNS-layer deployment
• Capabilities: inspect selected web traffic (only for "grey" domains) in-depth (AV, AMP)

Full proxy
• Purpose: deliver standard full web traffic proxy capabilities (visibility, control, & threat) to complete SIG
• Capabilities: inspect all web traffic in-depth (AV, AMP) and enable granular control and reporting
Flexible Connection Methods
• Tunnel, using IPsec (HQ & branch)
• Proxy chain, for web traffic (HQ & branch)
• PAC & AnyConnect*, for endpoints (roaming)

*Future
SIG Deployment Methods

Traffic redirection - DNS policy: DNS-based redirection → Umbrella resolvers → Internet, with selective proxy for grey domains

Traffic redirection - SIG policy (traffic orchestrator):
• Umbrella DNS: DNS-based redirection
• IPsec tunnel: web traffic → full proxy → Internet
• Web proxy chaining → full proxy
• PAC file → full proxy
• Roaming*

*Will be supported in the future
Deployment Methods

Proxy chaining
• Supported methods: transparent via WCCP; manual upstream proxy configuration
• Requirements: web proxy or secure web gateway with proxy capabilities (e.g. Cisco WSA); device capable of forwarding the XFF header (for internal IP identity only)
• Identities: network identity; SAML: username/user group*; XFF header: internal IP; AD Connector: username/user group

PAC file
• Supported methods: local or GPO; WPAD; custom PAC file; Umbrella PAC file
• Requirements: Group Policy Management (Windows); a tool capable of configuring the PAC setting; PAC file hosting in an enterprise environment
• Identities: network identity; SAML: username/user group*; AD Connector: username/user group (future)

IPsec
• Supported methods: shares the same tunnel configuration as CDFW
• Requirements: device capable of supporting IPsec tunnel configuration (e.g. ASA, CSR, ISR); Umbrella certificates
• Identities: network identity; SAML: username/user group*; AD Connector: username/user group (future)

AnyConnect (future)
• Supported methods, requirements and identities: TBD

*Supported IdPs: Okta, Ping Identity, Azure AD, ADFS
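In the proxy-chaining row above, the internal-IP identity depends on the X-Forwarded-For (XFF) header that the on-premises proxy (e.g. a WSA) forwards. As an added example, not code from Umbrella or from this session, the Python below shows the check any receiving proxy should apply before trusting that header: the TCP peer must be one of your own chained proxies, the header is walked from the right past your proxies, and only a private address counts as an internal identity. The trusted-proxy addresses, header values and the private-address test are constructed assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: addresses of the on-premises proxies that are allowed
# to chain to the gateway and whose XFF entries we trust.
TRUSTED_PROXIES = [ip_network("203.0.113.10/32"), ip_network("203.0.113.0/28")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def internal_ip_from_xff(peer_ip, xff_header):
    """Return the internal client IP for an identity decision, or None.

    Rules (standard rightmost-untrusted-hop logic, not an Umbrella specification):
    * If the TCP peer is not a trusted chained proxy, ignore XFF entirely:
      anything a client puts in XFF itself is attacker-controlled.
    * Otherwise walk the XFF list from the right, skipping our own proxies;
      the first untrusted hop is the real client.
    * Only a private (RFC 1918 etc.) address counts as an "internal IP" identity.
    """
    try:
        peer = ip_address(peer_ip)
    except ValueError:
        return None
    if not _is_trusted(peer):
        return None
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None          # malformed entry: refuse rather than guess
        if _is_trusted(addr):
            continue             # appended by our own proxy, keep walking
        return str(addr) if addr.is_private else None
    return None                  # XFF carried only our proxies


def classify(peer_ip, xff_header):
    """Identity tier the gateway falls back to for a request: internal IP or network."""
    internal = internal_ip_from_xff(peer_ip, xff_header)
    return ("internal-ip", internal) if internal else ("network", peer_ip)
```

The point of the rightmost walk is that a client can send its own `X-Forwarded-For: 10.9.9.9` header; a correctly configured upstream proxy appends the real source after it, so the entry your proxy added is the one to believe, and a header arriving from anything other than your proxy is discarded outright.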
Allow Specific URLs
New functionality: destination allow lists

• 4096 characters max length for URLs
• Selective proxy only has the ability to block URLs
HTTPS Inspection

• The Umbrella root certificate must be installed on all endpoints protected by the policy
• Includes selective decryption with categories for exclusion
• Enforces policy at the domain level when not decrypting
• Option to decrypt only blocked requests so block pages display properly
Full URL Visibility in Logs

Log Export
• Full proxy logs included in
standard log export
• Exported to Cisco or customer’s
own S3 bucket
• Comprehensive list of supported
fields
• Recommended to use log format
version 4

SAML and User Provisioning
End-user authentication

User provisioning: SAML-authenticated users have to be matched from the list of provisioned users:
• Manual CSV import
• AD sync via AD Connector
• In future: automatically populated from the SAML assertion

SAML identities: apply policy to SAML groups or users
Next: Cloud Delivered Firewall
Use-case for Cloud Delivered Firewall
Customer concerns: guest Wi-Fi

• Connecting with infected devices
• Sharing files illegally (music, movies)
• Accessing inappropriate content

These activities negatively impact an enterprise's security posture:
• Linked to security ratings like those provided by BitSight
• Ultimately increase their cyber insurance premiums
Cloud-delivered Firewall

• Provides firewall functionality at the cloud edge
• Protection at the first hop for DIA branch offices and guest networks
• Ability to enforce beyond DNS across all ports and protocols
• Currently L3/L4; plans to expand to L7 and more advanced functionality
• Guest network gets NAT'd behind a Cisco IP address in the cloud rather than the enterprise's IP

Traffic path: SD-WAN and on/off-network devices → IPsec tunnel → Umbrella cloud (CDFW, then SWG for HTTP/S) → NAT → Internet. Example: enterprise source IP 70.149.x.x is seen by the Internet as 146.112.x.x (Umbrella).
Key Requirements for CDFW Services

Visibility:
• Full logging & statistics

Protection:
• L4 port/protocol protection
• L7 SNORT-based IDS/IPS (future)

Control:
• SNORT-based AVC
• Time-based policies
Cloud Firewall At-A-Glance
Tunneling, global coverage, identity, logging and reporting, policy

Capabilities
• L3/L4 firewall; L7 capabilities in a future update
• Supported today on IPsec tunnel; future updates will include support for AnyConnect
• Outbound firewall only

Identities
• Network tunnel used as the primary identity
• SAML support will be included in a future update

Infrastructure
• Multi-geo data center support
• Auto-DC failover

Logging and reporting
• Firewall logs included as part of Activity Search
• Log export supported via S3
Inbound vs Outbound Firewall

Inbound use cases: VPN, branch to branch, WAF, IDS/IPS
Outbound use cases: access control, security features, DLP, compliance, proxy features
Full Traffic Processing

Traffic redirection - DNS policy: DNS-based redirection → Umbrella resolvers → Internet, with selective proxy

Traffic redirection - SIG policy (traffic orchestrator):
• Umbrella DNS: DNS-based redirection (Umbrella DNS over the tunnel*)
• IPsec tunnel: web traffic → full proxy → Internet; all other traffic → firewall → Internet
• Web proxy chaining → full proxy
• PAC file → full proxy
• Roaming*: web and all other traffic

*Will be supported in the future
Firewall Policy
Order of operation is the same as with an ACL: rules are evaluated top down and the first match wins
L3/L4 capabilities

CloudFW Reporting Provides Context & Filtering
Filter by IPs, ports, protocols, or see IP details in Investigate
Log Export
• Full FW logs included in standard
log export
• Exported to Cisco or customer’s
own S3 bucket
• Comprehensive list of supported
fields
• Recommended to use log format
version 4

IPsec Tunnel Architecture
Tunnel definition in the Umbrella dashboard
Defined tunnels in the dashboard
Tunnel Support

Supported devices
• RSA certificate-based authentication: Cisco ISR, Cisco CSR, third-party devices
• PSK support: Cisco ISR, CSR, Cisco ASA, Viptela vEdge, Viptela cEdge, Meraki MX, third-party devices

Additional details
• IKEv2 encryption
• Tunnel supports SWG and CDFW services
• Based on "hybrid" anycast
• No limit on the number of tunnels that can be created

https://docs.umbrella.com/deployment-umbrella/docs/working-with-tunnels
Datacenter Headend Deployment – June 2019
10 data centers worldwide and growing; initial focus on N. America, EMEA, and APJ locations
Capacity and Availability

Capacity
• 150 Mbps/tunnel currently supported, with plans to increase capacity in stages
• 90% of branch locations using Viptela utilize less than 100 Mbps
• If a customer needs more than 150 Mbps, multiple tunnels can be deployed

Availability
• 99.9% guaranteed uptime; hybrid anycast is used for availability
• Example: primary data centers LAX and SJC both serve head-end IP 146.67.112.2; in case of a DC failure, Umbrella issues another DC in the same region with the old DC's IP address, so there is no requirement to change the head-end IP in the branch tunnel configuration
Failover Conditions
Device issues

• There are situations when the tunnel-originating device fails because of hardware issues
• In this case, usually there is a hot standby router that takes over
• Tunnels move from the old device to the new device

(Diagram: small/home office, Waltham office, SF office and corporate data center, each with a tunnel to the Umbrella DC)
Failover Conditions
Path issues

• There are situations when the path of the IPsec tunnel experiences some issues
• In this case, either the SD-WAN device selects a different path, or the routers in the path update themselves with the new routes
• Tunnels move from the old path to a new path
Failover Conditions
Datacenter (DC) issues

• There are situations when the Umbrella service itself experiences issues
• In this case, there are multiple instances in each DC to handle customer traffic
• If the entire DC has issues, it is taken out automatically and another DC in the same region starts serving the old DC's IP address (hybrid anycast)
• Tunnels move from the old DC (DC 1) to a new DC (DC 2) in the same region
Next: Bringing it all Together
Policy Outcome Flow
• DNS policies are evaluated first; any traffic allowed is evaluated next*
• CDFW evaluates anything not blocked by DNS
• Any 80/443 traffic is sent to the SWG (unless blocked in the firewall policy)
• The SWG evaluates 80/443 traffic not blocked by DNS and CDFW

*Also applies to traffic where an allow rule is not explicitly configured
Policy Verdicts

Policies
• DNS blocks: domains in a destination list
• CDFW allows: port 80/443

Outcome
1. DNS policy evaluated
2. DNS returns the IP of the block page
3. CDFW blocks the connection
Policies
• DNS blocks: domains in a destination list
• CDFW blocks: a range of IPs

Outcome
1. DNS policy evaluated
2. DNS returns the IP of the block page
3. Policy evaluated by CDFW
4. CDFW blocks the connection
Policies
• DNS allows: domains in a destination list
• CDFW blocks: a range of suspicious IPs, including one (172.2.2.2) matching a domain in the DNS destination list

Outcome
1. DNS policy evaluated
2. Destination IP(s) returned
3. Request for the site IP evaluated by CDFW
4. CDFW blocks the connection
Policies
• DNS allows: destination list, some sites matching shopping
• CDFW allows: all 80/443 and port 21
• SWG allows/blocks: shopping

Outcome
1. DNS policy evaluated
2. Destination IP(s) returned
3. CDFW policy evaluated; any 80/443 request is sent to the SWG
4. SWG blocks or allows the request (4a: SWG allow, 4b: SWG block)
Policies: Non-HTTP policy verdict
• DNS allows: domains in a destination list, some sites matching shopping
• CDFW allows: all 80/443 and port 21
• SWG allows/blocks: shopping

Outcome
1. DNS policy evaluated
2. Destination IP(s) returned
3. CDFW policy evaluated; any 80/443 request is sent to the SWG, any port 21 request is sent direct
4. CDFW allows port 21
5. SWG allows/blocks shopping
Policies
• DNS grey list: selective proxy enabled
• CDFW blocks: a range of IPs

Outcome
1. DNS policy evaluated
2. Intelligent proxy IP returned
3. CDFW policy evaluated
4. CDFW blocks the requested domain's IP
Policies
• DNS grey list: application allow: Google Drive
• CDFW allows: 80/443
• SWG allows/blocks: Google Drive (via AVC)

Outcome
1. DNS policy evaluated
2. Intelligent proxy IP returned
3. CDFW policy evaluated; any 80/443 request is sent to the SWG
4. SWG allows/blocks Google Drive (4a: SWG allow, 4b: SWG block)
Policy Decision Verdicts Summary

Traffic    DNS policy verdict   CDFW policy verdict   SWG policy verdict   Final verdict
HTTP       Block                Block                 N/A                  Block - CDFW
HTTP       Block                Allow                 N/A                  Block - DNS
HTTP       Allow                Block                 N/A                  Block - CDFW
HTTP       Allow                Allow                 Allow/Block          Allow/Block - SWG
HTTP       Selective proxy      Block                 N/A                  Block - CDFW
HTTP       Selective proxy      Allow                 Allow/Block          Allow/Block - SWG
Non-HTTP   Allow                Allow/Block           N/A                  Allow/Block - CDFW
Non-HTTP   Block                N/A                   N/A                  Block - DNS
Non-HTTP   Selective proxy      Allow/Block           N/A                  N/A
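The flow slides and the summary table above describe the order in which the three layers decide: DNS first, then the cloud-delivered firewall, then the web gateway for port 80/443 only. The Python below is an added toy model of that ordering, not Umbrella's policy engine. The block-page and intelligent-proxy addresses, the domains, the resolver answers, the firewall rules and the web categories are all constructed for the example. It treats the CDFW rule list like the ACL on the earlier firewall-policy slide (first match wins); for a grey-listed domain it lets the firewall see the domain's real address, as the selective-proxy slide describes; and for the non-HTTP/selective-proxy row that the table leaves N/A it simply lets the firewall decide.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders (assumption: the real answers live in Umbrella's
# 146.112.0.0/16 space; these specific values are not taken from the slides).
BLOCK_PAGE_IP = "146.112.61.104"
INTELLIGENT_PROXY_IP = "146.112.63.2"

# Constructed sample policies for the walk-through.
DNS_POLICY = {
    "block": {"malware.example"},                 # destination list, block
    "grey": {"grey.example", "greybad.example"},  # selective proxy enabled
    "resolve": {                                  # stand-in for real resolution
        "shop.example": "198.51.100.20",
        "files.example": "203.0.113.40",
        "badrange.example": "192.0.2.7",
        "grey.example": "198.51.100.30",
        "greybad.example": "192.0.2.9",
    },
}
CDFW_RULES = [                            # (action, destination network, ports or None)
    ("block", "192.0.2.0/24", None),      # suspicious range, any port
    ("allow", "0.0.0.0/0", {80, 443, 21}),
    ("block", "0.0.0.0/0", None),         # explicit deny-all, like the end of an ACL
]
SWG_POLICY = {
    "categories": {"shop.example": "shopping", "files.example": "file-sharing",
                   "grey.example": "file-sharing"},
    "block_categories": {"shopping"},
}


def dns_layer(policy, domain):
    """DNS verdict plus the address the client is told: block page, intelligent proxy, or real IP."""
    if domain in policy["block"]:
        return "block", BLOCK_PAGE_IP
    if domain in policy["grey"]:
        return "selective_proxy", INTELLIGENT_PROXY_IP
    return "allow", policy["resolve"][domain]


def cdfw_layer(rules, dst_ip, port):
    """ACL semantics: rules are checked top down and the first match wins."""
    dst = ip_address(dst_ip)
    for action, network, ports in rules:
        if dst in ip_network(network) and (ports is None or port in ports):
            return action
    return "allow"                        # no rule matched (the sample list always matches)


def swg_layer(policy, domain):
    """Category-based web verdict; only ever consulted for 80/443."""
    return "block" if policy["categories"].get(domain) in policy["block_categories"] else "allow"


def evaluate(dns_policy, cdfw_rules, swg_policy, domain, port):
    """Walk DNS -> CDFW -> SWG and return (verdict, deciding layer)."""
    dns_verdict, answer_ip = dns_layer(dns_policy, domain)
    web = port in (80, 443)
    if dns_verdict == "block" and not web:
        return "block", "DNS"             # table: non-HTTP, DNS block, CDFW not consulted
    # The firewall sees the address the flow is really headed to; for a grey
    # domain the slide says "CDFW blocks requested domain IP".
    target = dns_policy["resolve"][domain] if dns_verdict == "selective_proxy" else answer_ip
    if cdfw_layer(cdfw_rules, target, port) == "block":
        return "block", "CDFW"
    if dns_verdict == "block":
        return "block", "DNS"             # client only ever reaches the block page
    if web:
        return swg_layer(swg_policy, domain), "SWG"
    return "allow", "CDFW"                # non-web traffic ends at the firewall


if __name__ == "__main__":
    for dom, prt in [("malware.example", 443), ("badrange.example", 443), ("shop.example", 443),
                     ("files.example", 21), ("files.example", 22), ("greybad.example", 443)]:
        print(dom, prt, evaluate(DNS_POLICY, CDFW_RULES, SWG_POLICY, dom, prt))
```

The thing to take from the model is the precedence: a DNS block can never be overridden by a later layer, a CDFW block stops traffic before the web gateway ever sees it, and the SWG only ever hands back a verdict for 80/443. Swapping the order of the first two rules in `CDFW_RULES` changes the verdict for `badrange.example`, which is the ACL first-match behaviour the firewall-policy slide refers to.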
SD-WAN (Viptela) Integration
Secure direct internet access (DIA) locations

Today: send DNS requests to Umbrella
• Deploy to hundreds of devices in minutes, within a single dashboard
• Gain DNS-layer protection at branch office locations
• Create policies and view reports on a per-VPN basis

Today: deploy tunnels to forward DIA traffic
• Apply additional inspection/security (firewall, proxy)

Next: automated provisioning to Umbrella
• Scale security with future SaaS/web traffic growth via minimal-touch provisioning in a single dashboard

(Diagram: data center and branch on the SD-WAN fabric over MPLS; branch DIA traffic reaches Internet/SaaS via Umbrella)
SaaS Usage Controls

• Today: addressing shadow IT
• In EFT (early field trial): cloud anti-malware, providing cloud app data security
• In future: cloud DLP, providing cloud app data protection
CASB – API Access (cloud to cloud)
Protecting the enterprise's sanctioned apps

Protection against:
• Compromised accounts, anomalies, and insider threats
• Data exposures and leakages
• Compliance violations
• Overprivileged applications (via Applications Firewall)
• Misuse of corporate credentials with third-party apps via OAuth

(Diagram: sanctioned apps reached via their public APIs, alongside Cisco NGFW / Umbrella, covering managed and unmanaged users, devices and networks)
App Discovery & Blocking
Addressing shadow IT

• Integrated CASB technology from Cloudlock
• Solves the 3 biggest challenges related to shadow IT:
  • View SaaS app activity
  • Understand risk info for apps
  • Block unapproved apps
App Discovery & Blocking - Workflow
1. Identify apps in App Discovery
2. Select the "Edit app controls" link under the app
3. Splash screen appears
4. Apply application settings to the appropriate policy
Service Status Page
https://status.umbrella.com

Now includes
• Cloud Delivered Firewall
• Tunnel Head-End

Next: Summary
Summary
• Fastest and most reliable cloud infrastructure
• Broadest coverage of malicious destinations and files
• Most open platform for integration
• Easiest connect-to-cloud deployment
• Most predictive intelligence to stop threats earlier
Closing Comments

• We are building the most comprehensive SIG with the widest coverage, while keeping it simple to deploy and manage
• Come to see a demo of the topics seen in this session at "The Park" in WoS, or at the Innovation Forum (NDA customers)
• Speak with your Cisco Security representative, who can assist with starting a conversation with product experts and our Products team
• Start an Umbrella trial, protect a complete production network and see value within minutes: signup.umbrella.com
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer
• Related sessions
• 1:1 meetings
Thank you