
Cisco Umbrella


Cisco Umbrella is a cloud-based security platform that provides secure web gateway (SWG) and domain name system (DNS) filtering services to protect users and devices from online threats, malware, and malicious websites.



Deployment Type


There are basically two ways to use Cisco Umbrella. The first is the DHCP and DNS Server option, where every endpoint simply sets Umbrella’s Public OpenDNS IP as its DNS Server. This deployment requires our Public IP Address to be registered on the Umbrella Dashboard to work, and it doesn’t show the internal IP Address of each request made by the client.

The second type uses Umbrella’s Virtual Appliance, deployed on premises, to forward clients’ DNS Requests to Umbrella. This doesn’t require registering the Public IP Address, as Umbrella can already identify the traffic coming from the UVA (Umbrella’s Virtual Appliance). It also offers much more granular data, such as the Internal Private IP Addresses or even the Active Directory Users and Groups of each event.



First Type - Direct Connection to Umbrella Public OpenDNS

Open the Cisco Umbrella dashboard at dashboard.umbrella.com


On Deployments » Networks, add and input the Public IP Address



After that, just configure Umbrella’s OpenDNS as the DNS Server on the clients


Now any DNS query made by the client will be answered by Umbrella and also recorded here, but as we can see it’s pretty limited: all we can see is the Public IP Address and nothing more



Second Type - With Umbrella Virtual Appliance

With this type, we need to deploy a minimum of two virtual appliances for redundancy. On Deployments » Sites and Active Directory, select Download


Download the OVA and deploy it as usual



After it boots, press Ctrl+B to go into configuration


Give it an IP configuration

  • config va name : to change the hostname of the VA
  • config va interface : to give it an IP address and gateway
  • config localdns : to add the Local DNS so that all DNS queries for the local domain can be directed there. This is very important: if it is not configured, internal queries will not be resolvable


This is the result after the configuration is set


Repeat the process for the deployment of the second VA


Following the local DNS configuration on the CLI earlier, we also need to add the internal domain on Umbrella. This tells Umbrella to fall back to the Local DNS configured on the VA every time there’s an internal query.


Now both VAs should show up on Umbrella on Sites and Active Directory



Testing the Umbrella Virtual Appliance

Running nslookup for an internet domain and an internal domain against the VA’s IP Address shows that the DNS Server is able to resolve the requests
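The same check can be scripted so that both VAs are tested against an external and an internal name, which also catches a VA where config localdns was skipped. This is an added example, not part of the original post; the VA addresses and host names in it are placeholders to replace with your own.

```python
import secrets
import socket
import struct

def build_query(name, qid):
    """Encode a DNS A-record query (RFC 1035) with recursion desired."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_response(data, qid):
    """Return (rcode, answer_count); raise if the reply does not match our query."""
    if len(data) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("reply does not match query")
    return flags & 0x000F, ancount

def resolves(server, name, timeout=3.0):
    """True when `server` answers `name` with NOERROR and at least one record."""
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            rcode, ancount = parse_response(s.recv(512), qid)
        except (OSError, ValueError):  # timeout, unreachable, or bogus reply
            return False
    return rcode == 0 and ancount > 0

def check_vas(vas, names, probe=resolves):
    """Map each VA to the list of names it failed to resolve."""
    return {va: [n for n in names if not probe(va, n)] for va in vas}

if __name__ == "__main__":
    # Placeholder values (assumptions): your two VA addresses, one internet
    # name and one host in the internal domain added on Umbrella.
    VAS = ["192.0.2.11", "192.0.2.12"]
    NAMES = ["example.com", "dc01.corp.example"]
    for va, failed in check_vas(VAS, NAMES).items():
        print(va, "OK" if not failed else "FAILED: " + ", ".join(failed))
```

A VA that resolves the internet name but fails the internal one points at the Local DNS or internal domain settings rather than at connectivity to Umbrella.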



Now configure all the clients in the domain to use the VA as the DNS Server



After that, all the DNS queries made will be answered by Umbrella and also recorded. As seen here, even the Internal IP Address is shown in the report



Installing Active Directory Connector

To get more than just the Internal IP Addresses, we will install the AD Connector and import the AD’s Users and Groups.
On Deployments » Sites and Active Directory, select Download on both Active Directory Components



On the Domain Controller, create a new user with Domain Admin Privilege named OpenDNS_Connector



Then run the downloaded Windows Configuration Script


After that, run the Active Directory Connector



After a minute, both Domain Controller and AD Connector should show up on Umbrella



And on Users and Groups, the Users and Groups on Active Directory should also be imported



And now all the traffic should not only show the Internal IP Addresses, but also the Active Directory’s Attributes like Users, Groups, or Computers giving us a lot more detailed reports




Enabling Intelligent Proxy

Cisco Umbrella Intelligent Proxy provides secure web gateway (SWG) capabilities, including URL filtering, malware protection, and cloud-delivered firewall, to protect users and devices from internet threats.

To enable Intelligent Proxy, on Policies » All Policies, enable Intelligent Proxy on Advanced Settings

Also download and install the Root CA Certificate to make sure there’s no SSL warning on the client side


Now if the client tries to access an unsafe website, Umbrella will block it


And on Activity Search, we can see all the blocked traffic accessed by the client, showing the unsafe websites along with the blocked sites set by the policy, which in this case is Facebook


This post is licensed under CC BY 4.0 by the author.