Umbrella Configuration on SD-WAN
The Umbrella Integration feature enables a cloud-based security service by inspecting the Domain Name System (DNS) queries that are sent to the DNS server through the device.
You can configure Umbrella policy with a configuration wizard. The wizard is a UI policy builder that consists of the following components:
- Configure Umbrella API Token
- Define Domain list
- Configure Umbrella DNS
- Apply Umbrella DNS Security Policy to a Template
- Monitor Umbrella Feature
Configure Umbrella API Token
1. In Cisco vManage NMS, select the Configuration ► Security tab ► Custom Options on the right side to configure the Umbrella API Token.
2. Enter the token number in the Umbrella Token field.
3. Click Save to configure the Umbrella API Token.
Defining Domain Lists
To define a domain list, use the vManage security configuration wizard:
1. In Cisco vManage NMS, select the Configuration ► Security tab ► Custom Options on the right side.
2. Click Lists in the Custom Options drop-down. A Define Lists wizard appears.
3. Click New Domain List to create a new domain list, or select the domain name and click the pencil icon on the right side to edit an existing list.
4. Enter the Domain List Name and Domain, and click Save to create the list.
Configure Umbrella DNS Policy
To configure Umbrella through DNS Security, use the vManage security configuration wizard:
1. In Cisco vManage NMS, select the Configuration ► Security tab in the left-side panel.
2. Click Add Security Policy. The Add Security Policy wizard appears.
3. The Add Security Policy configuration wizard opens, and various use-case scenarios display.
4. In Add Security Policy, select Direct Internet Access.
5. Click Proceed to add an Umbrella DNS Security policy in the wizard.
6. In the Add Security Policy wizard, select the DNS Security tab to create a new DNS Security policy.
7. Click the Add DNS Security Policy drop-down and select from the following options:
- Create New - A DNS Security - Policy Rule Configuration wizard appears. Continue with Step 8.
- Copy from Existing - A Copy from Existing DNS Security Policy wizard appears. Select a policy from the drop-down, enter a Policy Name, and copy the policy to a device.
8. If you are creating a new policy using Create New, a DNS Security - Policy Rule Configuration wizard appears.
9. Enter a policy name in the Policy Name field.
10. The Umbrella Registration Status displays the status of the API Token configuration.
11. Click Manage Umbrella Registration to add a token.
12. Select the Match All VPN option if you need to keep the same configuration for all the available VPNs, and continue with Step 13.
Or select Custom VPN Configuration if you need to add target VPNs to your policy. A Target VPNs wizard appears.
To add target VPNs, click Target VPNs in the Add DNS Security Policy wizard.
Click Save Changes to add the VPN.
13. Select the domain bypass from the Local Domain Bypass List drop-down.
14. Configure the DNS Server IP from the following options:
- Umbrella Default
- Custom DNS
15. Click the Advanced tab to enable or disable DNSCrypt. By default, DNSCrypt is enabled.
16. Click Save DNS Security Policy to configure the DNS Security policy. The Configuration ► Security screen is then displayed, and the DNS Policy list table includes the newly created DNS security policy.
Applying DNS Umbrella Policy to an IOS XE Router
1. In vManage NMS, select the Configuration ► Templates screen.
2. In the Device tab, from the Create Template drop-down, select From Feature Template.
3. From the Device Model drop-down, select one of the IOS XE devices.
4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
5. From the Security Policy drop-down, select the name of the Umbrella DNS Security Policy you configured in the above procedure.
6. Click Create to apply the Umbrella policy to a device.
Monitoring Umbrella Feature
You can monitor the registered VPNs, DNSCrypt status, and packet counts for the required timestamps on an Umbrella-configured router using the following steps.
To monitor the status of Umbrella DNS Configuration on an IOS XE device:
1. From the Monitor ► Network screen, select an IOS XE device.
2. In the left panel, under Security Monitoring, select the Umbrella DNS Re-direct tab. The Umbrella DNS Re-direct wizard displays, showing how many packets are redirected to the configured DNS server.
3. Click Local Domain Bypass to monitor the packet counts showing how many packets are bypassed to the DNS server.
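The following Python sketch is an added example, not Cisco code and not vManage's own schema. It models how the settings chosen in the DNS Security policy steps (target VPNs, Local Domain Bypass List) decide which queries land in the redirect and bypass counters described above, and includes a check for bypass entries that are too broad. It assumes that bypass entries are case-insensitive regular expressions matched against the whole query name and that VPNs outside the policy are left alone; all class names, function names and domain names are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DnsSecurityPolicy:
    """Constructed model of the wizard's settings; not vManage's own schema."""
    bypass_patterns: list                 # Local Domain Bypass List entries
    target_vpns: Optional[set] = None     # None models "Match All VPN"
    counters: dict = field(default_factory=lambda: {"redirect": 0, "bypass": 0, "untouched": 0})

    def __post_init__(self):
        # Assumption: each entry is a case-insensitive regex matched against the whole name.
        self._compiled = [re.compile(p, re.IGNORECASE) for p in self.bypass_patterns]

    def classify(self, vpn: int, qname: str) -> str:
        """Return the action for one DNS query and update the counters."""
        name = qname.rstrip(".")          # a query name may carry the trailing root dot
        if self.target_vpns is not None and vpn not in self.target_vpns:
            action = "untouched"          # assumption: VPNs outside the policy are left alone
        elif any(rx.fullmatch(name) for rx in self._compiled):
            action = "bypass"             # counted under Local Domain Bypass
        else:
            action = "redirect"           # counted under Umbrella DNS Re-direct
        self.counters[action] += 1
        return action

def overly_broad(patterns, probes=("example.com", "login.example.net")):
    """Return bypass entries that also match unrelated probe names."""
    return [p for p in patterns
            if all(re.fullmatch(p, n, re.IGNORECASE) for n in probes)]

def run_sample():
    """Classify constructed queries against a constructed policy."""
    policy = DnsSecurityPolicy(
        bypass_patterns=[r".*\.corp\.example", r"intranet\.example"],
        target_vpns={1, 10},              # Custom VPN Configuration
    )
    queries = [                           # (VPN, query name), all constructed
        (1, "wiki.corp.example."),
        (1, "INTRANET.example"),
        (1, "corp.example.other.test"),   # lookalike suffix, must not be bypassed
        (10, "www.example.org"),
        (99, "www.example.org"),
    ]
    return [policy.classify(v, q) for v, q in queries], policy.counters

if __name__ == "__main__":
    print(run_sample())
    print(overly_broad([r".*", r".*\.corp\.example"]))
```

Running `overly_broad` over a draft domain list before saving it catches entries such as `.*` that would send every query around Umbrella inspection.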