browse
Overview
The information in this document is meant to cover the configuration steps on how to deploy Application-Based PBR on the FTD when establishing a SIG IPsec VTI Tunnel to Umbrella, so we can exclude or include traffic on a VPN based on applications using PBR.
The configuration example found below focuses on how to exclude certain applications from the IPsec VPN while sending everything else over the VPN.
Full information about PBR on FMC can be found here.
Pre requisites:
-
- Access to Umbrella Dashboard.
- Admin access to the FMC running 7.1.0+ to deploy the configuration to the FTD version 7.1.0+. PBR based on apps is supported only on version 7.1.0 and higher.
- (Preferred) knowledge on FMC/FTD configuration, and Umbrella SIG.
- (Optional but highly recommended) Umbrella Root Certificate installed, this is used by SIG when the traffic is either proxied or blocked. For further details of the Root Certificate installation, click here.
Limitations:
-
-
You cannot have both application and destination address defined in an ACE.
- While defining the ACL for the policy match criteria, you can select multiple applications from a list of predefined applications to form an Access Control Entry (ACE).
Currently, you cannot add to or modify the predefined applications list. - For those applications not listed on the pre-defined applications list on the FMC or any unexpected behavior with an application, IPs should be used instead of applications in the PBR.
- For a list of full limitations please referrer to the PBR's documentation.
-
Application-Based PBR
-
Start by configuring the IPsec tunnel on the FMC as well as on the Umbrella Dashboard.
The instructions of how to perform this configuration can be found here.
- Trusted DNS server(s).
- Make sure the DNS server the end user's device behind the FTD is using, is listed as a trusted DNS server under "Devices -> Platform Settings -> DNS -> Trusted DNS Servers". If the devices are using a DNS server that is not listed as below, the DNS snooping will fail and therefore the PBB based on apps won't work. Optionally but not recommended for security reasons, you can toggle on the "Trust Any DNS server" so adding the DNS server(s) will not be required.
Note: If VAs are used as internal DNS resolvers, they must be added as "Trusted DNS Servers"
- Make sure the DNS server the end user's device behind the FTD is using, is listed as a trusted DNS server under "Devices -> Platform Settings -> DNS -> Trusted DNS Servers". If the devices are using a DNS server that is not listed as below, the DNS snooping will fail and therefore the PBB based on apps won't work. Optionally but not recommended for security reasons, you can toggle on the "Trust Any DNS server" so adding the DNS server(s) will not be required.
- Create an extended ACL that will be used by the FTD for the PBR process, in order to decide whether traffic is sent to Umbrella for SIG or if it's excluded from the IPsec and not sent to Umbrella at all.
Note: A deny ACE on the ACL means the traffic is excluded from SIG.
A permit ACE on the ACL means the traffic is sent over the IPsec and can apply a SIG policy (CDFW, SWG, etc).
In the following example we are excluding the applications "Office365", "Zoom" and "Cisco Webex" with a deny ACE. The rest of the traffic is being sent to Umbrella for further inspection.
Go to "Object -> Object Management -> Access List -> Extended".
Define the source network and ports as you normally would, and then add the applications to participate on the PBR.
Screenshot of full ACL. First ACE will "deny" for those applications mentioned above, and the second ACE is a permit any any to send the rest of the traffic over the IPsec. -
Create the PBR under "Devices -> Device Management -> Click on the FTD Device -> Routing -> Policy Based Routing".
Ingress Interface: that is the interface where the local traffic is coming from.
Matching ACL: extended ACL created on previous step, ACL "PBR_ACL_1".
Send To: IP Address
IPv4 Addresses: next-hop when the PBR finds a permit statement, so the traffic is routed to the IP you add here. In our case, this is the umbrella's IPsec IP. If your VTI VPN's IP is 10.1.1.1, then the Umbrella's IPsec IP would be anything inside that same network, 10.1.1.2 for example. -
Deploy the changes on the FMC.
Verification
- On the testing PC located behind the FTD, check:
- The traffic from the PC is actually being sent over the IPsec to Umbrella.
Go to: https://policy-debug.checkumbrella.com/ - Try going to any of the sites that are excluded on the PBR/ACL config and make sure the Umbrella's Root CA is not presented, meaning the connection is not being proxied:
- Try going to any other site that is not based on the applications excluded from the PBR and make sure Umbrella is indeed proxying the connection:
Note: In order to avoid issues with a warning page not being trusted, make sure the Umbrella Root CA Certificate is installed.
- The traffic from the PC is actually being sent over the IPsec to Umbrella.
- On the FTD's CLI you can run a few commands to confirm the configuration was properly pushed and working:
- show run route-map (checks the PBR config):
- show run interface gigabitEthernet 0/1 (checks the PBR is applied to the proper interface)
- show run access-list PBR_ACL_1, show object-group id FMC_NSG_17179869596 (confirms the domains added to the ACL for exclusion)
- packet-tracer input inside tcp 172.16.72.10 1234 fqdn office.com 443 detailed (verifies the outside interface is used as output and not the VTI one)
- show run route-map (checks the PBR config):
- On the Umbrella Dashboard, under activity search, we can see that web traffic going to office.com was never sent to umbrella, while traffic going to espn.com was sent.