There are several cases in which searching for a Cisco Umbrella roaming client in the "Filter by Identity" field of the Reporting section of the Umbrella dashboard will yield different results than one might expect. This article will help you understand under which scenarios you should see information from the identity for an Umbrella roaming client.
The Umbrella roaming client is also referred to as Roaming Computers in the dashboard reporting.
Normally, you would see an Umbrella roaming client's status for reporting be shown under the identity for that Umbrella roaming client. However, depending on where the Umbrella roaming client is in regard to the network and the way policy is set, the exceptions are as follows.
Virtual Appliances and Active Directory
If the Umbrella roaming client is connected to a network with Virtual Appliances (VAs), the Umbrella roaming client automatically disables itself, and you do not have the ability to search Reports for that Umbrella roaming client identity. You will be able to search by the Active Directory user, computer, or the Internal IP address of the computer.
You can tell if you're being protected by a VA by looking in the tray icon (Mac or Windows), or by checking the security status in the dashboard at Identities > Roaming Computers.
Disable Behind Protected Networks
If the Umbrella roaming client is being protected by a network (that has been added to your Umbrella dashboard) via the “Disable Behind Protected Networks” feature, the Umbrella roaming client essentially disables itself and does not show up as coming from the Umbrella roaming client in the dashboard. There is no way to filter granularly.
To enable or disable this feature:
- Navigate to Identities > Roaming Computers.
- Click the (Roaming client settings) icon.
- Check Disable DNS redirection while on an Umbrella Protected Network and click Save.
If the Umbrella roaming client is set NOT to disable via the “Disable Behind Protected Networks” feature but is behind an Umbrella network wherein the network's policy is higher in the Policy Hierarchy than the Umbrella roaming client, you will be able to search for the Umbrella roaming client; however, the Identity in the Reporting section will show as the network in question, but in reality it is showing you the Umbrella roaming client's reports. In this case, the identity which shows up in Reports reflects which policy was used to enforce the content filtering or security settings.
In this example, I'm searching for an Identity, but instead of showing the identity in the "Identity" field in reporting, it's showing the Network of the policy for which it matched.