Customize Your Policy
If you followed the instructions in the previous steps to protect your network and point your DNS to Umbrella, then your network or device should now be protected. That was pretty simple, right?
This page is a general overview of the policy manager. We'll try to break down each component of policies into a step by step process.
Policies control the level of protection and logging, including which types of sites should be filtered. The policy wizard is the best way to start applying policies to the Identities you've created. The policy wizard is designed to be a step-by-step process helping you to answer the question "What do you want this policy to do?"
Getting Started with Policies
First, select the identities that you want to be protected by this policy:
The next step in the policy is simply answering the question "What should this policy do?"
There are several choices and depending on which ones you select, you'll take a different path to setting up the features and services of Umbrella that will give you the most benefit. As you go down the path to configuring the policy, we've made it easier than ever to edit settings within the wizard and not have to leave the setup flow.
Once you're done configuring settings, there's a review screen that lets you review what changes have been made and make changes before saving the policy.
By default, there's always a single policy—the default policy. This policy applies to all identities when no other policy above it covers that identity. In other words, the Umbrella default policy is a catch-all to ensure all identities within your organization receive a baseline level of protection. If you only wish to have one policy, you can simply edit the Summary for this policy rather than create a new policy.
NOTE: Policies apply to Identities on a first match basis and are not additive. The matching policy closest to the top of the order will apply. Policies are drag and drop to order! We also have a guide that outlines best practices around this. See Best Practices for Defining Policies.
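The first-match rule in the note above can be checked against a planned ordering before it is applied. The following is an added example, not Umbrella code: it models identities as a flat set of names, and the policy names, identities and the Default Policy's logging value are constructed for illustration.

```python
# Simplified model of first-match, non-additive policy selection.
# Assumption: identities are plain names; the real product also has
# identity categories, which are not modeled here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    identities: frozenset  # identities this policy was assigned to
    logging: str           # one of the logging options named on this page


# Catch-all that applies when no policy above it covers the identity.
DEFAULT = Policy("Default Policy", frozenset(), "Log All Requests")


def effective_policy(identity, ordered_policies):
    """Return the single policy that applies: the first match from the top."""
    for policy in ordered_policies:
        if identity in policy.identities:
            return policy
    return DEFAULT


def shadowed_assignments(ordered_policies):
    """Return (policy, identity, winning policy) for every assignment that
    never takes effect because a policy higher in the order matches first."""
    winner, shadowed = {}, []
    for policy in ordered_policies:
        for identity in sorted(policy.identities):
            if identity in winner:
                shadowed.append((policy.name, identity, winner[identity]))
            else:
                winner[identity] = policy.name
    return shadowed


# Constructed sample ordering, top of the policy list first.
POLICIES = [
    Policy("Roaming Laptops", frozenset({"laptop-01", "laptop-02"}),
           "Log Only Security Events"),
    Policy("Head Office", frozenset({"HQ Network", "laptop-02"}),
           "Log All Requests"),
]
```

Here `laptop-02` is assigned to both policies but only receives the settings of "Roaming Laptops"; its assignment to "Head Office" is reported as shadowed.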
Step 1: Create Your First New Policy
To start, go to Policies > Policy List, where you'll see the Default Policy. You can select this policy, or click the [+] icon to start creating a new policy. The first thing you'll be asked is what you want to protect.
Select any or all of the identities that you've set up. If you chose Default Policy, all identities will be selected and you'll be brought to the Summary Screen right away. This is because the default policy is already configured and being applied to any identities that have been created.
The first step in editing a policy is to select the identities to which the policy will be applied. This will determine to whom these settings will apply. This can be any combination of Identities available in your account. Categories (such as AD Computers or Roaming Computers) can be drilled down to more selectively choose Identities to apply to a policy. If you only have a single identity—the Network—select that identity.
NOTE: If you are editing the Default Policy from the Summary screen, the ability to edit Identities is restricted because the Default Policy applies to all Identities.
Select the identities you wish to apply this policy to and click Next.
Step 2: Pick What You Want This Policy To Do.
Next, you'll be asked what you want this policy to do. The options are listed below. If an option listed isn't available for you, contact your account representative for more information.
The four options shown correspond to policy features: security settings, IP layer enforcement, content category blocks and custom destination lists.
- Enforce Security at the DNS Layer—These settings relate directly to the blocking of domains based on whether they are malicious, and provide a base level of security protection. We recommend always selecting this.
- Enable IP Layer Enforcement—IP Layer Enforcement goes beyond simple domain-only security to blocking domains (only for roaming client identities)
- Limit Content Access—These settings filter types of content based on your Organization's acceptable use policies.
- Apply Destination Lists—If you have particular domains you'd like to allow or block, add them to a destination list. There are two by default, block or allow, and you can create more to organize groups of domains. The two defaults are the "Global" lists, meaning they apply to any policy.
NOTE: A Global Destination List, whether Block or Allow, applies to all policies and all identities, or in other words, it is 'Global' across your organization's configuration. To define a more specific list, please create a new list and add domains only to that, then apply that list to individual sets of identities.
Underneath the options for what the policy should do, there's Advanced Settings, which can be dropped down:
These include the Intelligent Proxy, SSL Decryption, the "Allow-Only mode" (previously known as 'white list mode') and logging options.
The Intelligent Proxy may also be activated on select packages, and this allows for URL-based malware filtering for domains with legitimate content where some pages may contain malicious files.
It's important to note that if you choose to not have the Intelligent Proxy enabled, some options for what the policy will do are not available as they're not possible without the proxy. We encourage anyone who's not using the Intelligent Proxy as a part of their policies to try it out.
For more information about the Intelligent Proxy, and exactly how it works, including key information about enabling HTTPS inspection, see Enable the Intelligent Proxy.
The "Allow-Only" mode should be used only in cases where you wish to allow access to a small subset of domains and block all other domains. Since the result of enabling this feature is to effectively block the internet except for that part you've defined to allow, please use caution if enabling this feature.
Logging settings are:
- "Log All Requests" for full logging, whether for content, security or otherwise
- "Log Only Security Events" for security logging only, which gives your users more privacy (this is a good setting for people with the roaming client installed on personal devices)
- "Don't Log Any Requests" to disable all logging. If you select this option, most reporting for identities with this policy will not be helpful as nothing is logged to report on.
Once you've picked what the policy should do, click Next. For the purposes of this document, we'll pick all of the options available under "What should this policy do?"
Depending on what you pick, once you click Next you'll see a progress meter with the number of steps remaining until you've fully configured the policy. You can use these to jump around if you need to make changes.
Step 3: Setting Your Settings Detail
These settings determine which security type threats are blocked. For more information on what each of these categories represents, read here: https://docs.umbrella.com/product/umbrella/understanding-the-security-categories/
By default anything with the shield icon and a checkmark is enabled:
To edit the settings, click Edit Settings. This allows you to enable or disable specific individual settings; the checkmark then becomes something you can enable or disable:
The default setting is already selected and if you'd like to add or select another setting just use the drop down (as shown below):
You can also directly edit whichever setting you select without having to jump to a window showing the Security settings section just by clicking Add New Setting. A window will appear allowing you to add a new setting directly:
If you have any custom integrations, these are listed at the bottom of the Security section. Only custom integrations enabled and configured under your account will appear here:
Once you've picked what you'd like, click Next.
These settings allow the selection of content categories to be blocked for the Identities selected in Step 1 of the Policy Editor. By default, no content categories are blocked, so adjust accordingly and give your setting an appropriate name. There are High, Moderate and Low settings, with the ability to create a Custom setting of content categories or select an existing Custom list.
To create a new one, select the Custom dropdown, click Create New Setting and define it right there in the wizard:
A list of all categories and details for each is here.
As with security settings, you can add a new content setting and modify an existing one directly from within the wizard.
Apply Destination Lists
Destination lists allow the customization of filtering by creating a list of domains that are explicitly blocked or allowed. Note that each destination list can be set to be a block list (default) or an allow list.
Allow list entries will always take precedence over block list entries. For example:
- Blocking domain.com and adding mail.domain.com to the allowed list will still allow mail.domain.com.
- Adding domain.com to the Allow List and blocking sub.domain.com will still allow sub.domain.com.
- Allowing a domain that has been blocked by either Security or Category settings will also trump those block lists.
We recommend adding domains in the format "domain.com" rather than www.domain.com to ensure *.domain.com is included (a wildcard is implicit). However, if you only wish to block subdomain.domain.com, then be more specific when you define the entry here.
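The precedence rules and the implicit wildcard described above can be used to audit destination lists for block entries that will never take effect. This is an added example, not Umbrella code: the matching function is a simplified model of the behavior this page describes, security and category blocks are modeled as a plain set of domains, and all list contents are constructed.

```python
# Simplified model of destination-list precedence as described on this page.

def covers(entry, domain):
    """An entry matches itself and, through the implicit wildcard, every
    subdomain beneath it ("domain.com" covers "*.domain.com")."""
    entry = entry.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return domain == entry or domain.endswith("." + entry)


def verdict(domain, allow, block, security_blocked=frozenset()):
    """Allow entries win over block lists and over security/category blocks."""
    if any(covers(e, domain) for e in allow):
        return "allowed"
    if any(covers(e, domain) for e in block):
        return "blocked (destination list)"
    if any(covers(e, domain) for e in security_blocked):
        return "blocked (security/category)"
    return "not blocked"


def ineffective_blocks(allow, block):
    """Return (block entry, allow entry) pairs where the allow entry covers
    the block entry, so the block can never fire."""
    return sorted((b, a) for b in block for a in allow if covers(a, b))


# Constructed lists mirroring the page's second example.
ALLOW = {"domain.com"}
BLOCK = {"sub.domain.com", "ads.example.org"}
```

Running `ineffective_blocks(ALLOW, BLOCK)` on lists exported from a policy shows which block entries are overridden by a broader allow entry, including one that would also override a security block.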
Creating a destination list is simple: first, pick the type of list you want, then add the domains you would like to have allowed or blocked and give the list a name.
A destination list is not saved until Save is clicked, although it appears in the list view after you enter it.
All of these Policy Settings can also be edited from the left-hand menu, under Policy Settings.
Block Page Settings outlines how to configure a unique block page for your users, as well as how to bypass that block page if need be. Each setting is broken down below.
- Block Page Settings—These settings let you customize the block page appearance, redirect to a custom domain, and more.
- Bypass Users—Users who can log in to bypass block pages on this policy. A Bypass User must be checked on a policy in order for it to be active.
- Bypass Codes—Codes that can be used to bypass block pages on this policy. A Bypass Code must be checked (as above) on a policy in order for it to be active.
Block Page Settings—This setting allows for the customization of the block page. Choose a generic message across all block pages, or customize the message per type of block page. The block can also redirect to a custom URL.
If not redirecting to a custom URL, a contact form can be added to allow blocked users to contact the administrator at the email provided.
If you do not wish to change anything, just use the Umbrella Default Appearance, but this setting also allows for the customization of the block page.
You can edit an existing block page by hovering over the name and picking the small 'edit' pen icon:
Pick the button for "Use a Custom Appearance", then select "Create new Appearance" from the dropdown:
When you create or edit a block page setting, first give it an easy-to-remember name, such as "Corporate Block Policy."
Choose a generic message across all block pages, or customize the message per type of block page by selecting whether Blocked requests should be treated the same or differently.
Finally, a custom logo can be uploaded to be displayed on the block page in place of the Umbrella logo.
A bypass user can log in (when added to the policy) to bypass the selected type of block pages. The option to bypass the block page is encountered when the block page is presented and the user can then authenticate in order to bypass it. For people without these credentials, the block remains in place.
Click Create New to create a new bypass user.
Note: The user must already exist on the Umbrella dashboard to be added as a Bypass User.
To add a user, navigate to Settings > Accounts.
If you wish, the bypass can be applied only to specific category filters or destination lists. Note that it is not possible for a bypass user to bypass a security block.
Again, it's essential that this bypass user be applied to the policy that matches the identity that will hit the block page.
Bypass codes can be created to allow blocked users to bypass the block page. The bypass code is available for a specified period of time.
When enabled (with the check mark) on the policy, the selected categories and/or domains can be bypassed. Be sure to set an expiration for the code; otherwise, by default, it will expire within an hour.
Again, it's essential that this code be applied to the policy that matches the identity that will hit the block page.
Once you've set your block page and bypass settings, click Next.
Step 4: Set Policy Details
Lastly, you'll reach the Policy Summary. It covers all of the modifications to the policy you just made. If you want to change anything, click the relevant Edit button and you'll jump right back to that step, or disable the feature directly from the Summary screen. When you've made the change, you can jump back to the summary directly without having to click through all the other steps (neat, right?).
You should give the policy a name before saving it. You can also modify any advanced settings directly from this screen. Once you've got everything the way you want it, just click Save.
And that's it—you've got your first policy all set up. As you set up additional identities and configurations for Umbrella, you may need to tweak your policy. When you open an existing policy, it will go directly to the Summary screen, and you can jump between steps to make the change you need immediately without having to redo the entire wizard.