The Umbrella Policy Tester can be used to determine whether a given destination will be blocked or allowed by Cisco Umbrella when visited by a given identity. However, there are a number of circumstances under which the Policy Tester will not currently return accurate (or any) information for a given destination. This article outlines these restrictions.
A general overview of the Policy Tester can be found at Umbrella Policy Tester.
Secure Web Gateway | Secure Internet Gateway | Umbrella (DNS Added Layer)
The following Policy Tester results may be incorrect:
- Destinations which are blocked by the Intelligent Proxy will be incorrectly reported as "Allowed" by the Policy Tester. This includes:
- Custom URL block lists
- Proxy-blocklist or greylist domains
- File inspection blocks
- Destinations of type "Application" (e.g. Dropbox, Box, Facebook, blocked by name) which are blocked will be incorrectly reported as "Allowed" by the Policy Tester.
- When a network identity is also assigned to a Web policy, the Policy Tester may show the wrong policy. The Policy Tester is not supported at this time for networks which are also part of Web policies.
- Tests which do not supply all relevant identity information may show incorrect results. For example, for a roaming computer with AD integration enabled that is on a protected network, the test will return the wrong result if only the AD user is supplied, because the roaming computer identity wins the policy decision.
- Destinations blocked by content categories will show as "Allowed" if they are entered with any uppercase letters. For example, if you are blocking the "Nudity" category, the domain playboy.com will show as blocked while Playboy.com will appear as allowed. Enter destinations in lowercase.
- "Dynamic DNS" destinations will be blocked if that security category is selected, but will be incorrectly reported as "Allowed" by the Policy Tester.
- Destinations allowed by application control may incorrectly show as blocked in the policy tester.
- Destinations that are blocked by the Umbrella Enforcement API for Custom Integrations will be incorrectly reported as "Allowed" by the Policy Tester.
- Destinations that are blocked by the Umbrella AMP Threat Grid Integration will be incorrectly reported as "Allowed" by the Policy Tester.
- Destinations that are blocked because of a CNAME record (i.e. the name the CNAME points to is blocked) will be incorrectly reported as "Allowed" by the Policy Tester.
- Destinations which are IP addresses are unsupported in the Policy Tester at this time.
- Destinations which are URLs are unsupported in the Policy Tester at this time.
- Destinations blocked because they resolve to a malicious IP address will be incorrectly reported as "Allowed" by the Policy Tester.
- "Potentially Harmful" destinations will be blocked if that security category is selected, but will be incorrectly reported as "Allowed" by the Policy Tester.
- Destinations for which automated DDoS protections are temporarily preventing DNS responses are not visible to the Policy Tester.
- Destinations blocked under the content category "German Youth Protection" will be incorrectly reported as "Allowed" by the Policy Tester, and this category is not mentioned in the Policy Tester results.
- Destinations blocked by the "Cryptocurrency" security category will be incorrectly reported as "Allowed" by the Policy Tester.
- Destinations blocked by the DNS Tunneling VPN categories will be incorrectly reported as "Allowed" by the Policy Tester.
- Chromebook devices behind a Virtual Appliance may show an incorrect policy. A block from either identity takes precedence: Chromebook (UCC) identity blocks override policies applied via the Virtual Appliance, and Virtual Appliance blocks override UCC allows.
- Members of AD groups that are not synced to Umbrella (including groups in a parent or child domain, and groups which are members of groups not selectively synced to Umbrella) will be shown as matching the displayed policy in the Policy Tester, but the user policy will not apply in the cloud. To confirm, add the single user to your policy and verify that it applies correctly within 5 minutes.
- Destinations on the Internal Domains list: the Policy Tester does not take the Internal Domains list into account when reporting a test result.
- Categories that do not appear at http://community.opendns.com/domaintagging/ may not show the correct category in the Policy Tester; only one source of categorization is represented.
- The Policy Tester is limited to showing 20 results when searching for an identity.
- When an AD user is a member of a nested AD group but only the parent AD group is selected as an identity in the DNS policy, the Policy Tester lookup will fail to match the correct policy.
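The following script is an added example and is not part of this article or of the Umbrella product. It applies three of the caveats above before a Policy Tester lookup (URLs and IP address destinations are unsupported, and names with uppercase letters are mis-reported) and then performs the check the Policy Tester cannot: it resolves the name from the identity itself and looks for an Umbrella block page address in the answer. The block page address range is an assumption taken from Cisco's published block page addresses (146.112.61.104 through 146.112.61.110) and should be verified against current Umbrella documentation; the script must be run on the identity under test (the roaming computer, or a host on the protected network) so that the lookup actually goes through Umbrella.

```python
"""Pre-checks for a Policy Tester lookup, plus a real resolution from the identity.

Added example, not Cisco code. Encodes three Policy Tester limitations
(URL and IP destinations unsupported; mixed-case names mis-reported) and
then resolves the name with this machine's resolver, which is only a valid
test when run on the identity in question.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# ASSUMPTION: Cisco's published Umbrella block page IPv4 addresses
# (146.112.61.104 - 146.112.61.110). Verify against current documentation.
BLOCK_PAGE_IPS = {"146.112.61.%d" % n for n in range(104, 111)}


def normalize_destination(dest):
    """Return (destination to test, list of Policy Tester caveats that apply)."""
    warnings = []
    dest = dest.strip()
    # URLs are unsupported in the Policy Tester: reduce a URL to its hostname.
    if "://" in dest or "/" in dest:
        host = urlsplit(dest if "://" in dest else "//" + dest).hostname or dest
        warnings.append("URL given; the Policy Tester only tests domains, using %s" % host)
        dest = host
    # DNS names are case-insensitive, but content-category results in the
    # Policy Tester are not: always test the lowercase form.
    if dest != dest.lower():
        warnings.append("uppercase letters; content-category blocks would show as Allowed")
        dest = dest.lower()
    # Bare IP addresses are unsupported in the Policy Tester.
    try:
        ipaddress.ip_address(dest)
        warnings.append("IP address destinations are unsupported in the Policy Tester")
    except ValueError:
        pass
    return dest, warnings


def classify_answer(addresses):
    """Classify resolved A records: a block page address means Umbrella blocked it."""
    if not addresses:
        # No answer at all; see the automated DDoS protection caveat above
        # before concluding anything about the policy.
        return "unresolved"
    if any(addr in BLOCK_PAGE_IPS for addr in addresses):
        return "blocked"
    return "allowed"


def resolve_from_identity(host):
    """Resolve with this machine's resolver (run this on the identity under test)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check(dest, resolver=resolve_from_identity):
    """Normalize the destination, resolve it, and return the combined verdict."""
    host, warnings = normalize_destination(dest)
    addresses = resolver(host)
    return {
        "destination": host,
        "warnings": warnings,
        "addresses": addresses,
        "verdict": classify_answer(addresses),
    }


if __name__ == "__main__":
    import sys

    for arg in sys.argv[1:]:
        result = check(arg)
        print("%s: %s %s" % (arg, result["verdict"], result["addresses"]))
        for note in result["warnings"]:
            print("  note: %s" % note)
```

Run it on the identity whose policy you are checking, for example `python3 umbrella_check.py Playboy.com`. A block page address in the answer confirms the block regardless of what the Policy Tester reports; an empty answer does not mean "allowed", and a non-block answer only shows that DNS-layer enforcement did not act, since Intelligent Proxy and file inspection blocks happen after resolution.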