This article details various best practices related to Cisco Umbrella.
- Umbrella Service Health and System Status
- Network registration
- Firewall and proxy configuration
- The rollout phase
- Install the CA root CA, for use with the Intelligent Proxy and block pages
- Virtual Appliances
- Active Directory Integration
- Roaming Clients
- Third Party Integrations
- Two factor authentication
- Contacting Support
- Bookmark http://188.8.131.52/ and https://184.108.40.206/#/ so you can check the Umbrella System Status pages even if local DNS is not available.
- Subscribe to the Cisco Umbrella Service Status page at https://220.127.116.11/#/ to receive notifications about Service Degradations, Service Outages, and/or Maintenance & Events.
- Follow the Service Updates subpages of https://support.umbrella.com/hc/en-us/categories/204185887-Service-Updates
- Service Notifications: https://support.umbrella.com/hc/en-us/sections/206593887-Service-Notifications
- Announcements: https://support.umbrella.com/hc/en-us/sections/206896108-Announcements
- Service Updates: https://support.umbrella.com/hc/en-us/categories/204185887-Service-Updates
- Periodically check the Cisco Umbrella Dashboard "Message Center" for product alerts and notifications.
All IP addresses and IP address CIDR ranges associated with your organization should be registered with Umbrella. For more information, please see https://docs.umbrella.com/product/umbrella/protect-your-network/
- Configure local firewalls to allow Umbrella IP address CIDR ranges.
- If using an HTTP proxy, make sure it is configured as per: https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy
- Where possible, roll out gradually and test before deploying en masse. To test new functionality, apply a policy to a subset of users and computers. If the test is successful, apply the policy to a greater number of users and computers.
- Use the Policy Tester to verify intended policy functionality for identities and individual domains.
- Verify functionality by visiting test pages with a browser. For details, see:
- Create one or more Scheduled Reports to help monitor your environment for security-related events. For details about this, see: https://docs.umbrella.com/product/umbrella/scheduled-reports-overview-and-setup
- Include the Root CA in your rollout, especially if using or planning to use the Intelligent Proxy features. It's also a good idea to install it anyway, as sites blocked when they are https:// (eg: https://facebook.com) will generate errors without it. https://docs.opendns.com/product/umbrella/cisco-certificate-import-information/
- If using virtual appliances, make sure the Internal Domains list is filled out in advance of deploying: https://docs.umbrella.com/product/umbrella/appx-d-internal-domains/
- If using virtual appliances on VMWare, use VMXNET3 adapters as per: https://support.umbrella.com/hc/en-us/articles/231266208
- If using virtual appliances, periodically check each VAs console via the VMWare or Hyper-V host. On the right hand side, all Services and Connectivity entries should show up as green.
- Configure internal DNS servers as detailed here: https://support.umbrella.com/hc/en-us/articles/230902428-Best-Practices-for-DNS-Settings-on-Internal-DNS-Servers-When-Deploying-Umbrella
- If using integrations such as Check Point, Cisco AMP Threat Grid, &etc, add any domains you wish to never have blocked to the Global Allow List (or to other domain lists as per your Umbrella policies):
- The home page for your organization e.g. mydomain.com
- Domains representing services you provide that might have both internal and external records. e.g. mail.myservicedomain.com, portal.myotherservicedomain.com
- Lesser-known cloud applications you depend on heavily that Umbrella may not be aware of or include in their automatic domain validation e.g. localcloudservice.com
- If integrated with Active Directory, add service accounts to the AD User Exceptions list: https://support.umbrella.com/hc/en-us/articles/231266088
- If using Roaming Clients, make sure the Internal Domains list is filled out as per: https://docs.umbrella.com/product/umbrella/appx-d-internal-domains/
- Check to make sure all your Roaming Clients are on the same version on the Umbrella Dashboard at "Identities -> Roaming Computers".
- If using Cisco AnyConnect, use the Umbrella Roaming Security Module rather than the standalone Roaming Client.
- If using a Roaming Client on an Airline wifi, see: https://support.umbrella.com/hc/en-us/articles/231647487-Roaming-Client-and-Airline-wifi-best-practices
Detailed logs are only kept for 30 days, then they are broken down into aggregated report data. If you wish to keep a copy of the more detailed data longer than 30 days, set up an Amazon S3 bucket to export your data to at "Settings -> Log Management".
MSP PSA Integration:
- If you are an MSP integrated with a PSA, verify that the "PSA INTEGRATION" icon shows up as green.
- Implement two-step authentication (also known as two factor authentication for Umbrella users as per https://docs.umbrella.com/deployment-umbrella/docs/enable-two-step-verification
- Implement two-step authentication for Umbrella MSP users, as per https://support.umbrella.com/hc/en-us/articles/230759147-Configuring-Two-step-Verification-for-MSP-Administrators
- After logging in to the Umbrella dashboard, submit a request to the Umbrella support team via the webform at: https://support.umbrella.com/hc/en-us/requests/new
- Customers who have purchased telephone support from Cisco Umbrella will see a telephone icon at the top right hand corner of the Umbrella dashboard screen. Clicking on the telephone icon will display the telephone number for Support.
- Provide complete details about any problems or questions you have.
- Particularly valuable is the output of the diagnostic tool: https://support.umbrella.com/hc/en-us/articles/234692027-Umbrella-Diagnostic-Tool