browse
Overview
This article details various best practices related to Cisco Umbrella.
- Cisco Umbrella Service Health and System Status
- Network registration
- Firewall and proxy configuration
- The rollout phase
- Install the CA root CA, for use with the Intelligent Proxy and block pages
- Virtual Appliances
- Active Directory integration
- Roaming Clients
- Third Party integrations
- Logging
- Managed Services Console
- Two factor authentication
- Contacting Support
Cisco Umbrella Service Health and System Status
- Bookmark http://208.69.38.170/ and https://146.112.59.2/#/ so you can check the Umbrella System Status pages even if local DNS is not available.
- Subscribe to the Cisco Umbrella Service Status page at https://146.112.59.2/#/ to receive notifications about Service Degradations, Service Outages, and/or Maintenance & Events.
- Follow the Service Updates and Announcements pages of the Cisco Umbrella Knowledge Base.
- Periodically check the Cisco Umbrella Dashboard "Message Center" for product alerts and notifications.
Network Registration
All IP addresses and IP address CIDR ranges associated with your organization should be registered with Umbrella. For more information, please see the Umbrella documentation.
Local firewalls and proxies
- Configure local firewalls to allow Umbrella IP address CIDR ranges.
- If using an HTTP proxy, make sure it is configured.
The rollout phase
- Where possible, roll out gradually and test before deploying en masse. To test new functionality, apply a policy to a subset of users and computers. If the test is successful, apply the policy to more users and computers.
- Use the Policy Tester to verify intended policy functionality for identities and individual domains.
- Verify functionality by visiting test pages with a browser. For details, see: How To: Successfully test to ensure you're running Umbrella correctly.
- Create one or more Scheduled Reports to help monitor your environment for security-related events. For details about this, see the Umbrella documentation.
Intelligent Proxy / Block Page
- Include the Root CA in your rollout, especially if using or planning to use the Intelligent Proxy features. It's also a good idea to install it anyway, as sites blocked when they are https:// (eg: https://facebook.com) will generate errors without it.
Cisco Umbrella virtual appliances (VA's)
- If using virtual appliances (VA's), make sure the Internal Domains list is filled out in advance of deploying.
- If using virtual appliances on VMWare, use VMXNET3 adapters as per.
- If using virtual appliances, periodically check each VA's console via the VMWare or Hyper-V host. On the right side, all Services and Connectivity entries should display as green.
- Configure internal DNS servers as detailed here: What is the recommended configuration for internal DNS Servers when Deploying Umbrella?
Third Party Integrations
- If using integrations such as Check Point or Cisco AMP Threat Grid, add any domains you wish to never have blocked to the Global Allow List (or to other domain lists as per your Umbrella policies):
- The home page for your organization (mydomain.com).
- Domains representing services you provide that might have both internal and external records (mail.myservicedomain.com, portal.myotherservicedomain.com).
- Lesser-known cloud applications you depend on heavily that Cisco Umbrella may not be aware of or include in their automatic domain validation (localcloudservice.com)
Active Directory Integration
- If Cisco Umbrella is integrated with Active Directory, add service accounts to the AD User Exceptions list.
Roaming Clients
- If using Roaming Clients, make sure the Internal Domains list is filled out.
- Make sure that all your Roaming Clients are on the same version on the Cisco Umbrella Dashboard at Identities > Roaming Computers.
- If using Cisco Secure Client (formerly AnyConnect), use the Umbrella Roaming Security Module rather than the standalone Roaming Client.
- If using a Roaming Client on an Airline wifi, see Roaming Client and Airline/Hotel WiFi Best Practices.
Logging
Detailed logs are only kept for 30 days, then they are broken down into aggregated report data. If you wish to keep a copy of the more detailed data longer than 30 days, set up an Amazon S3 bucket to export your data to at Settings > Log Management.
Managed Services Console Best Practices
Managed Services Console MSP Professional Services Automation (PSA) Integration:
- If you are an MSP integrated with a PSA, verify that the "PSA INTEGRATION" icon displays as green.
Two factor authentication
- Implement two factor authentication for Cisco Umbrella users.
- Implement two-step authentication for Cisco Umbrella MSP administrators.
How to contact and work with the Cisco Umbrella Support team
- After logging in to the Umbrella dashboard, submit a request to the Umbrella support team via the webform at: https://support.umbrella.com/hc/en-us/requests/new
- Customers who have purchased telephone support from Cisco Umbrella will see a telephone icon at the top right corner of the Cisco Umbrella Dashboard. Clicking on the telephone icon will display the telephone number for Support.
- Provide complete details about your problems or questions.
- Use the output of the Umbrella Diagnostic Tool for your Support case.