Umbrella's cloud-delivered firewall provides firewall services without the need to deploy, maintain and upgrade physical or virtual appliances at each site. Umbrella’s cloud-delivered firewall (CDFW) provides visibility and control for internet traffic across all branch offices. However, there are a few known limitations with CDFW.
- IPSEC traffic over CDFW tunnel is not supported, but do support SSL/TLS tunnels over CDFW. SSL over IPSec is supported in CDFW, however, we forward that to SWG and it drops that. We’re planning to build a feature that allows admins to bypass SWG by Destination IP address.
- 250 Mbps throughput per tunnel.
- IP Fragmentation is not supported with CDFW.
- Using SWG PAC File with CDFW is not supported.
- Only TCP, UDP and ICMP are supported. Others are dropped.*
*traceroute in ICMP is not fully visible though our infrastructure.
- NAT does not support pin-holing or inbound (towards branch) ports. So Active FTP is not supported, only Passive FTP. There is no capability to statically open inbound ports either.
- Only 1 child SA is supported today
- Path MTU Discovery (PMTUD) is not supported in the CDFW Tunnel
- Pings maybe dropped if multiple devices are sending to the same destination.