Articles in this section

See more

SWG Advanced Application Control

Avatar
kapeterodns
  • Updated
Follow

Overview 

App Discovery now includes Advanced App Controls for users with the Secure Web Gateway (SWG) enabled. Please see: Advanced Application Control for further details. Some functionality examples include:

  • Block file uploads to the cloud storage platforms such as Dropbox 
  • Block file uploads to media applications such as YouTube
  • Block Social Media posts to sites such as Facebook and Twitter
  • Block Webmail attachments in emails from being uploaded

The requirements for Advanced Application Control include:

  • Cisco Umbrella SIG Essentials subscription
  • SWG must be enabled
  • This is not available for DNS policies
  • This is not available for the Intelligent Proxy

 

Configuration

There are two ways to configure the Advanced Application Control: 

1) From the Policy settings: 

Select and expand required Policy > Click 'Application Settings' > Search for An Application (e.g Dropbox) > Click the Gear Icon to Enable Advanced App Controls. 

Screenshot_2020-03-08_at_22.14.41.png

2) From the App Discovery report: 

Navigate to Reporting > App Discovery > Select the required App > Select the Link 'Edit app Controls'

Advancedappcontrols.png 

Reporting 

Activity Search will show the “Application Block” along with the name of the app, e.g Box Uploads

 

Troubleshooting and Raising a Support Case 

If the Advanced Application control functionality is failing, please check the following:

  • The Application settings are configured in the required Web Policy. You can check the SWG policy by visiting: http://policy-debug.checkumbrella.com

  • HTTPS Inspection is enabled in the Web Policy. Advanced App Control will only work if HTTPS inspection is enabled.

  • The domain is not exempt from HTTPS inspection: Expand the Web policy > Select the 'Edit' link below 'HTTPS Inspection'.

  • The domain (e.g Dropbox.com) is not listed in the 'External Domains & IPs' lists (found under Configuration > Domain Management > External Domains & IPs). Any domains or IPs on this list will bypass the SWG and route to your local resolver. This list applies to PAC file and AnyConnect deployments.
  • SWG must be enabled for this feature to work, the Intelligent Proxy is not supported.

  • When an application is blocked, the Umbrella block page will not be displayed. Instead, an in-app error message will be displayed.

If you need to raise a support case, please email 'umbrella-support@cisco.com' with the following details:

  • The output of http://policy-debug.checkumbrella.com
  • The expected policy and identity (e.g. Network name, SAML user, etc)
  • The expected outcome and Application setting (e.g block uploads to Dropbox)

 

Related articles

Comments

1 comment

Sort by Date Votes
  • Avatar
    marko.tanaskovic

    please update the web link to Advanced Application control, it returns a 404 non existant error.

    0
    Comment actions Permalink

Please sign in to leave a comment.