Overview
On March 31, 2021, a new feature called "Rule-Based Policy" will be made Generally Available to Umbrella Secure Internet Gateway (SIG) customers. Umbrella SIG customers will gradually be transitioned to Rule-Based Policy from their legacy web policies over the course of several weeks. Customers will receive a date and window for when these changes will be applied to their Umbrella organization and will be messaged through the customer’s Umbrella dashboard. This will not impact Umbrella DNS customers or any of the Umbrella DNS policy settings.
More information about this transition can be found here: Transitioning to Rule-Based Policies: What To Expect
This FAQ is meant to address quick questions from both new and experienced Umbrella users about the shift from legacy web policies to rulesets. For more in-depth documentation please see the updated Umbrella Admin Guide here.
Frequently Asked Questions
Q. What Is A Web Policy?
Not to be confused with legacy web policies. A web policy is the collection of all rulesets in an Umbrella organization.
Q. What Is A Ruleset?
A ruleset is a logical container for a set of rules and settings which apply to those rules within the ruleset.
Q. Why Rulesets?
A ruleset may represent a certain geography, a group of offices, specific users, etc. that must be managed differently than the rest of the organization.
Q. What Settings Can Be Configured In A Ruleset?
The following settings are available in rulesets and will apply only to the rules within the ruleset:
- Ruleset Name
- Ruleset Identities
- Block Page
- Tenant Controls
- File Analysis
- File Type Control
- HTTPS Inspection
- PAC File
- Ruleset Logging
- SAML
- Security Settings
For an explanation of the various ruleset settings, please see the online documentation here: Configure a Ruleset.
Q. What Are Rules?
A rule is a statement that defines what action to take when an identity and destination match.
Q. Why Rules?
Rules allow varying types of access control to be applied very specifically or very broadly. For example, a lower-priority rule may block access to a wide swath of web sites for all users on a network, while a higher-priority rule may allow a specific group of users on that same network to access web sites that would otherwise have been blocked. This can be accomplished within the same ruleset, without creating a new ruleset to accommodate the specific group of users.
Q. What Identities Are Supported?
Both rulesets and rules support the following identities:
- AD user
- AD group
- Roaming computer (i.e. AnyConnect endpoint)
- Internal network
- Tunnel
- Network
Q. What Destinations Are Supported?
Only rules use destinations, and support the following:
- Content categories
- Application settings
- Destination lists
Q. What Actions Are Supported?
Rules may be configured to use one of the following actions:
- Allow
- Block
- Warn
- Isolate
Q. What Settings Can Be Configured In A Rule?
The following settings can be configured for rules:
- Rule Name
- Action
- Identity
- Destination
- Time/Day Schedule
For more information on these settings, please see the online documentation here: Add Rules to a Ruleset.
Q. How Are Rulesets Evaluated?
Rulesets are evaluated in a top-down hierarchy against one or more available identities, where the ruleset with the highest priority is evaluated first. If none of the available identities match the ruleset, then the ruleset with the next highest priority is evaluated against the available identities, and so on. If no ruleset matches the available identities, then the default ruleset is used.
Q. How Are Rules Evaluated?
Like rulesets, rules are also evaluated in a top-down hierarchy. However, rules are evaluated against one or more available identities AND one or more given destinations. Simply put, a rule is selected when both an identity and a destination match. Once a rule has been selected, the action configured on the rule is applied (allow, block, warn, or isolate).
Q. Once A Ruleset Is Selected, Do Rules Apply To The Same Identity That Matched The Ruleset?
A rule can match the same identity that matched the ruleset, but not always. When Umbrella receives a web request, it gathers all the identities present before it evaluates the rulesets in a web policy. For example, when a user, JDoe, issues a web request from their office, Umbrella sees the public IP forwarding the request (the network identity), the user (JDoe), and all of the groups JDoe is a member of.
Once a ruleset is found to match any of the available identities, the rules within that ruleset are evaluated against the same set of available identities. Because rules have the additional requirement of matching on destination, the identity actually used by a rule may differ from the identity that matched the ruleset.
Using the example of JDoe above, consider the following:
- JDoe is working from Network B
The organization JDoe belongs to has configured the following web policy:
- Ruleset 1 is configured for Network A
- Ruleset 2 is configured for Network B
- Ruleset 3 is configured for Network C
Because JDoe is working from Network B, only Ruleset 2 will be applied to their web traffic. As the web policy is evaluated, Ruleset 1 will not match, and Ruleset 3 will not be evaluated because Ruleset 2 will win the selection process.
Now that Ruleset 2 is selected, consider the following:
- JDoe is a member of Marketing
Ruleset 2 is configured as such:
- Rule 1 is configured for identity ASmith, destination Domain B, with the action of Allow.
- Rule 2 is configured for identity Marketing, destination SomeSocialApp, with the action of Allow.
- Rule 3 is configured for identity Network B, destination Content Categories containing Domain B and SomeSocialApp, with the action of Block.
The following outcomes would be observed:
- JDoe attempting to access Domain B would have Rule 3 applied and be blocked from accessing Domain B.
- JDoe attempting to access SomeSocialApp would have Rule 2 applied and be allowed to access SomeSocialApp.
In the above outcomes, even though Ruleset 2 was selected due to matching the identity Network B, JDoe’s group membership allowed them to access an application that was otherwise blocked for Network B. Note that this was accomplished by ordering the priority of the rules from the most specific identity to the least specific identity (i.e. user > group > network).
Because Network B is less specific than Marketing (a group), if Rules 2 and 3 were reversed, JDoe would not be able to access SomeSocialApp: the Network B block rule would then have a higher priority than the Marketing allow rule, and the first match wins!
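As an added example (not Cisco's or Umbrella's code), a small Python model of the evaluation order the FAQ describes for rulesets and rules, using the JDoe scenario above as constructed input. The "user:"/"group:"/"network:" identity prefixes, the content category modelled as a set, and the result returned when no rule in the selected ruleset matches are assumptions of this model, not documented Umbrella behaviour.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    identity: str        # the one identity this rule is configured for
    destinations: set    # domains/apps covered; a content category is modelled as a set
    action: str          # allow | block | warn | isolate

@dataclass
class Ruleset:
    name: str
    identities: set      # a request matching ANY of these selects the ruleset
    rules: list          # priority order: first identity-AND-destination match wins

def select_ruleset(web_policy, identities, default):
    """Top-down: highest-priority ruleset with an identity match, else the default."""
    for rs in web_policy:
        if rs.identities & identities:
            return rs
    return default

def evaluate(web_policy, default, identities, destination):
    """Return (ruleset name, rule name, action) for one web request."""
    rs = select_ruleset(web_policy, identities, default)
    for rule in rs.rules:
        if rule.identity in identities and destination in rule.destinations:
            return rs.name, rule.name, rule.action
    return rs.name, None, None  # assumption: the FAQ does not define the no-match case

# Constructed identities Umbrella would gather for JDoe's request from Network B
JDOE = {"user:JDoe", "group:Marketing", "network:Network B"}
# Constructed content category containing both destinations used by Rule 3
SOCIAL = {"Domain B", "SomeSocialApp"}
RULESET_2 = Ruleset("Ruleset 2", {"network:Network B"}, [
    Rule("Rule 1", "user:ASmith", {"Domain B"}, "allow"),
    Rule("Rule 2", "group:Marketing", {"SomeSocialApp"}, "allow"),
    Rule("Rule 3", "network:Network B", SOCIAL, "block"),
])
WEB_POLICY = [
    Ruleset("Ruleset 1", {"network:Network A"}, []),
    RULESET_2,
    Ruleset("Ruleset 3", {"network:Network C"}, []),
]
DEFAULT = Ruleset("Default Ruleset", set(), [])

def reversed_policy():
    """The FAQ's counterexample: Rule 2 and Rule 3 swapped inside Ruleset 2."""
    r = RULESET_2.rules
    swapped = Ruleset(RULESET_2.name, RULESET_2.identities, [r[0], r[2], r[1]])
    return [WEB_POLICY[0], swapped, WEB_POLICY[2]]
```

Running evaluate() for JDoe against "Domain B" and "SomeSocialApp" reproduces the two outcomes listed above, and reversed_policy() shows the block rule winning once it sits above the Marketing allow rule.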
Q. How Do I Know Which Rule Was Used In A Transaction?
The Activity Search report now captures the ruleset and rule which was used in a transaction and can be found under Full Details for URL requests.
Note: the field is currently labeled “Policy/Rule” but will be changing to “Ruleset/Rule” as we transition all current Umbrella SIG customers from legacy web policies to rulesets.
Q. Where Can I Find Online Documentation For Rulesets?
The new Umbrella Admin Guide detailing rulesets can be found here: Manage Web Policies.