End of Life for IP Layer Enforcement Feature of the Umbrella Roaming Clients.
Cisco Umbrella announces that IP Layer Enforcement will be end of life on July 31, 2022. IP Layer Enforcement is an optional feature for roaming clients made available with the Umbrella Intelligent Proxy for select Cisco Umbrella packages.
IP Layer Enforcement will no longer be included in Cisco Umbrella packages ordered by customers from and after August 31, 2021. For customers who previously ordered a package that contained the IP Layer Enforcement option, the feature will continue to work until July 31, 2022. Cloud-side services required to operate IP Layer Enforcement will be shut down on July 31, 2022.
Cisco Umbrella DNS Essentials and DNS Advantage packages provide a simple to deploy, easy to manage powerful DNS security solution. These DNS packages will continue to protect DNS subscribers against malicious servers for all connections - even to unknown, uncategorized domains that resolve to a malicious IP address - that begin with an Umbrella DNS request (through DNS layer enforcement).
Cisco Umbrella Secure Internet Gateway (SIG) packages include even more advanced security coverage across all traffic (DNS, IP, web, and more). SIG includes a Secure Web Gateway (“SWG”) to analyze all traffic on web ports (IP or domain destinations), and a Cloud Delivered Firewall (“CDFW”) that layers on a cloud-based firewall in addition to SWG. This enhances the portfolio of Cisco cloud security efficacies far beyond DNS with IP Layer Enforcement, and beyond the requirement of endpoint software to deliver more-than-DNS protection. We encourage anyone who requires more-than-DNS coverage to consider the Umbrella SIG package.
Protect your network stack with Cisco Umbrella and speak with your Cisco Umbrella account manager today to learn more about the Cisco Secure Internet Gateway solution.
AnyConnect Version Support
IP Layer Enforcement will be supported on AnyConnect through the end of life date on version 4. Version 5.x will not support IP Layer Enforcement. The Cisco Secure Client branded client will not contain IP Layer Enforcement support. Existing AnyConnect users must continue use of the AnyConnect 4.x client to make use of IP Layer Enforcement functionality through the end-of-life date.
Cisco Secure Endpoint (formerly AMP) provides on-device protection against direct to IP threats. This includes functionality called "DFC" which evaluates new connections for new processes. This functionality is slated to grow to further supplant Umbrella IPLE functionality. Contact your account manager to discuss adding Cisco Secure Endpoint to your ELA.
SIG provides coverage for all web traffic on SWG and all public Internet traffic with Cloud Firewall. Over 95% of IPLE blocks are web traffic that is covered by SWG! (web traffic over TCP 443 and 80). This functionality is provided by SWG and is not powered by IPLE.
View Your Organization's IPLE Added Value
To calculate the current IP Layer Enforcement blocks for your organization per million log lines, perform the following steps:
- Log into the Umbrella Dashboard and open the Activity Search report.
- Navigate to the "IP Layer Enforcement" log type (changing from "All")
- Export a CSV of 1,000,000 rows and download the exported report
- Filter out all lines that do not contain a category of "Malware" or "Botnet"
- Exclude "Unauthorized IP Tunnel Traffic". This category is traffic hitting the IPSec tunnel that is not an enforcement list. It is automatically dropped from our services.
- Note the traffic port. Ports 443 and 80 would have been fully covered by our SIG Essentials package.
- The total number of blocks is your organization's block count. Compare this to the total DNS requests in your "Total Requests" report to calculate a percentage of efficacy.