Last updated July 28, 2022
Starting August 1st, customers of Cisco Umbrella and OpenDNS in Russia and Belarus will see the following behavior changes. These behavior changes also apply to other regions for which Cisco Umbrella implements IP-based geo-blocking:
- DNS service for queries originating from IP addresses identified as coming from Russia, Belarus, Crimea, Luhansk, Donetsk and other sanctioned regions with geo-blocking will not have security or content filtering policies applied. Reporting will also be disabled. The DNS queries will still receive a valid response and will be treated with the same service level as traffic from the rest of the world.
- When used for DNS, the Umbrella roaming security module and AnyConnect Umbrella roaming module will continue to resolve DNS traffic.
- Roaming client sync and internal domains lists should continue to sync with the dashboard and provide the expected behavior (sending internal domains to the internal DNS server). This may change in the future.
SWG and SIG Customers:
- Umbrella secure web gateway servers will not accept traffic where the originating IP comes from Russia, Belarus, Crimea, Luhansk, Donetsk and other sanctioned regions with geo-blocking. The way this is implemented will cause connections coming from these regions to see Cisco Umbrella servers as being offline or unavailable. Traffic will not be accepted or processed.
- The default AnyConnect Umbrella module configuration will cause it to connect directly to the internet when Umbrella is unavailable. Some specific customer configurations may operate in a ‘fail closed’ mode, which would cause users to lose internet access.
- The external domains list will continue to sync, for now, to get updates from Umbrella. This may change in the future.
- The default Umbrella PAC file will cause it to connect directly to the internet when Umbrella is unavailable. Some specific customer configurations (e.g., those without a default route) may ‘fail closed’, causing users to lose internet access.
- IPsec tunnels will be disconnected either by IP blocking or revocation of IKE credentials. The behavior and user experience is dependent on the specific customer configuration. Some configurations may revert to direct internet connection, others may revert to MPLS, and others may cause users to lose internet access.
- Once IP-based geo-blocking is fully implemented for a country, Umbrella Dashboard and API access will also be blocked.
- Q: What if my users in the affected regions connect to a corporate VPN outside of the affected regions, which in turn connects to Umbrella?
A: Our geo-blocking is IP-based, based on the source IP address seen by the Umbrella service.
- Q: Why is Cisco doing this?
A: Please visit The War in Ukraine: Supporting our Customers, Partners and Communities for more information.
- Q: What if my users are getting blocked but they aren’t in one of the affected regions?
A: Please contact support, and we will be happy to investigate.
- Q: How accurate is your geo-blocking data?
A: We use industry leading geolocation services to determine the country for a given IP address.
- Q: What do I do if the location associated with my IP address is wrong?
A: We recommend submitting a correction request to the following services:
- https://www.maxmind.com/en/geoip-location-correction (primary service used for Umbrella)