This quick start guide is meant to help you get up and running with Umbrella DNS protection quickly and easily with a simple installation and policy setup.
There are many additional options and configurations that can be deployed depending on how in-depth you want to go during the free-trial period. You can learn more in the Cisco Umbrella DNS User Guide in our support documentation.
Before you start
Make sure you communicate to the appropriate people or teams that you will be making DNS changes and get permission to make these changes before you start.
Check that you are not already pointing to Umbrella DNS by going to welcome.umbrella.com. You will see a message that tells you if your device is or is not already using Umbrella DNS servers.
The basic steps
There are three core components of a simple deployment of Cisco Umbrella DNS:
1. Register a network by adding a Network identity
An identity is an entity that you enforce policy against and report on.
2. Point your DNS to Cisco Umbrella
You need to explicitly point your operating system or hardware firewall/router DNS settings to Umbrella’s name server IP addresses and turn off the automatic DNS servers provided by your ISP. Umbrella supports both IPv4 and IPv6 addresses.
3. Add a policy
Through policies, you are able to define how security and access controls are applied to identities, determining whether traffic is inspected and either blocked or allowed.
1. Register your network
To use Umbrella, you need to point the DNS settings in your operating system or hardware firewall/router to Umbrella’s IP addresses and turn off the automatic DNS servers provided by your ISP. Umbrella supports both IPv4 and IPv6 addresses. Several systems allow you to specify multiple DNS servers. We recommend that you only use the Cisco Umbrella servers.
The Umbrella IPv4 addresses are:
The Umbrella IPv6 addresses are:
Determine the IP address of your network
Go to http://www.whatismyip.com.
Your IP address and location are displayed. Both IPv4 and IPv6 IP addresses are displayed.
— or —
In Umbrella, navigate to Deployments > Core Identities > Networks.
You’ll find your IP address listed at the top of the page. If you don’t see your IP address, click the i(Information) icon.
Set up the Network Identity
Navigate to Deployments > Core Identities > Networks and click Add.
Give your Network identity a meaningful Network Name. Giving your identity a good network name will help you find it easily when you later add a policy against it through the Policy wizard.
Note: Dynamic IP addresses are only supported for IPv4. For more information on the different steps needed if you have a Dynamic IP address, see Networks with Dynamic IP Addresses.
Select an internet protocol: IPv4, IPv6, or Mixed IPv4 & IPv6.
Select a protocol based on the Umbrella IP address to which you have configured your router.
Add the network’s IP address and choose a subnet mask.
The network must be unique within Umbrella. If Umbrella displays the Network already exists error message, create a support case here.
Once the service validates your IP address, the network is listed at Deployments > Core Identities > Networks.
Initially, Umbrella lists your new network identity’s status as Inactive. Network status only changes to Active when DNS traffic is sent to Umbrella from the network.
The policy applied to your new identity depends on your policy configurations. If you have a policy configured that includes network identities, Umbrella applies that policy; otherwise; Umbrella applies the Default policy.
2. Point your DNS to Umbrella
Change the DNS Settings on Your Relevant Network Device
You need only do this on your edge DNS equipment, typically a DNS or DHCP server, or a router—this could be your DSL router or cable modem if that’s the only router in your network.
For instructions on how to configure computers (including laptops) or routers, see Point Your DNS to Cisco Umbrella.
Note: The client on which you test must have either retrieved a new set of DNS servers from the DNS/DHCP server or router, or have had its DNS settings changed manually for you to be able to verify successfully.
Test Your Network
Verify that your DNS connections are routed through Cisco Umbrella’s global network by navigating to the following page in your client’s browser: https://welcome.umbrella.com/. You should see the “Welcome to Umbrella” page below.
Note: You may need to restart your client’s network interface or your computer.
To test your security settings, navigate to http://examplemalwaredomain.com/.
3. Add and configure a Security Policy
Navigate to Policies > Management > All Policies and click Add.
When the All Policies page opens for the first time, it only lists the Default policy. You can add a new policy or edit the Default policy. If you edit the Default policy, the Summary page opens, from which you can edit the Policy.
Note: The Default policy applies to all identities. You cannot remove identities from the Default policy.
Select the identities you wish to apply this policy to and then click Next.
This can be any combination of identities available to you. Identity categories, such as AD Computers or Roaming Computers, can be clicked through to choose identities more selectively.
If you have created tags, you can also select these. While listed under identities, a tag is not an identity, but rather a grouping of roaming computer identities. For more information about tags, see Best Practices for Policy Creation.
Determine what you want this policy to do
Select the policy components you’d like to enable, then click Next.
Selecting an option here makes that component available for configuration in the Policy wizard’s later steps. However, selecting an option here does not necessarily activate that feature as some features require additional configuration.
Listed options correspond to policy features:
- Enforce Security at the DNS Layer—These are settings related directly to the blocking of domains based on whether they are malicious and provides a base level of security protection. Recommended.
- Inspect Files—Selectively inspect files in the cloud, not on-premise, so there is no need for additional hardware. The inspection is done with Cisco AMP and an antivirus. Unavailable, if the intelligent proxy is disabled. For more information, see Manage File Inspection.
- Limit Content Access—These settings filter types of content. Recommended.
- Control Applications—These settings block access to applications. Recommended.
- Apply Destination Lists—If you have particular domains you’d like to allow or block, add them to a destination list. There are two by default, blockor allow, and you can create more to organize groups of domains. The two defaults are the Global lists, meaning they apply to any
Note: A Global Destination List, whether Block or Allow, applies to all policies and all identities. It is ‘global’ across all your organization’s configurations. To define a specific list, create a new list and add domains only to that list, then apply that list to individual sets of identities.
Advanced Settings: Expand this section to configure the intelligent proxy and related features, SafeSearch, Allow-Only mode, and logging. Click for information about advanced settings.
The Policy Wizard
Next the Policy Wizard will open and you’ll see a progress meter with the number of steps remaining until you’ve fully configured the policy. Available steps correspond to your policy component selections.
Configure Security Settings
These settings determine which categories of security threat Umbrella blocks. For more information about security category, see Manage Security Settings.
When you first access Security Settings, default settings are applied. The blue shield icon indicates a selected and enabled security category.
You can leave the security settings as is, select different settings, or edit settings and create a new one if needed. When done click Next.
Content Category Settings
Content categories organize destinations—in this case, websites—into categories based on the type of information served by the website; for example, gambling, social networking, or alcohol. Select content categories to block identity access to destinations that serve up content of that type. When an identity attempts to access a destination that is blocked because of a DNS content setting, an Umbrella block page appears. For a list of all categories and a definition for each, see Content Categories.
Select a category level of High, Moderate, or Low. Low categories are included with Moderate and both Moderate and Low category presets are included in High.
As with security settings, you can add a new content setting and modify an existing one directly from within the wizard.
When done click Next.
Other Configuration Settings
Depending on your initial policy selections you may have other settings to configure. Learn more about them below:
Configure Block Pages
Block Page Settings let you configure a block page that appears when a request is made to access a blocked page. You can also create a bypass so that access can be granted to the block page. You can customize the block page’s appearance and redirect to a custom domain.
Note: Not all categories can be bypassed. If a user is blocked for a Security or Malware category, the site is considered malicious and should not be accessed under any circumstances.
If you do not wish to change anything, just use the Umbrella Default Appearance, and click Next.
The Policy Summary
Last, you’ll reach the Policy Summary. It covers all the modifications to the policy you just made. If you want to change anything, click the relevant Edit button and you’ll jump right back to that step, or you can disable the feature directly from the Summary screen. When you’ve made the change, you can jump back to the summary directly without having to click through all the other steps.
Give your policy a meaningful name. Click Save. Your policy is complete.
Get started with Reports
Now that you’ve pointed your DNS to Cisco Umbrella and set a policy, you can check your Cisco Umbrella reports to gain insights into your company’s internet and cloud application activities and see the risks Umbrella has blocked.
Depending on the amount of your network traffic, you may need to wait a few days to see results.
Learn how to use Umbrella’s built-in reports and get detailed information on reports and schedules.