SASE – Configuring Umbrella Security – Basic Setup – DNS Server Forwarding

Today I want to create a quick blog post that goes over setting up Umbrella in a few different ways. These will be long posts, so I will break this into a few different posts over the coming weeks.

If you are new to Cisco Umbrella, here is a quick explanation of what it is and how it works:

Cisco Umbrella offers flexible, cloud-delivered security. It combines multiple security functions into one solution, so you can extend data protection to devices, remote users, and distributed locations anywhere. Umbrella is the easiest way to effectively protect your users everywhere in minutes.

That was the quick definition, but what does it do?
Umbrella provides multiple services, features, and capabilities that help Security Teams protect users. There are a few more features that work very well for users that are remote.

  • DNS Security
  • Secure Web Gateway
  • Cloud-Delivered Firewall
  • Cloud Access Security Broker
  • Remote Browser Isolation

Enough with definitions; here is what we are going to do.

How to set up Umbrella (DNS Security)

In this example I will be going over only DNS protection, which may be very familiar to most readers out there. There are a few ways DNS traffic can be protected:

From your DNS Server (Usually a dedicated DNS Server or AD Servers already running DNS)

This one could be the easiest way to make sure you have DNS working for all devices in your company.

Locate your DNS Service Console

Usually, this one will be under Start Menu –> Administrative Tools –> DNS


Once you are there, Right-Click your Server name –> Select Properties –> Go to the Forwarders Tab

Here we click Edit –> enter the Umbrella Servers –> click OK

Here is how everything should look if it worked properly
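
The same forwarder change can be scripted with the DnsServer PowerShell module. This is an added example, not part of the original walkthrough; the two resolver addresses are the publicly documented Umbrella anycast resolvers and are an assumption here, since the post does not list them in text, so confirm them in your Umbrella dashboard.

```powershell
# Added example: run in an elevated PowerShell session on the Windows DNS server.
# Assumption: 208.67.222.222 and 208.67.220.220 are the Umbrella resolvers to use;
# confirm the addresses in your Umbrella dashboard before applying.
Import-Module DnsServer

$umbrella = @('208.67.222.222', '208.67.220.220')

# Record the current forwarders so the change can be rolled back.
$before = Get-DnsServerForwarder
Write-Host "Previous forwarders: $($before.IPAddress -join ', ')"

# Replace the forwarder list. -UseRootHint $false stops the server from quietly
# resolving through root hints (and so around Umbrella policy) when the
# forwarders are unreachable; the trade-off is that external lookups fail instead.
Set-DnsServerForwarder -IPAddress $umbrella -UseRootHint $false

# Verify what the server now holds, ignoring order.
$after    = Get-DnsServerForwarder
$afterIps = @($after.IPAddress | ForEach-Object { "$_" })
if (Compare-Object -ReferenceObject $umbrella -DifferenceObject $afterIps) {
    Write-Warning "Forwarder list is not exactly the Umbrella pair: $($afterIps -join ', ')"
}
if ($after.UseRootHint) {
    Write-Warning 'Root hints fallback is still enabled.'
}

# Confirm each forwarder answers from this server's network path.
foreach ($ip in $umbrella) {
    try {
        Resolve-DnsName -Name 'example.com' -Server $ip -DnsOnly -ErrorAction Stop | Out-Null
        Write-Host "Forwarder $ip answered."
    } catch {
        Write-Warning "Forwarder $ip did not answer: $($_.Exception.Message)"
    }
}

# Clear the server cache so answers cached before the change are not served.
Clear-DnsServerCache -Force
```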


Umbrella Configuration

We are going to do a few things in Umbrella, and we are going to start by defining our Network IP. This is the IP address or IP addresses that you use to go out to the internet.


If you have trouble finding it, a quick way is to go to

Here is how it should look after you enter your IP address:

At this point everything should work and information should be logged to the Umbrella Console. I believe that you will start seeing DNS requests after a few minutes, usually 5 to 15 minutes (not fun I know, but the information will be there)

Umbrella comes with a default policy for DNS Security, but you may want to tweak it and play with it. At this point your Network will play the role of the identity you can apply this policy to. The next step should be to take a look at these policies.

What is under the DNS Security Policy?

  • Security Settings: Protects against the following: Command and Control Callbacks, Malware, Phishing Attacks, Newly Seen Domains, Dynamic DNS, Potentially Harmful Domains, DNS Tunneling and Crypto Mining
  • Content Settings: This section allows you to block DNS requests based on Web categories. This feature is not a full Web Proxy (we will get to this one soon).
  • Application Settings: This one is similar to the previous one, but related to DNS queries based on Applications
  • Destination Lists: This one allows you to create Allow and Block lists. You can enter IP Addresses in CIDR format and Domain Names you want to either allow or block
  • File Analysis: This one helps inspect files; at this point we are looking at malicious files for dynamic or static analysis. (This one requires you to have the Intelligent Proxy turned on.)
  • Custom Block Page: You will set this one to let users know when they are blocked from a website or domain


The next piece will be your Advanced Settings. Every DNS Policy will have this section. This is where you will enable and configure Intelligent Proxy and SSL Inspection, which is used to inspect HTTPS traffic.

If you enable SSL Decryption, you will also need to install the Umbrella SSL certificate on the computers affected by this policy. You can also add your own SSL certificate to Umbrella (in case you want to use your own; this way there is no need to download Umbrella’s CA Certificate).

At this point, you should start seeing some traffic being reported. Go to Reporting –> Activity Search


Going back to what we have configured so far, the thinking behind this approach is that all your domain computers, and all devices that receive their settings over DHCP, should receive the DNS Server address or addresses and point to these servers. But we all know life is not perfect, and Networks aren’t either. Why did I say that? You will have some computers that are not part of the domain, or that receive DHCP from a router that just points their DNS to the Google DNS resolvers or the Level3 DNS resolver; in other cases, there may be a DNS server that is not configured to forward DNS queries to Umbrella. If this is the case, the endpoints receiving this information, or configured like this, will not be covered or protected by Umbrella.

Another downside of this approach is the fact that there will be only one identity in the logs of Umbrella. This solution is a good first step, but will not give you full visibility.
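
One way to find the endpoints that are not covered is to look for clients that send DNS straight to the internet instead of to your DNS servers. The script below is an added example, not from the original post; the key=value log format, the internal server addresses and the sample lines are all constructed assumptions, so adapt the parsing to your firewall's export.

```powershell
# Added example. Constructed sample lines in a hypothetical key=value firewall log format.
$logLines = @(
    'ts=2024-05-01T09:00:01Z src=10.0.10.5 dst=10.0.0.10 proto=udp dport=53 action=allow'
    'ts=2024-05-01T09:00:02Z src=10.0.0.10 dst=203.0.113.10 proto=udp dport=53 action=allow'
    'ts=2024-05-01T09:00:03Z src=10.0.20.7 dst=192.0.2.53 proto=udp dport=53 action=allow'
    'ts=2024-05-01T09:00:04Z src=10.0.20.7 dst=192.0.2.53 proto=udp dport=53 action=allow'
    'ts=2024-05-01T09:00:05Z src=10.0.30.9 dst=198.51.100.53 proto=tcp dport=53 action=allow'
    'ts=2024-05-01T09:00:06Z src=10.0.30.9 dst=198.51.100.80 proto=tcp dport=443 action=allow'
    'ts=2024-05-01T09:00:07Z src=10.0.40.2 dst=192.0.2.53 proto=udp dport=53 action=deny'
)

# Assumption: these are the internal DNS servers that forward to Umbrella.
$approvedResolvers = @('10.0.0.10', '10.0.0.11')

function Find-DnsBypass {
    param([string[]]$Lines, [string[]]$Approved)

    $hits = foreach ($line in $Lines) {
        # Split "key=value" pairs into a lookup table.
        $f = @{}
        foreach ($pair in ($line -split '\s+')) {
            $k, $v = $pair -split '=', 2
            if ($v) { $f[$k] = $v }
        }
        if ($f.dport -ne '53')    { continue }   # only plain DNS (UDP or TCP)
        if ($f.action -ne 'allow') { continue }   # blocked attempts never resolved
        # Clients querying the approved servers, and the servers' own
        # outbound forwarding, are the expected path.
        if ($f.src -in $Approved -or $f.dst -in $Approved) { continue }
        [pscustomobject]@{ Client = $f.src; Resolver = $f.dst }
    }

    # One row per client/resolver pair, busiest first.
    $hits | Group-Object Client, Resolver | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Group[0].Client
            Resolver = $_.Group[0].Resolver
            Queries  = $_.Count
        }
    } | Sort-Object Queries -Descending
}

Find-DnsBypass -Lines $logLines -Approved $approvedResolvers | Format-Table -AutoSize
```

With the sample lines above, 10.0.20.7 and 10.0.30.9 are reported; the denied attempt from 10.0.40.2 is not, because the firewall already stopped it.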

Other ways to configure Umbrella

  • Network *** This Post ***
  • Network device
  • Umbrella Roaming Client (macOS, Windows)
  • Cisco AnyConnect Umbrella Roaming Security Module (macOS, Windows)
  • Virtual Appliance

What to Look forward to?

I will continue going over the other ways of configuring DNS Security with Umbrella in upcoming posts.

About the Author:

Andres Sarmiento, CCIE # 53520
With over 18 years of professional experience, Andres is a specialist in Unified Communications and Collaboration technologies, Enterprise Networks, and Network Security. He has consulted for numerous companies in South Florida, including Financial Institutions, on behalf of Cisco Systems. Andres has played a key role in several high-profile implementations, utilizing Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT Service Provider infrastructures.

You can follow Andres using Twitter, LinkedIn, or Facebook.
