Hey, we are back. This time I want to explore the part of the Umbrella deployment where we configure a device to communicate with Umbrella and forward all of its traffic there.
We will concentrate on the Network Devices section this time.
The main idea of this integration is that the devices become an Identity, which you can later use to apply policy under any of your settings inside Umbrella.
- Firewall Management Center –> Currently running software version: 7.3.0
- Umbrella Subscription
- Cisco Secure Firewall Management Center (FMC) running version 7.2 or above.
- FMC-managed Cisco Firepower Threat Defense (FTD) firewall running version 6.6 or above.
- FTD able to resolve and connect to api.opendns.com over port 443 for initial registration.
- FTD access over TCP and UDP on port 53 (DNS) to 220.127.116.11 and 18.104.22.168, the Cisco Umbrella public DNS resolvers.
- The Umbrella Digicert CA (registration server certificate) installed on the FTD devices. The certificate needs to be trusted for ‘SSL Server’ validation, which is a non-default option in FMC.
- FMC Base license with ‘export-control’ functionality allowed.
- The FMC needs to be able to resolve management.api.umbrella.com for policy configuration.
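Before clicking Test in FMC, it helps to confirm the network prerequisites above from a host on the same egress path as the FTD. The script below is an added example and not part of the original post or any Cisco tooling: it builds a raw DNS A query for api.opendns.com, sends it to each Umbrella resolver over UDP/53 and TCP/53, checks the reply's RCODE, and finally tests a TCP handshake to api.opendns.com:443. The resolver IPs and hostnames are copied from the prerequisite list; the transaction ID and timeouts are my own choices.

```python
import socket
import struct
# Resolver IPs and host copied from the prerequisite list; TXN_ID is an arbitrary choice.
UMBRELLA_RESOLVERS = ["220.127.116.11", "18.104.22.168"]
REG_HOST = "api.opendns.com"  # FTD registration target, TCP/443
TXN_ID = 0x1234

def build_dns_query(name):
    """Minimal RFC 1035 A query for `name`, recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", TXN_ID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def response_rcode(data):
    """RCODE (0 NOERROR, 3 NXDOMAIN, 5 REFUSED) of a reply to our query, else None."""
    if len(data) < 12:
        return None
    rid, flags = struct.unpack("!HH", data[:4])
    # A genuine reply carries our transaction ID and has the QR bit set.
    return flags & 0x000F if rid == TXN_ID and flags & 0x8000 else None

def probe_resolver(ip, proto="udp", timeout=3):
    """Send one A query for REG_HOST to an Umbrella resolver on 53/udp or 53/tcp."""
    query = build_dns_query(REG_HOST)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (ip, 53))
                data = s.recvfrom(512)[0]
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((ip, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                data = s.recv(514)[2:]
    except OSError:  # timeout, refused, no route: the prerequisite is not met
        return False
    return response_rcode(data) == 0

def tcp_reachable(host, port=443, timeout=3):
    """True if `host` resolves and a TCP handshake to `port` completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for ip in UMBRELLA_RESOLVERS:
        for proto in ("udp", "tcp"):
            ok = probe_resolver(ip, proto)
            print(f"DNS {proto.upper()}/53 to {ip}: {'OK' if ok else 'FAIL'}")
    print(f"TCP/443 to {REG_HOST}: {'OK' if tcp_reachable(REG_HOST) else 'FAIL'}")
```

Running tcp_reachable("management.api.umbrella.com") from the FMC covers the last prerequisite, since a name that does not resolve also fails the connection.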
Things we will need from Umbrella
When you go to FMC –> Integration –> Other Integrations –> Cloud Services –> Cisco Umbrella Connection, you will notice a few required fields:
- Organization ID – You get this one from the URL when you open the Umbrella dashboard –> https://dashboard.umbrella.com/o/XXXXXXX/#/overview –> XXXXXXX will be your OrgID
- Network Device Key – Depending on your deployment, you may have to refresh the Key; copy the Key and the Secret. You will find these in the same place, under Legacy API Keys
- Network Device Secret – This one is generated once you refresh the Key
- Legacy Network Device Token – You get this one by going to Legacy Keys and looking for Legacy Network Devices
After you finish hunting for all those keys and values, you will be ready to click the Test button, and it should be successful.
Calling or defining Policies in FMC
This step may take a while, but your policies will make it to FMC, maybe after 5 minutes. How do we check this? In FMC, go to Policies –> DNS.
For this example I created a DNS Umbrella Policy, which I will use to call my policy in Umbrella. The next thing I will do is create a new DNS policy, this time in Umbrella; I expect to see it show up in FMC after a few minutes.
Here is the example:
Be aware of the errors and correct them. I got this one when I was ready to save: "Selected umbrella protection policy name contains space. Umbrella Protection Policy name cannot contains space. Create umbrella protection policy name without space in umbrella cloud and refresh."
How to add our DNS Policies to our Access Policy?
In this case you want to go to Policies –> Access Control.
Select your policy and click Security Intelligence (not very intuitive if you’re new here, but it will be there).
On the right, select your Umbrella policy.
At this point I decided it was time to deploy my changes. Now, if everything is working properly, I should be able to modify my Umbrella policies.
Next is to Deploy the Umbrella CA Certificate
This one is not very intuitive from the guides. Yes, the Umbrella docs mention it in the prerequisites, but no other guide shows you where and how to do it. The Umbrella docs tell you that you need the Umbrella Registration Certificate, which I found under the ASA Umbrella Connector Integration guide.
Go to Objects –> Object Management.
Under PKI, go to Cert Enrollment.
Add a new enrollment like in the next image. Make sure you select Manual for the Enrollment Type. The Umbrella certificate needs to be in .pem format: open it in a text editor and copy and paste it, again, like in the image. *** Make sure you use the certificate from this guide –> ASA Umbrella Connector Integration
Once this is done, go to Devices –> Certificates.
Click Add and configure it like this for each of your FTD appliances.
I recently had a quick issue that was driving me nuts: the FTD devices were not showing up in my Network Devices (Umbrella Dashboard). Here are some of the things that I did.
Went to my Platform Settings policy and made sure DNS was correctly configured and that I had Umbrella in my trusted DNS servers.
The next step was the Umbrella certificate. You need the Registration certificate, not the Root CA, which I did not know because the documentation did not point to this one. So I started looking at the ASA integration guide, and I found the PEM format of the Umbrella Registration Cert.
Then I moved to Devices –> Certificates and enrolled the 2 new certs.
Last but not least, I regenerated my API keys in Umbrella and got a good connection this time. I don't think I needed this specific piece, but at this point I needed to test everything.
About the Author:
Andres Sarmiento, CCIE # 53520
With over 18 years of professional experience, Andres is a specialist in Unified Communications and Collaboration technologies, Enterprise Networks, and Network Security. He has consulted for numerous companies in South Florida, including Financial Institutions, on behalf of Cisco Systems. Andres has played a key role in several high-profile implementations, utilizing Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT Service Provider infrastructures.