Managing Umbrella with Cisco Security Cloud Control
Umbrella is Cisco's cloud-based Secure Internet Gateway (SIG) platform that provides multiple layers of defense against internet-based threats. Umbrella integrates secure web gateway, firewall, DNS-layer security, and cloud access security broker (CASB) functionality to protect your systems. With SIG and DNS protection, traffic from an ASA is inspected both by the local DNS inspection policy on the device and by Umbrella's cloud-based DNS inspection policy. By providing several ways to inspect and detect incoming traffic, Umbrella gives the ASA capabilities comparable to the FTD next-generation firewall (NGFW).
At this time, Security Cloud Control only supports ASA integration with an Umbrella organization.
Build a Bridge with SASE
Secure Access Service Edge (SASE) is a framework in which networking and security functions converge into a single integrated service delivered at the cloud edge for both protection and performance. Consolidating these services lets you control and manage your network from one place, regardless of where users are located or how large your organization is. Reduced complexity and agile management make deployments simple, scalable, and secure.
What is an Umbrella Organization?
An Umbrella organization is a group of users with varying user roles that are associated with a single license key; a single user can have access to multiple Umbrella organizations. Every Umbrella organization is a separate instance of Umbrella and has its own dashboard. Organizations are identified by their name and their organization ID (Org ID). The Org ID is used to identify your organization for deploying components such as virtual appliances, and sometimes support may request your Org ID.
What is a SIG Tunnel?
A Secure Internet Gateway (SIG) tunnel is an IPsec (Internet Protocol Security) tunnel between the ASA and Umbrella over which all internet-bound traffic is forwarded to Umbrella SIG for inspection and filtering. Because the security policy is applied centrally in Umbrella, network administrators do not have to manage security settings separately for each branch.
When you onboard an Umbrella organization that has tunnels configured, these tunnels are listed in Security Cloud Control's Site-to-site VPN page. To create a SASE tunnel for your Umbrella organization from the Security Cloud Control UI, see Configure a SASE Tunnel for Umbrella.
Note: If you onboard an Umbrella organization and its peer devices, the Site-to-site VPN page combines all the devices to the tunnel associated with that organization into a single entry. To manually refresh the Tunnels page and read in any changes made from the Umbrella dashboard, see Read Umbrella Tunnel Configuration.
How does Security Cloud Control Communicate with Umbrella?
You must onboard the Umbrella organization as well as any ASA devices associated with the organization.
When an ASA device is associated with an Umbrella organization, a site-to-site IPsec SIG tunnel secures the connection between the device and the cloud. Security Cloud Control communicates with both the Umbrella organization and the ASA devices. This dual communication lets Security Cloud Control detect configuration or tunnel changes immediately and alert you to out-of-band changes, errors, or unhealthy states on Umbrella, the ASA, and the tunnels.
When you onboard an Umbrella organization to Security Cloud Control, you do so with the organization's API key and secret, which are unique to that organization. Security Cloud Control uses them to authenticate to the Umbrella API, through which it requests and sends information about the ASA devices and their tunnels. This management-plane connection is separate from the SIG tunnel between the ASA and Umbrella; it neither carries nor alters the traffic inside that tunnel. Treat the API key and secret as credentials: anyone who holds them can read and change the organization's tunnel configuration through the Umbrella API.
Once an Umbrella organization is onboarded, the Inventory page lists any ASA devices detected as associated with the organization as peers and shows whether each one is onboarded to Security Cloud Control. If a peer device is not yet onboarded, you can onboard it from that page by clicking Onboard Device. Once an associated ASA device is onboarded, the Inventory page shows the relationship and the VPN Tunnels page shows the tunnels between the device and the organization. If an associated ASA device is not onboarded, its tunnels still appear on the VPN Tunnels page, and you can onboard the device from there as well.
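The exchange described above, done by hand as an added example (this is not Cisco's or Security Cloud Control's code): the organization's API key and secret are traded for a short-lived bearer token, and only the token is used to list the organization's SIG tunnels, which you can then compare against what the Site-to-site VPN page shows. The token and tunnel endpoint URLs and the JSON field names read by summarize_tunnels() are assumptions based on Umbrella's public API v2 and are not stated on this page; verify them against current Umbrella API documentation. The sample tunnel list is constructed.

```python
# Added example, not Cisco's code. Assumed endpoints and field names: see lead-in.
import base64
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api.umbrella.com/auth/v2/token"            # assumed endpoint
TUNNELS_URL = "https://api.umbrella.com/deployments/v2/tunnels"  # assumed endpoint


def basic_auth_header(api_key: str, api_secret: str) -> str:
    """HTTP Basic value for the OAuth2 client-credentials exchange.
    The key:secret pair is only ever sent to the token endpoint; every other
    call carries the short-lived bearer token instead."""
    raw = f"{api_key}:{api_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_token_response(body: dict, now: float) -> dict:
    """Keep the access token plus an absolute expiry so callers refresh on
    time instead of re-sending the key and secret on every request."""
    if body.get("token_type", "bearer").lower() != "bearer":
        raise ValueError(f"unexpected token_type {body.get('token_type')!r}")
    return {
        "access_token": body["access_token"],
        "expires_at": now + float(body.get("expires_in", 0)),
    }


def fetch_token(api_key: str, api_secret: str) -> dict:
    """POST grant_type=client_credentials with Basic auth (network call)."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=b"grant_type=client_credentials",
        headers={
            "Authorization": basic_auth_header(api_key, api_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_token_response(json.load(resp), now=time.time())


def list_tunnels(token: dict) -> list:
    """GET the tunnel list with the bearer token (network call)."""
    if time.time() >= token["expires_at"]:
        raise RuntimeError("token expired; call fetch_token() again")
    req = urllib.request.Request(
        TUNNELS_URL, headers={"Authorization": "Bearer " + token["access_token"]}
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def summarize_tunnels(tunnels: list) -> dict:
    """Group tunnel names by peer device type so the result can be checked
    against the Site-to-site VPN page. The field names are assumed."""
    summary: dict = {}
    for t in tunnels:
        device_type = t.get("client", {}).get("deviceType", "unknown")
        summary.setdefault(device_type, []).append(t.get("name", str(t.get("id"))))
    for names in summary.values():
        names.sort()
    return summary


# Constructed sample response, shaped like the assumed tunnel objects above.
SAMPLE_TUNNELS = [
    {"id": 101, "name": "branch-west-asa", "client": {"deviceType": "ASA"}},
    {"id": 102, "name": "branch-east-asa", "client": {"deviceType": "ASA"}},
    {"id": 103, "name": "lab-router", "client": {"deviceType": "ISR"}},
]

if __name__ == "__main__":
    # Credentials come from the environment, never from source code or logs.
    key, secret = os.environ["UMBRELLA_API_KEY"], os.environ["UMBRELLA_API_SECRET"]
    tok = fetch_token(key, secret)
    print(json.dumps(summarize_tunnels(list_tunnels(tok)), indent=2))
```

The design point is the one the paragraph makes: the key and secret authenticate a management-plane API session that exists independently of the IPsec data plane, so they should be stored and rotated like any other privileged credential, and never embedded in device configuration.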
How do I access the Umbrella Cloud from Security Cloud Control?
Once the Umbrella organization is successfully onboarded onto Security Cloud Control, you can cross-launch to the organization's dashboard or to the Umbrella Tunnels page from the Security Cloud Control UI.
See Cross-launch to the Umbrella dashboard and Cross-launch to the Umbrella Tunnels Page to access the Umbrella Cloud from the Security Cloud Control UI.
Prerequisites
Supported Hardware and Software
Umbrella organizations are cloud-based and therefore have no software version. Note that when you onboard an Umbrella organization to Security Cloud Control, only ASA devices can be associated with that organization.
For Umbrella integration, Security Cloud Control supports ASA devices running 9.1.2 and later. See Cloud Device Support Specifics for a list of ASA device models and software that Security Cloud Control supports.
Licensing Requirements
In order to successfully onboard an Umbrella organization to Security Cloud Control, you must have one of the following license packages selected:
- Umbrella SIG Essentials
- SIG Advantage
Onboarding
To manage an Umbrella organization, you must onboard both the organization and the ASA devices associated with it. Once you onboard an Umbrella organization, Security Cloud Control reads any existing ASA tunnels associated with the organization and monitors the health of those tunnels and of any additional tunnels you create and associate with the organization. Before you onboard an Umbrella organization, review the general device requirements and onboarding prerequisites.
If you onboard an Umbrella organization before onboarding the ASA devices associated with it, the ASA peers appear on the Site-to-site VPN page, and you can onboard each device from there.
Note: If you have an ASA pair configured for failover, onboard only the active unit of the pair. Onboarding both the active and the standby units to Security Cloud Control can generate duplicate tunnel information for SASE tunnels that are already configured in Umbrella.
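A pre-onboarding check for the failover note above, as an added example (not Cisco's code): it parses the output of the ASA command show failover and reports whether the unit it was run on is the active member, so that only the active unit of a pair is onboarded. The three outputs below are constructed samples, trimmed to the lines the parser reads; the "This host"/"Other host" line format is the standard one but is assumed here rather than taken from this page.

```python
# Added example, not Cisco's code. Sample outputs are constructed.
import re

FAILOVER_STATE_RE = re.compile(r"^\s*Failover\s+(On|Off)\s*$", re.MULTILINE)
HOST_RE = re.compile(
    r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$", re.MULTILINE
)


def parse_show_failover(output: str) -> dict:
    """Return {'failover_on': bool, 'this': (unit, state), 'other': (unit, state)}.
    Host entries missing from the output (for example when failover is off)
    come back as None."""
    m = FAILOVER_STATE_RE.search(output)
    if m is None:
        raise ValueError("no 'Failover On/Off' line found; is this show failover output?")
    result = {"failover_on": m.group(1) == "On", "this": None, "other": None}
    for who, unit, state in HOST_RE.findall(output):
        result["this" if who == "This" else "other"] = (unit, state)
    return result


def should_onboard(output: str) -> tuple:
    """Decide whether this unit should be onboarded and say why.
    Standalone units are fine; of a failover pair, only the active unit is."""
    info = parse_show_failover(output)
    if not info["failover_on"]:
        return True, "failover is off; standalone unit"
    if info["this"] is None:
        return False, "failover is on but no 'This host' line was found"
    unit, state = info["this"]
    if state.startswith("Active"):
        return True, f"{unit} unit is {state}; onboard this device only"
    other = info["other"]
    peer = f"{other[0]} ({other[1]})" if other else "the peer"
    return False, f"{unit} unit is {state}; onboard {peer} instead"


# Constructed samples of "show failover", trimmed to the relevant lines.
SAMPLE_ACTIVE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (up)
Last Failover at: 09:12:33 UTC Mar 3 2024
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

SAMPLE_STANDBY = """\
Failover On
Failover unit Secondary
Failover LAN Interface: folink GigabitEthernet0/2 (up)
Last Failover at: 09:12:33 UTC Mar 3 2024
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
        Other host: Primary - Active
                Active time: 86400 (sec)
"""

SAMPLE_STANDALONE = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
"""

if __name__ == "__main__":
    for label, text in [("active", SAMPLE_ACTIVE), ("standby", SAMPLE_STANDBY),
                        ("standalone", SAMPLE_STANDALONE)]:
        ok, reason = should_onboard(text)
        print(f"{label:<10} onboard={ok}  {reason}")
```

Run it against the real output of show failover on each unit before onboarding; a "False" verdict on the unit you were about to onboard is exactly the duplicate-tunnel situation the note warns about.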
Monitoring Your Network
Security Cloud Control provides reports summarizing the impact of your security policies and methods of viewing notable events triggered by those security policies. Security Cloud Control also logs the changes you make to your devices and provides you with a way to label those changes so you can associate the work you commit in Security Cloud Control with a help ticket or other operational request.
Change Log
The change log continuously captures configuration changes as they are made in Security Cloud Control. This single view includes changes across all supported devices and services. Because Umbrella is a cloud-based product, changes are immediately deployed.
These are some of the features of the change log:
- Side-by-side comparison of changes made to device configuration.
- Plain-English labels for all change log entries.
- Records onboarding and removal of devices.
- Detection of policy change conflicts occurring outside of Security Cloud Control.
- Answers who, what, and when during an incident investigation or troubleshooting.
- The full change log, or only a portion, can be downloaded as a CSV file.
Note: When you create, edit, or delete a SASE tunnel associated with an Umbrella organization, the request and the resulting configuration changes appear in the change log for both the Umbrella organization and any ASA device associated with it.