Skip to main content

 

 

Cisco Defense Orchestrator

Managing Umbrella with Cisco Defense Orchestrator

About Umbrella

Umbrella is Cisco's cloud-based Secure Internet Gateway (SIG) platform that provides you with multiple levels of defense against internet-based threats. Umbrella integrates secure web gateway, firewall, DNS-layer security, and cloud access security broker (CASB) functionality to protect your systems against threats. By utilizing SIG and DNS protection, the ASA devices are protected with both the local DNS inspection policy on your device and the Umbrella cloud-based DNS inspection policy. By providing several ways to inspect and detect incoming traffic, Umbrella makes the ASA device comparable to FTD next-generation firewall (NGFW).

At this time, CDO only supports ASA integration with an Umbrella organization. 

Build a Bridge to SASE

Secure Access Service Edge (SASE) is a forward-thinking framework in which networking and security functions converge into a single integrated service that works at the cloud edge to deliver protection and performance. This effort provides a way to consolidate services safely and securely, regardless of your location, and allows you to control and manage your network no matter the size of your organization. Reduced complexity and an agile take of management means your deployments are simple, scalable, and and secure.

What is an Umbrella Organization?

An Umbrella organization is a group of users with varying user roles that are associated with a single license key; a single user can have access to multiple Umbrella organizations. Every Umbrella organization is a separate instance of Umbrella and has its own dashboard. Organizations are identified by their name and their organization ID (Org ID). The Org ID is used to identify your organization for deploying components such as virtual appliances, and sometimes support may request your Org ID. 

Note: You must know your organization ID in order to onboard an Umbrella organization.

What is a SIG Tunnel?

A Secure Internet Gateway (SIG) tunnel is an instance of a SIG IPSec (Internet Protocol Security) tunnel that occurs between the ASA and Umbrella, where all internet-bound traffic is forwarded to Umbrella SIG for inspection and filtering. This solution provides centralized management for security so network administrators do not have to separately manage security settings for each branch.

When you onboard an Umbrella organization that has tunnels configured, these tunnels are listed in CDO's Site-to-site VPN page. To create a SASE tunnel for your Umbrella organization from the CDO UI, see Configure a SASE Tunnel for Umbrella

Note: If you onboard an Umbrella organization and its peer devices, the Site-to-site VPN page combines all the devices to the tunnel associated with that organization into a single entry. To manually refresh the Tunnels page and read in any changes made from the Umbrella dashboard, see Read Umbrella Tunnel Configuration.

How does CDO Manage Umbrella?

You must onboard the Umbrella organization as well as any ASA devices associated with the organization.

When an ASA device is associated with an Umbrella cloud, the connection requires a site-to-site VPN SIG tunnel to create a secure connection between the device and the cloud. CDO communicates with both the Umbrella organization and the ASA devices. This dual-communication method allows CDO to instantly detect changes in configuration or tunnel changes, and immediately alert you to an out-of-bound changes, errors, or unhealthy states for Umbrella, the ASA, and the tunnels. 

When you onboard an Umbrella organization to CDO, you onboard with the organization's API key and Secret, both of which are unique to the organization and the ASA devices associated with that organization. CDO communicates to the Umbrella cloud with the Umbrella API, using the API key and Secret used to onboard the organization to request and send information about the ASA devices. This level of communication does not compromise the SIG tunnel that exists between the ASA and the Umbrella cloud. 

Once an Umbrella organization is onboarded, the Devices & Services page displays any detected ASA devices associated with the org as "peers", and notes whether the devices are onboarded to CDO or not. If a peer device is not already onboarded, you have the option to onboard directly from that page by clicking Onboard Device. When an ASA device that is associated with an Umbrella organization is onboarded to CDO, the Devices & Services page displays the relationship and the VPN Tunnels page shows the tunnels between the device and the organization. If an ASA device that is associated with an organization is not onboarded to CDO, the tunnels associated with the device are displayed in the VPN Tunnels and you can opt to onboard the device directly from this page.

How do I access the Umbrella Cloud from CDO?

Once the Umbrella organization is successfully onboarded onto CDO, you can cross-launch to the organization's dashboard or to the Umbrella Tunnels page from the CDO UI. 

See Cross-launch from CDO to the Umbrella Cloud for more information. 

Prerequisites

Supported Hardware and Software

Umbrella organizations are cloud-based and thusly version-less. Note that when you onboard an Umbrella organization to CDO, you are only able to associate that organization with an ASA device.

For Umbrella integration, CDO supports ASA devices running 9.1.2 and later. For a list of ASA device models that CDO supports, see Software and Hardware Supported by CDO

Configuration Requirements

Umbrella Licensing

In order to successfully onboard an Umbrella organization to CDO, you must have one of the following license packages selected:

  • Umbrella SIG Essentials
  • SIG Advantage

Onboarding

To successfully manage an Umbrella account, you must onboard both the Umbrella organization and the ASA devices associated with it. Once you onboard an Umbrella organization, CDO reads any existing ASA tunnels associated with the organization and monitor the health status of these tunnels as well as any additional tunnels you create and associate with the organization. Before you onboard an Umbrella organization, review the general device requirements and onboarding prerequisites. See the prerequisites for more information.

If you happen to onboard an Umbrella organization before onboarding any ASA devices associated with it, you can view the ASA peer from the Site-to-site VPN page and onboard the device from the VPN page. 

Note: If you have an ASA pair configured for failover, you must only onboard the active device of the two peers. Onboarding both the active and the standby devices to CDO may generate duplicate tunnel information for SASE tunnels that are already configured in Umbrella.  

Monitoring Your Network

CDO provides reports summarizing the impact of your security policies and methods of viewing notable events triggered by those security policies. CDO also logs the changes you make to your devices and provides you with a way to label those changes so you can associate the work you commit in CDO with a help ticket or other operational request.

Change Log 

The change log continuously captures configuration changes as they are made in CDO. This single view includes changes across all supported devices and services. Because Umbrella is a cloud-based product, changes are immediately deployed.

 These are some of the features of the change log:

  • Side-by-side comparison of changes made to device configuration
  • Plain-English labels for all change log entries.
  • Records on-boarding and removal of devices.
  • Detection of policy change conflicts occurring outside of CDO.
  • Answers who, what, and when during an incident investigation or troubleshooting.
  • The full change log, or only a portion, can be downloaded as a CSV file.

Note that when you create, edit, or delete a SASE tunnel associated with an Umbrella organization, the request and configuration changes appear for the Umbrella organization and any ASA device associated with it. See Read Configuration Changes from an ASA to CDO and Change Log Entries after Reading Changes from an ASA for more information.