The OpenDNS Hardware Integrations Developer Hub


Integration for ISR 4K and ISR 1100 – Security Configuration Guide

Overview

The Cisco Umbrella integration enables a cloud-based security service by inspecting the Domain Name System (DNS) query that is sent to the enterprise DNS server through the Cisco 4000 Series or 1100 Series Integrated Services Routers (ISR). The security administrator configures policies on the Cisco Umbrella cloud to either allow or deny traffic towards the fully qualified domain name (FQDN). Cisco 4000 Series or 1100 Series ISR acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic and forwards the DNS queries to the Cisco Umbrella cloud. This feature is available on Cisco IOS XE Denali 16.3 and later releases.

NOTE: 16.6.1 was released to General Availability in late July 2017. The features described below have changed, and a major new improvement, internal mapping of IPs, has been included. There are significant differences in the command line interface, so if you are running 16.6.1 refer to:

NOTE: Support for the ISR 1100 Series was made available in February 2018. DNSCrypt on the ISR 1100 requires a minimum software version of 16.6.3, 16.7.2, or 16.8.1. The integration for the ISR 1100 is exactly the same as for the 4000 Series and should follow the steps given for the 4000 Series. As more information becomes available about the 1100 Series integration, detail regarding system requirements will be added here.

What is Cisco Umbrella?

Cloud-based Security Service – Cisco Umbrella

The Cisco Umbrella integration feature provides a cloud-based security service by inspecting the DNS query that is sent to an enterprise DNS server through Cisco 4000 and 1100 Series ISRs. When a host initiates the traffic and sends a DNS query, the Cisco 4000 and 1100 Series ISR intercepts and inspects the DNS query. If the DNS query is for a local domain, it forwards without changing the DNS packet to the DNS server in the enterprise network. If the DNS query is for an external domain, it adds an Extended DNS (EDNS) record to the query and sends it to the Cisco Umbrella cloud. An EDNS record includes the device identifier information. Based on this information, the Cisco Umbrella cloud service applies different policies to the DNS query. Cisco Umbrella allows or blocks the request and returns the appropriate IP address in the DNS response.

Prerequisites for Cisco Umbrella with the ISR4K

Before you configure the Cisco Umbrella integration feature on the Cisco 4000 Series ISR, ensure that you have the following:

  • The minimum ROMMON version to load the Cisco IOS Denali 16.2 image on a Cisco 4000 Series ISR is 16.2(1r).
  • The Cisco 4000 Series ISR runs the Cisco IOS XE Denali 16.3 software image or later.
  • You can upgrade from any ROMMON version to release 16.2(1r). For more information, see the Upgrading the Device Image to Cisco IOS XE Denali 16.3 section of this guide.
  • The Cisco 4000 Series ISR must have a security K9 license to enable Cisco Umbrella.
  • A valid Cisco Umbrella subscription license.
  • The Cisco 4000 Series ISR should be set as the default DNS server gateway. Ensure that DNS traffic goes through the Cisco 4000 Series ISR.

The following network requirements must be met:

  • For initial registration—The opendns_out interface (this may have a different name if you so choose) must be able to access api.opendns.com over port 443 in order to complete initial registration.
  • TCP & UDP on port 53 (DNS) to 208.67.220.220 & 208.67.222.222 (The Cisco Umbrella public DNS resolvers)
  • DNSCrypt—If there are any devices in front of the ISR that may block DNSCrypt for not looking like an actual DNS packet, the DNSCrypt feature may not work. For more information and an example of the problem, read this.

Security Blocking and Installing a Certificate on Endpoints

Based on the domain (FQDN) that is being queried, Cisco Umbrella determines if the IP addresses should be provided in the response. If the domain is deemed to be malicious or hosting malicious content or blocked by a customized security policy, the IP address of the Cisco Umbrella block page server is sent back in the DNS response instead of the IP address of the domain.

When the HTTP client on the host sends an HTTP request to the Cisco Umbrella cloud IP address, Umbrella provides the reason for blocking the content in the HTTP response; this is the "block page."

If the blocked domain is from an HTTPS request, the client's web browser displays a certificate error message. The error message is displayed because the Cisco Umbrella cloud may not have the certificate from the blocked server.

In order to resolve these issues, we highly recommend installing the Cisco Root Certificates on your clients. For more information including a description of the process, see Cisco Certificate Import Information.

Limitations and Restrictions for the Cisco Umbrella integration

  • If an application or host makes a direct IP layer connection without using DNS, policy enforcement will not be applied.
  • When the client is connected to a web proxy, the DNS query does not pass through the ISR. In this case, the connector will not be able to detect any DNS request and the connection to the web server will bypass any policy from Cisco Umbrella.
  • Using in conjunction with Cloud Web Security (CWS): When the Cisco Umbrella policy blocks a DNS query, the client is redirected to a Cisco Umbrella block page. HTTPS servers provide these block pages, and the IP address range of these block pages is defined by Cisco Umbrella. These web server addresses should be allow-listed in Cloud Web Security (CWS), so that CWS allows the client to get the block page from Cisco Umbrella's web servers.
  • User authentication and identity is not supported in this release.
  • Only queries for A and AAAA record types are redirected to the cloud. Other query types will bypass the connector. However, the TXT type DNS queries to debug.opendns.com are redirected.
  • IPv6 is not supported in this release for Umbrella block pages or policy enforcement.
  • A maximum of 64 local domains can be configured, and the allowed name length is 100 characters for each of these domains.

When you deploy the Cisco Umbrella integration feature

  • If you use the multiple EDNS options, the Cisco Umbrella policy may not get applied on the device. For the work-around, contact Cisco Technical Support to get the engineering special image which will resolve this issue.
  • If the WAN interface is down for more than 30 minutes, the device may reload with an exception. Disable DNSCrypt to stop this exception. If you do not want to disable DNSCrypt, contact Cisco Technical Support to get the engineering special image which will resolve this issue.

Encrypting the DNS Packet

The DNS packet sent from the Cisco ISR to the Cisco Umbrella's server(s) must be encrypted if the EDNS information in the packet contains information such as user IDs, internal network IP addresses, and so on. When the DNS response is sent back from the DNS server, Cisco ISR decrypts the packet and forwards it back to the host.

You can encrypt DNS packets only when the DNSCrypt feature is enabled on the ISR. Based on the FQDN in the DNS query, the Cisco Umbrella service determines if the content provider IP addresses should be provided in the response. If the FQDN is malicious or blocked by the customized enterprise security policy, the Cisco Umbrella block web page server address is sent back in the DNS response. When the HTTP client on the host sends an HTTP request to the Cisco Umbrella cloud IP address, it provides the reason for blocking the content in the HTTP response.

If the blocked domain is from the HTTPS request, the client’s web browser displays a certificate error message. This error message is displayed because the Cisco Umbrella cloud may not have the certificate from the blocked server. The ISR will use the following Anycast recursive Cisco Umbrella servers:

  • 208.67.222.222
  • 208.67.220.220
  • 2620:119:53::53
  • 2620:119:35::35

Supported and Recommended Configurations for Reporting and Attribution

There are two ways to structure the way DNS traffic is handled with the ISR on the LAN, and both are supported configurations, but only one is recommended. The recommended approach is to use transparent DNS interception and route traffic appropriately with the ISR. This gives the ability to show the IP of the requesting endpoint in Umbrella's reporting, rather than the IP of the internal DNS server. In turn, this makes attribution of the endpoint making the DNS request much easier.

Recommended configuration

The preferred configuration is to have the endpoint's DNS server be the internal DNS server for the network, but use the ISR to route traffic to either the internal or external DNS resource, based on defined subnet.

If you would like to add user and group mappings, a Virtual Appliance (VA) is required to connect to Active Directory and gather information about the logged-in user. More information about Virtual Appliances can be found here, and this diagram outlines that workflow. The VA would sit behind the ISR and be the primary DNS server for all clients:

Supported but not recommended configuration

Upgrading the Device Image to Cisco IOS XE Denali 16.3

You need to upgrade to the Cisco IOS XE 3.16 version before you upgrade the router image to the Cisco IOS XE Denali 16.3 or later version.

Upgrading the ROMMON

After you upgrade to Cisco IOS XE 3.16 version, upgrade the ROMMON. To upgrade the ROMMON version, download the correct version here: https://software.cisco.com/download/navigator.html?mdfid=286281708

For additional guidance in this area, please consult the ISR4K documentation.

  1. Download the rommon image and upload it to flash using tftp, scp, or use a usb key.
  2. Use the upgrade rommonitor filename bootflash command to upgrade the ROMMON.
Device# upgrade rommonitor filename bootflash:rommon_isr_usd_rel_ios_package_SSA.bin16_2_1r R0
Chassis model ISR4321/K9 has a single rommonitor.
Upgrade rommonitor
Target copying rommonitor image file
selected : 0
Booted : 0
Reset Reason: 0
Info: Upgrading entire flash from the rommon package
4259840+0 records in
4259840+0 records out
262144+0 records in
262144+0 records out
655360+0 records in
655360+0 records out
4194304+0 records in
4194304+0 records out
File is a FIPS ROMMON image
FIPS1403 Load Test on has PASSED.
Authenticity of the image has been verified.
Switching to ROM 1
8192+0 records in
8192+0 records out
Upgrade image MD5 signature is b702a0a59a46a20a4924f9b17b8f0887
4259840+0 records in
4259840+0 records out
4194304+0 records in
4194304+0 records out
4194304+0 records in
4194304+0 records out
262144+0 records in
262144+0 records out
Upgrade image MD5 signature verification is b702a0a59a46a20a4924f9b17b8f0887
Switching back to ROM 0
ROMMON upgrade complete.
  3. To make the new ROMMON version the permanent version, you must restart the RP.
  4. After the upgrade is complete, reload the device. Issue the show platform command to verify that the ROMMON upgrade is successful; the firmware version should be 16.2(1r).

How to Configure Cisco Umbrella

This portion of the document outlines how to configure an ISR to register with the Umbrella dashboard as a Network Device and enforce policy based on Device ID as well as Tags.

The process of registration is fairly straightforward. In order to authenticate the ISR to the Cisco Umbrella dashboard, a token must be obtained from your Umbrella dashboard and installed on the ISR.

Then you simply log into the device's command interface and follow the steps below to configure your ISR. Once completed, the ISR will register as a device in your Umbrella dashboard and a policy can then be defined for the ISR or any additional tags.

Understanding Tags

A tag is essentially another network behind the ISR that can be registered on its own and given its own Device ID in the Umbrella dashboard. This can be a VLAN or a physical interface. Each tag uses the same API Token, so minimal extra configuration is needed to register a newly tagged interface. Tags are not unique, but the combination of Model + MAC Address + Tag is unique within an organization.

The screenshot below shows two Network Devices in the Umbrella dashboard. They look like two separate devices but they are the same ISR, just with different interfaces tagged for different VLANs. Tags can be used to auto­-assign policy; this is covered later in this guide.

Obtaining the API Token from the Umbrella Dashboard.

You will need to get your Network Device API Token from your Umbrella dashboard.

  1. Navigate to Identities > Network Devices, then click Get My API Token. The API token is a long alphanumeric string.
  2. Copy the API token to your clipboard or to a text file so that you can complete the next steps.

Configuring Cisco Umbrella on the ISR

To configure Cisco Umbrella on the ISR, perform these steps. First:

  • You should have the API token from the Cisco Umbrella dashboard (as described in the previous steps).
  • You should have the root certificate to establish the HTTPS connection with the Cisco Umbrella registration server. Import the DigiCert root certificate given below into the device using the crypto pki trustpool import terminal command. Steps to get the certificate are below.

Import CA Certificate to the trust pool

Communication for device registration to the Cisco Umbrella server is via HTTPS. This requires a root certificate to be installed on the router.

While in the Configure Terminal (conf t), run the following commands on your ISR. There are two choices, one of which is to simply import the cert directly from Cisco.

crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

The second option is to use the import terminal, then paste the Root Certificate and the word quit after it.

To download this certificate directly from a link instead of pasting it in, you can find the certificate here:
https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt

The contents of the certificate are also below and can also be copied from this document, although the download is less prone to error.

The commands are listed here first, then with the certificate, then a last step to finalize the upload:

crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.

-----BEGIN CERTIFICATE-----
[PEM body of the DigiCert SHA2 Secure Server CA certificate omitted here; download it from the link above]
-----END CERTIFICATE-----

% End with a blank line or "quit" on a line by itself.
quit
% PEM files import succeeded.

Verify that the PEM import is successful. You should receive a message after importing the certificate.

Next, while still in Configure Terminal on the ISR (conf t), add the API token to the ISR by running the following commands, substituting the <API TOKEN> variable with your token:

parameter-map type opendns global
token <API TOKEN>

This is the sample configuration:

enable
configure terminal
parameter-map type opendns global
 token AABBA59A0BDE1485C912AFE472952641001EEECC
 local-domain dns_bypass
 udp-timeout 25
 dnscrypt
 public-key <KEY>
 resolver ipv4 10.1.1.2
exit

The udp-timeout range is 1 to 30 seconds, and the public-key value must contain only hexadecimal digits. The additional commands shown in this configuration are discussed later in this documentation.

Registering the Cisco Umbrella Tag

To register the Cisco Umbrella tag:

  1. Configure the OpenDNS parameter map as shown in the previous section.
  2. Configure the OpenDNS Out on the WAN interface:
interface gigabitEthernet 0/0/0
 opendns out
  3. Configure the OpenDNS In on the LAN interface:
interface gigabitEthernet 0/0/1
 opendns in mydevice_tag

Note: The length of the hostname and OpenDNS tag should not exceed 49 characters.

  4. After you configure the OpenDNS In with a tag using the opendns in mydevice_tag command, the ISR will register the tag to the Cisco Umbrella portal.
  5. The ISR will initiate the registration process by resolving api.opendns.com. You need to have a name server (ip name-server x.x.x.x) and domain lookup (ip domain-lookup) configured on the Cisco ISR to successfully resolve the FQDN.

Note: Configure the OpenDNS Out command before you configure OpenDNS In command. Registration will be successful only when port 443 is in an open state and allows the traffic to pass through the existing firewall.

Configuring Internal Domains on Cisco ISR

You can identify the traffic to be bypassed using domain names. This can be useful for directing internal DNS traffic to your local DNS servers. In the Cisco ISR, you can define these domains in the form of a regular expression. If the DNS query that is intercepted by the ISR matches one of the configured regular expressions, then the query is sent to the specified DNS server without redirecting to the Cisco Umbrella cloud.

This sample configuration shows how to define a regex parameter-map with the desired domain name and regular expressions:

Device# configure terminal
Device(config)# parameter-map type regex dns_bypass
Device(config-profile)# pattern www.fisco.com
Device(config-profile)# pattern .*engineering.fisco.*
Device(config-profile)# exit

Attach the regex parameter-map to the OpenDNS global configuration as shown below:

Device(config)# parameter-map type opendns global
Device(config-profile)# local-domain dns_bypass
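To make the interception rules above concrete, here is an added Python model of the forwarding decision the guide describes (this is illustrative code written for this page, not Cisco's implementation): queries matching a local-domain regex are forwarded unchanged to the enterprise DNS server; only A and AAAA queries, plus the TXT query to debug.opendns.com, are redirected to Umbrella with an EDNS0 OPT record carrying the device identifier. The 64-pattern and 100-character limits are the ones stated above. The EDNS option code used for the device id is a placeholder from the RFC 6891 local-use range, because the page does not give Umbrella's real option code.

```python
import re
import struct

# Limits stated in the guide for the local-domain regex parameter-map.
MAX_LOCAL_DOMAINS = 64
MAX_LOCAL_DOMAIN_LEN = 100

# DNS query types and the one TXT name the guide says is also redirected.
QTYPE_A, QTYPE_TXT, QTYPE_AAAA = 1, 16, 28
DEBUG_NAME = "debug.opendns.com"

# EDNS0 OPT pseudo-record constants (RFC 6891). The option code is a PLACEHOLDER
# in the RFC's local-use range: the page does not state Umbrella's real code.
EDNS_OPT_TYPE = 41
DEVICE_ID_OPTION_CODE = 65001


def build_local_domain_map(patterns):
    """Compile a bypass list the way 'parameter-map type regex' would, enforcing the limits."""
    if len(patterns) > MAX_LOCAL_DOMAINS:
        raise ValueError(f"at most {MAX_LOCAL_DOMAINS} local domains are supported")
    compiled = []
    for pattern in patterns:
        if len(pattern) > MAX_LOCAL_DOMAIN_LEN:
            raise ValueError(f"pattern exceeds {MAX_LOCAL_DOMAIN_LEN} characters: {pattern!r}")
        compiled.append(re.compile(pattern, re.IGNORECASE))
    return compiled


def route_query(qname, qtype, local_domain_map):
    """Decide where an intercepted query goes: 'umbrella' (with EDNS device id)
    or 'enterprise-dns' (forwarded unchanged)."""
    name = qname.rstrip(".").lower()
    if any(rx.search(name) for rx in local_domain_map):
        return "enterprise-dns"          # local domain: never leaves the enterprise
    if qtype in (QTYPE_A, QTYPE_AAAA):
        return "umbrella"                # only A and AAAA are redirected ...
    if qtype == QTYPE_TXT and name == DEBUG_NAME:
        return "umbrella"                # ... plus the TXT debug query
    return "enterprise-dns"              # every other type bypasses the connector


def build_query(qname, qtype, txid=0x1234):
    """Encode a minimal standard query (RD set, one question) in wire format."""
    labels = b"".join(struct.pack("!B", len(label)) + label.encode()
                      for label in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(query):
    """Return (qname, qtype) from the first question of a wire-format query."""
    pos, labels = 12, []
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        labels.append(query[pos:pos + length].decode())
        pos += length
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    return ".".join(labels), qtype


def build_opt_record(device_id_hex, udp_payload_size=4096):
    """OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, one option holding the device id."""
    data = bytes.fromhex(device_id_hex)
    option = struct.pack("!HH", DEVICE_ID_OPTION_CODE, len(data)) + data
    return b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload_size, 0, len(option)) + option


def add_device_id(query, device_id_hex):
    """Append the OPT record to a query that has no OPT yet and bump ARCOUNT."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    arcount = struct.unpack("!H", query[10:12])[0]
    return query[:10] + struct.pack("!H", arcount + 1) + query[12:] + build_opt_record(device_id_hex)


def process(query, local_domain_map, device_id_hex):
    """Model the ISR's forwarding step: returns (destination, packet to send)."""
    qname, qtype = parse_question(query)
    if route_query(qname, qtype, local_domain_map) == "umbrella":
        return "umbrella", add_device_id(query, device_id_hex)
    return "enterprise-dns", query


if __name__ == "__main__":
    bypass = build_local_domain_map(["www.fisco.com", ".*engineering.fisco.*"])
    for name, qtype in [("www.fisco.com", QTYPE_A), ("www.example.com", QTYPE_A),
                        ("www.example.com", 15), ("debug.opendns.com", QTYPE_TXT)]:
        dest, pkt = process(build_query(name, qtype), bypass, "010AFE48555956EC")
        print(f"{name:22} type {qtype:3} -> {dest} ({len(pkt)} bytes)")
```

The point worth noticing in practice is the last branch of route_query: an MX, SRV or any other non-A/AAAA query for an external name never reaches Umbrella, which is the coverage gap the limitations list above describes.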

DNSCrypt, Resolver IP, and Public-key

When you configure the parameter-map type opendns global command, the following values are auto-populated:

  • DNSCrypt
  • Resolver IP
  • Public-Key

It is recommended that you only change the above parameters when performing certain tests in the lab. These parameters are reserved for future use. If you modify these parameters, it can affect the normal functioning of the device.

Resolver IP

The following commands will change the redirection of DNS packets from the ISR to the Cisco Umbrella cloud:

  • resolver ipv4 1.1.1.1
  • resolver ipv4 1.1.1.2
  • resolver ipv6 1234::1
  • resolver ipv6 2345::1

In this example, all IPv4 DNS packets are redirected to 1.1.1.1 or 1.1.1.2 and IPv6 DNS packets are redirected to 1234::1 or 2345::1. Remove the configured resolver addresses to restore the default values. When you modify a resolver IP address, the following message is displayed:

User configured would overwrite defaults
Defaults are restored when no more user configured are present

With the default values of 208.67.222.222 and 208.67.220.220, all the DNS packets are redirected to the Cisco Umbrella Anycast resolvers. Cisco ISR uses the first default resolver IP address for all its redirection. When the ISR does not receive a response for three consecutive DNS queries, the ISR automatically switches to a different resolver IP address. This behavior remains the same for IPv6 resolver addresses.
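The resolver selection and failover behaviour just described, as an added Python model written for this page (not Cisco's code): the first address in the list is used until three consecutive queries go unanswered within the udp-timeout, then the next address is used; a configured resolver overrides the defaults, and removing the last override restores them. Whether the ISR ever switches back to the first address is not stated above, so the model simply rotates.

```python
# Resolver order and failover threshold as described in the guide.
DEFAULT_RESOLVERS_V4 = ["208.67.222.222", "208.67.220.220"]
DEFAULT_RESOLVERS_V6 = ["2620:119:53::53", "2620:119:35::35"]
FAILOVER_THRESHOLD = 3


class ResolverSelector:
    """Tracks which Umbrella resolver the ISR is currently redirecting to.

    Assumptions (a model, not Cisco's implementation): the first address is used until
    three consecutive queries receive no response, then the next address is used;
    a 'resolver' override replaces the defaults and removing the last override restores them.
    """

    def __init__(self, defaults=DEFAULT_RESOLVERS_V4):
        self.defaults = list(defaults)
        self.user_configured = []
        self.index = 0
        self.misses = 0

    @property
    def resolvers(self):
        return self.user_configured or self.defaults

    @property
    def current(self):
        return self.resolvers[self.index]

    def configure(self, address):
        """'resolver ipv4 <address>': user-configured entries overwrite the defaults."""
        if address not in self.user_configured:
            self.user_configured.append(address)
        self.index, self.misses = 0, 0

    def remove(self, address):
        """'no resolver ipv4 <address>': the defaults return when no override is left."""
        self.user_configured.remove(address)
        self.index, self.misses = 0, 0

    def record_response(self):
        """Any response resets the consecutive-miss counter."""
        self.misses = 0

    def record_timeout(self):
        """Returns True when the miss counter reached the threshold and a failover happened."""
        self.misses += 1
        if self.misses < FAILOVER_THRESHOLD:
            return False
        self.index = (self.index + 1) % len(self.resolvers)
        self.misses = 0
        return True


def simulate(selector, answered):
    """Feed a sequence of per-query outcomes (True = response received, False = udp-timeout
    expired with no answer) and return the resolver each query was sent to."""
    used = []
    for ok in answered:
        used.append(selector.current)
        if ok:
            selector.record_response()
        else:
            selector.record_timeout()
    return used


if __name__ == "__main__":
    # Constructed outcome sequence: three timeouts, then two answers.
    print(simulate(ResolverSelector(), [False, False, False, True, True]))
```

Running the block prints three queries sent to 208.67.222.222 followed by two sent to 208.67.220.220, which is the sequence to expect on the wire when the primary Anycast resolver stops answering.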

Public-key

The public-key is used to download the DNSCrypt certificate from the Cisco Umbrella cloud. This value is preconfigured to B735:1140:206F:225d:3E2B:d822:D7FD:691e:A1C3:3cc8:D666:8d0c:BE04:bfab:CA43:FB79, which is the public-key of the Cisco Umbrella Anycast servers. If there is a change in the public-key and you modify this command, you must remove the modified command to restore the default value. If you modify the value, the DNSCrypt certificate download can fail.

DNSCrypt

DNSCrypt is an encryption protocol to authenticate communications between the Cisco ISR and Cisco Umbrella.

When the parameter-map type opendns is configured and opendns out is enabled on the WAN interface, DNSCrypt is triggered and a certificate downloaded, validated, and parsed. A shared secret key is then negotiated, which is used to encrypt the DNS queries. DNSCrypt downloads this certificate every hour and verifies it for upgrade. As well, a new shared secret key is negotiated to encrypt the DNS queries.

To disable DNSCrypt, use the no dnscrypt command and to re-enable DNSCrypt, use the dnscrypt command. When the DNSCrypt is used, the DNS request packets size will be more than 512 bytes.
Ensure that you allow these packets passage through intermediary devices; otherwise, the response may not reach the intended recipients.

Verifying the Cisco Umbrella Configuration

You can verify the Cisco Umbrella configuration using the following commands:

Router# show opendns config

Output example:

Open DNS Configuration ========================
   Token: AAAAAD288BA440D10E207350339F497A001CCBBB
   Local Domain Regex parameter-map name: NONE
   DNSCrypt: Not enabled
   Public-key: NONE
   Timeout: NONE
   Resolver address: NONE
Open DNS Interface Config:
       Number of interfaces with "opendns out" config: 1
         1. GigabitEthernet0/0/1
             Mode     :  OUT
       Number of interfaces with "opendns in" config: 1
         1. GigabitEthernet0/0/0
             Mode     : IN
             Tag      : test1
             Device-id: ...Pending...

Device# show opendns deviceid

Output example:

Device registration details 

Interface Name Tag Status     Device Id
GigabitEthernet0/0/0  test1 REQ QUEUED -
GigabitEthernet0/0/0.1 test498 200 SUCCES 010af8cde579a997
GigabitEthernet0/0/0.2 utah-win-intf 200 SUCCES 010a0a25d20088b8
GigabitEthernet0/0/0.3 utah-win-intf 200 SUCCES 010a0a25d20088b8
GigabitEthernet0/0/0.4 mydevice_tag REQ QUEUED  -

Device# show opendns dnscrypt

Output example:

DNSCrypt: Enabled
Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
Certificate Update Status:
     Last Successful Attempt : 10:55:40 UTC Apr 14 2016
     Last Failed Attempt     : 10:55:10 UTC Apr 14 2016
Certificate Details:
    Certificate Magic : DNSC
    Major Version     : 0x0001
    Minor Version     : 0x0000
    Server Public-key : ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
    Query Magic       : 0x717744506545635A
    Serial Number     : 1435874751
    Start Time        : 1435874751 (22:05:51 UTC Jul 2 2015)
    End Time          : 1467410751 (22:05:51 UTC Jul 1 2016)
    Client Public key : 106AE7C2373E5EA68FF90FDA116912D67AF16751F3EEABCB5D8CAAD565D8A44E

Deploying Cisco Umbrella Using Cisco Prime CLI Templates

You can use the Cisco Prime CLI templates to provision the Cisco Umbrella deployment. The Cisco Prime CLI templates make provisioning Cisco Umbrella deployment simple.
NOTE: The Cisco Prime CLI template is supported only on Cisco Prime version 3.1 or later.

To use the Cisco Prime CLI templates to provision the Cisco Umbrella deployment, perform these steps:

  1. Download the Cisco Prime templates corresponding to the Cisco Denali IOS XE version running on your system.
  2. Unzip the file, if it is a zipped version.
  3. From Cisco Prime Web UI, choose Configuration > Templates > Features and Technologies, then select CLI Templates (User Defined).
  4. Click Import.
  5. Select the folder where you want to import the templates to, click Select Templates, and choose the templates that you just downloaded to import. The following Cisco Umbrella templates are available:
    • OpenDNS: Use this template to provision OpenDNS connector on Cisco ISR.
    • Cleanup: Use this template to remove previously configured OpenDNS connector on Cisco ISR.

Testing for Successful Configuration

After the device has been registered, there are some basic and advanced tests that can be performed. These ensure the ISR has been correctly registered and that Cisco Umbrella can see traffic coming from the ISR as well as that you can see the ISR and traffic related to it in the Umbrella dashboard.

NOTE: You should use a client that has the IP address of the ISR as its DNS server. In a small "branch office" scenario or in a lab/test environment, this may already be the case; however, in a larger environment, this may not be the case. If necessary, change the DNS server for the client to the ISR in order to generate traffic for these tests.

You can troubleshoot issues that are related to enabling Cisco Umbrella feature using these commands:

  • debug opendns device-registration
  • debug opendns config
  • debug opendns dnscrypt

You can run this command from the client device:

  • Use the nslookup -type=txt debug.opendns.com 8.8.8.8 command from the command prompt of the Windows machine
  • Use the nslookup -type=txt debug.opendns.com 8.8.8.8 command from the terminal window or shell of the Linux or OS X machine.

The return from either test should include a device field in the output. Below is a sample output when the client machine is configured to use Google's public DNS server.

As you can see below, the Device ID is passed to Cisco Umbrella's DNS service in the query yet it still shows the server that was being queried as 8.8.8.8. This shows a perfectly executed DNS hijack by the ISR. If it is NOT intercepting traffic, the results will be much shorter than what’s displayed below.

user$ nslookup -type=txt debug.opendns.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:

debug.opendns.com text = "server 1.nyc" [This is the specific resolver the query ran against]
debug.opendns.com text = "device 010AFE48555956EC"
debug.opendns.com text = "flags 422 0 5040 19FD000780000000000"
debug.opendns.com text = "originid 44491141"
debug.opendns.com text = "orgid 300727"
debug.opendns.com text = "actype 0"
debug.opendns.com text = "bundle 399367"
debug.opendns.com text = "source 67.215.92.210::47726" [This is the egress IP that Cisco Umbrella saw the query come from]
debug.opendns.com text = "dnscrypt enabled (717473654A614970)"
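When this check is run across many branch clients, reading the TXT answer by eye does not scale. The following added Python example (written for this page; it is not an Umbrella or Cisco tool) parses nslookup output of the shape shown above and reports whether the query was intercepted, which device id and egress IP Umbrella saw, and whether DNSCrypt was in use. The first sample input reproduces the records above without the bracketed notes; the second is a constructed stand-in for the short answer you get when the ISR is not intercepting.

```python
import re

# Constructed sample: the nslookup output shown above, as a client behind the ISR would see it.
INTERCEPTED_OUTPUT = """\
Server:  8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
debug.opendns.com text = "server 1.nyc"
debug.opendns.com text = "device 010AFE48555956EC"
debug.opendns.com text = "flags 422 0 5040 19FD000780000000000"
debug.opendns.com text = "originid 44491141"
debug.opendns.com text = "orgid 300727"
debug.opendns.com text = "actype 0"
debug.opendns.com text = "bundle 399367"
debug.opendns.com text = "source 67.215.92.210::47726"
debug.opendns.com text = "dnscrypt enabled (717473654A614970)"
"""

# Constructed sample standing in for the much shorter answer when the ISR is NOT
# intercepting: no device, orgid or dnscrypt records come back at all.
NOT_INTERCEPTED_OUTPUT = """\
Server:  8.8.8.8
Address: 8.8.8.8#53
*** Can't find debug.opendns.com: No answer
"""

# One TXT record per line: the first word is the field name, the rest is its value.
TXT_RE = re.compile(r'debug\.opendns\.com\s+text\s*=\s*"([^"]*)"')


def parse_debug_txt(output):
    """Map each TXT record's first word to the rest of it, e.g. {"device": "010AFE48555956EC"}."""
    fields = {}
    for match in TXT_RE.finditer(output):
        key, _, value = match.group(1).partition(" ")
        fields[key] = value
    return fields


def check_interception(output, expected_device_id=None):
    """Summarise what the debug answer proves about the path the query took."""
    fields = parse_debug_txt(output)
    device = fields.get("device")
    egress = fields.get("source", "")
    result = {
        "intercepted": device is not None,                       # a device field only exists via the ISR
        "device_id": device,
        "dnscrypt": fields.get("dnscrypt", "").startswith("enabled"),
        "resolver": fields.get("server"),
        "egress_ip": egress.split("::")[0] if egress else None,  # "ip::port" -> ip
        "org_id": fields.get("orgid"),
    }
    if expected_device_id is not None:
        # Compare against the Device Id column of 'show opendns deviceid' (hex, case-insensitive).
        result["device_matches"] = (device or "").lower() == expected_device_id.lower()
    return result


if __name__ == "__main__":
    for label, sample in [("behind ISR", INTERCEPTED_OUTPUT), ("not intercepted", NOT_INTERCEPTED_OUTPUT)]:
        print(label, check_interception(sample, expected_device_id="010afe48555956ec"))
```

Feeding the real command output in (for example via subprocess) and comparing device_id with the value from show opendns deviceid turns the manual test above into a check that can be scripted per site.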

Checking the Block Page is available

To check that the block page will be returned as expected from a client using the ISR to pass DNS traffic through:

  • Linux or OS X—From the terminal window or shell:
    nslookup internetbadguys.com
  • Windows—From the command prompt:
    nslookup internetbadguys.com

In return, you will receive the IP address of the Cisco Umbrella block page:

Non-authoritative answer:
Name: internetbadguys.com
Address: 146.112.61.108

Logging into Umbrella for the first time with your registered device and tags

Authenticate to the Umbrella dashboard by going to http://dashboard.umbrella.com and logging into the dashboard with your account information.

Upon first logging in, you will see an Overview report of traffic from your organization. Traffic can take up to 90 minutes to first begin populating in the Dashboard, after which, the reporting should be real-time.

  1. Navigate to Reporting > Activity Search to see the real-­time traffic.

  2. Navigate to Identities > Network Devices to check whether the ISR has registered as a device in the Umbrella dashboard.

If successfully registered, the ISR appears here. Clicking the Device Name expands its entry. You can rename the device or delete it from the dashboard; click How to remove this device to access the Delete button.

Testing for successful configuration and checking traffic in Reports

Once your ISR is configured and appears as a Network Device in Umbrella, any traffic sent from an endpoint device (laptop, workstation, server or any other network­ connected device) behind the ISR will appear in the Umbrella Dashboard as Activity.

If Internet availability is not a problem, navigate to Reporting > Activity Search.
The traffic from the device to the ISR, then to Cisco Umbrella should appear here as Activity.

To test whether basic security filtering is already in place, go to http://internetbadguys.com in the browser of your test device.
The website should display a blocked message in the browser if everything is working correctly.

Alternately, running a dig or nslookup against that website from the command line will also generate traffic.

Return to the Umbrella dashboard, click Reporting > Security Activity and run the report. A block for “Phishing” should appear in the report.

Configuring a unique policy for the ISR as a Device Identity in Cisco Umbrella

Next, configure your policy with the policy wizard. Depending on your preference, you may wish to create a new policy or simply modify the Default policy to suit your needs.

These steps apply when creating your first policy, or when going back to edit an existing policy. By default, there's always a single policy: the Default policy. This policy applies to all identities when no other policy above it covers that identity. In other words, the Default policy is a catch-all to ensure all identities within your organization receive a baseline level of protection. You can also find out more about policies, here.

The screenshot below shows one policy created manually and ordered above the default policy, and how all devices and networks are applied

To start building and understanding your policies:

  1. Navigate to Policies > Policy List and click the + (Add) icon or expand the default policy. If you select the default policy, all Identities are selected so the second step can be skipped.
  2. Select the identities to which the policy will be applied. If you simply have a single ISR configured as a Device in your dashboard, select that single Identity and click Next. If you have more than one, you can select all the ISRs in a group.
  3. Select what you want this policy to do.

The four options shown correspond to policy features: security settings, IP layer enforcement, content category blocks and custom destination lists.

  • Enforce Security at the DNS Layer—These settings relate directly to the blocking of domains based on whether they are malicious and provide a base level of security protection. We recommend always selecting this.
  • Inspect Files—Selectively inspect files in the cloud, not on premises, so there is no need for additional hardware. The inspection is done with Cisco AMP and an antivirus. For more information, see Enable File Inspection.
  • Limit Content Access—These settings filter types of content based on your Organization's acceptable use policies, typically this is recommended.
  • Apply Destination Lists—If you have particular domains you'd like to allow or block, add them to a destination list. There are two by default, block or allow, and you can create more to organize groups of domains. The two defaults are the "Global" lists, meaning they apply to any policy. It's up to you whether you have anything in particular you'd like to block right away.

Underneath the options for what the policy should do, you'll find Advanced Settings.

These include the Intelligent Proxy, SSL Decryption, the "Allow-Only mode" (previously known as 'white list mode') and logging options.

Once you've picked what the policy should do, click Next.

  4. Configure security settings and click Next.
    These settings determine which security type threats are blocked. For more information on what each of these categories represents, see Understanding Security Categories.
  5. Configure content access settings and click Next.
    These settings filter types of content based on your Organization's acceptable use policies. These settings allow the selection of content categories to be blocked for the devices selected in the second step of the policy editor. To create a new set of content filtering rules, choose "Create New Setting" from the Custom Setting drop-down list.

Advanced Settings – SafeSearch

SafeSearch is a feature of the major search engines that restricts and filters explicit images and results. Umbrella provides the ability to enforce traffic to Google, YouTube and Bing on a per-policy basis. If anyone enters an inappropriate or suggestive phrase, no results will be returned that could be considered unsafe or problematic. For more information, see Enforcing SafeSearch.

  6. Apply destination lists and click Next.
    If you have particular domains you'd like to allow or block, add them to a destination list. There are two by default, block or allow, and you can create more to organize groups of destinations. Note that each destination list can be set to be a block list (default) or an allow list. We recommend adding domains in the format "domain.com" rather than www.domain.com to ensure *.domain.com is included. Allow list entries will always take precedence over block list entries.
  7. Set a block page and click Next.
    You can optionally create a unique block page for your users, as well as a way to bypass that block page. Default settings are selected by default and will display the Cisco Umbrella block page and the type of block if and when users reach blocked content.
  8. Give your policy a good meaningful name, review settings, and click Save.
    The name of a policy is not purely cosmetic; the next section of this document outlines how to 'auto-attach' a pre-existing policy for future ISRs.

"Auto-attach" a pre-existing policy for ISRs added in future

A helpful feature is to add a policy for an ISR in advance of that device being added to the Umbrella dashboard. This means that as soon as the device is registered, the policy applied to it will be whatever you’ve configured and there will be no need to manually add the device to an existing policy.

A normal use case is when you have a large number of ISR boxes. Each ISR would register a “guest” and a “corp” tag. We’d want all of those “guest” devices to go into the same “guest” policy.
When a Network Device registers with a tag, the API will check to see if there are any policies with that exact same name (aka Policy Description) as the tag. If such a policy exists, the newly registered Network Device will immediately be assigned this policy. The name must match the tag exactly (although it is not case sensitive). This process only occurs at the time of registration, so if a policy is created after registration, you will need to assign existing Network Devices to it manually.

Tags are not unique, but the combination of Model + MAC Address + Tag is unique within an organization.
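Two rules on this page are easy to get wrong when tags and lists are managed at scale: the auto-attach lookup just described (policy name equals tag, case-insensitively, Default otherwise) and the destination-list rules from the policy steps earlier (a bare "domain.com" entry covers every *.domain.com name, global lists apply to every policy, and an allow entry always beats a block entry). The following added Python model, written for this page rather than taken from Umbrella, puts both rules in one place; the policies, tags and domains it contains are constructed sample data.

```python
# Constructed sample dashboard state. Policy names are what the auto-attach lookup compares
# against the registration tag; destination lists hold bare domains as the guide recommends.
GLOBAL_LISTS = {
    "allow": {"fisco.com"},
    "block": {"internetbadguys.com"},
}

POLICIES = {
    "Default": {"allow": set(), "block": set()},
    "guest": {"allow": set(), "block": {"example-social.net"}},
    "corp": {"allow": {"hr.example-social.net"}, "block": {"example-social.net"}},
}


def select_policy_for_tag(tag, policies=POLICIES, default="Default"):
    """Auto-attach at registration time: a policy whose name equals the tag (case-insensitive)
    is assigned immediately; otherwise the device falls through to the Default policy."""
    for name in policies:
        if name.lower() == tag.lower():
            return name
    return default


def entry_covers(entry, qname):
    """A list entry 'domain.com' covers domain.com itself and every *.domain.com name,
    but not unrelated names that merely end in the same characters (notdomain.com)."""
    entry, qname = entry.lower().rstrip("."), qname.lower().rstrip(".")
    return qname == entry or qname.endswith("." + entry)


def evaluate_destination(policy_name, qname, policies=POLICIES, global_lists=GLOBAL_LISTS):
    """Return 'allow', 'block' or 'no-match'. Global lists apply to every policy, and an
    allow-list match always wins over a block-list match."""
    policy = policies[policy_name]
    allow = policy["allow"] | global_lists["allow"]
    block = policy["block"] | global_lists["block"]
    if any(entry_covers(e, qname) for e in allow):
        return "allow"
    if any(entry_covers(e, qname) for e in block):
        return "block"
    return "no-match"


def decision_for_registering_device(tag, qname):
    """End to end: which policy a newly registered tag receives and what it does with a query."""
    policy = select_policy_for_tag(tag)
    return policy, evaluate_destination(policy, qname)


if __name__ == "__main__":
    for tag, qname in [("GUEST", "www.example-social.net"), ("corp", "hr.example-social.net"),
                       ("mydevice_tag", "internetbadguys.com"), ("mydevice_tag", "www.example.org")]:
        print(tag, qname, "->", decision_for_registering_device(tag, qname))
```

The "no-match" result matters: a destination that matches no list is not allowed by the list step, it simply goes on to the security and content-category checks of the same policy.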

Adding additional ISRs, managing existing ISRs, or removing an ISR from the Umbrella Dashboard

If you wish to add additional ISRs, simply authenticate these devices with Cisco Umbrella as you've done with the devices that are already present in the dashboard.

The information about a device, such as Serial Number and Device Name can be set by the device itself, but it can be changed in the Umbrella Dashboard in case the Device Name is not helpful or is a duplicate. Where applicable, it's a good idea to include information about the physical location or network address of the device.

To manage the list of devices, use the Filter functionality or group the devices together.

To remove a device, you must remove the authentication (username/password or API token) from the device first or simply take the device offline if you're decommissioning it. Otherwise, even if it has been deleted from the dashboard, the device will reappear in the dashboard when it sends additional traffic.

Once authentication has been removed from the device, it can be deleted from the dashboard by clicking "How to remove this device", then clicking Delete.

