{"_id":"57fd182460205c19008485c7","__v":1,"project":"56a938852036420d002d23a0","user":"560b40145148ba0d009bd0b5","version":{"_id":"56a938852036420d002d23a3","__v":1,"project":"56a938852036420d002d23a0","createdAt":"2016-01-27T21:37:09.719Z","releaseDate":"2016-01-27T21:37:09.719Z","categories":["56a938862036420d002d23a4"],"is_deprecated":false,"is_hidden":false,"is_beta":false,"is_stable":true,"codename":"","version_clean":"1.0.0","version":"1.0"},"category":{"_id":"56a938862036420d002d23a4","version":"56a938852036420d002d23a3","__v":3,"pages":["56a938872036420d002d23a6","56abf9759327b30d00f7c2a5","56afa3529ca3b20d0017571a"],"project":"56a938852036420d002d23a0","sync":{"url":"","isSync":false},"reference":false,"createdAt":"2016-01-27T21:37:10.291Z","from_sync":false,"order":0,"slug":"documentation","title":"Documentation"},"parentDoc":null,"updates":[],"next":{"pages":[],"description":""},"createdAt":"2016-10-11T16:49:40.129Z","link_external":false,"link_url":"","githubsync":"","sync_unique":"","hidden":false,"api":{"settings":"","results":{"codes":[]},"auth":"required","params":[],"url":""},"isReference":false,"order":0,"body":"## Overview \n\nThe Cisco Umbrella integration enables a cloud-based security service by inspecting the Domain Name System (DNS) query that is sent to the enterprise DNS server through the Cisco 4000 Series Integrated Services Routers (ISR). The security administrator configures policies on the Cisco Umbrella cloud to either allow or deny traffic towards the fully qualified domain name (FQDN). Cisco 4000 Series ISR acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic and forwards the DNS queries to the Cisco Umbrella cloud. This feature is available on Cisco IOS XE Denali 16.3 and later releases.\n\n**NOTE:** 16.6.1 was released to General Availability in late July 2017.  The features described below have changed and a major new improvement with internal mapping of IPs has been included.  
There are significant differences in the command line interface, so if you are running 16.6.1 refer to:\n  * [16.6.1 Release Notes](http://www.cisco.com/c/en/us/td/docs/routers/access/4400/release/xe-16-6/isr4k-rel-notes-xe-16-6.html) \n  * [Documentation](http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-16/sec-data-umbrella-branch-xe-16-book/sec-data-umbrella-bran.html).\n\n### Table of Contents\n \n* [What is Cisco Umbrella Integration?](#section-what-is-cisco-umbrella-)\n* [Prerequisites for Cisco Umbrella](#section-prerequisites-for-cisco-umbrella-with-the-isr4k)\n * [Security Blocking and Installing a Certificate on Endpoints](#section-security-blocking-and-installing-a-certificate-on-endpoints)\n* [Limitations and Restrictions for the Cisco Umbrella integration](#section-limitations-and-restrictions-for-the-cisco-umbrella-integration)\n* [Encrypting the DNS Packet](#section-encrypting-the-dns-packet)\n* [Upgrading the Device Image to Cisco IOS XE Denali 16.3](#section-upgrading-the-device-image-to-cisco-ios-xe-denali-16-3)\n* [Upgrading ROMMON](#section-upgrading-the-rommon)\n* [How to Configure Cisco Umbrella](#section-how-to-configure-cisco-umbrella)\n* [Understanding Tags](#section-understanding-tags)\n* [Obtaining the API Token from the Umbrella Dashboard](#section--obtaining-the-api-token-from-the-umbrella-dashboard-)\n * [Configuring Cisco Umbrella on the ISR](#section-configuring-cisco-umbrella-on-the-isr)\n * [Import CA to the trust pool](#section-import-ca-certificate-to-the-trust-pool)\n* [Registering the Cisco Umbrella Tag](#section-registering-the-cisco-umbrella-tag)\n* [Configuring Cisco 4000 Series ISR as a Pass-through Server](#section-configuring-cisco-4000-series-isr-as-a-pass-through-server)\n* [DNSCrypt, Resolver IP, and Public Key](#section-dnscrypt-resolver-ip-and-public-key)\n* [Verifying the Cisco Umbrella Configuration](#section-verifying-the-cisco-umbrella-configuration)\n* [Deploying Cisco 
Umbrella Using Cisco Prime CLI Templates](#section-deploying-cisco-umbrella-using-cisco-prime-cli-templates)\n* [Testing for Successful Configuration](#section-testing-for-successful-configuration)\n* [Logging Into Umbrella for the First Time with Your Registered Device and Tags](#section-logging-into-umbrella-for-the-first-time-with-your-registered-device-and-tags)\n * [Testing for successful configuration and checking traffic in Reports](#testing_successful_configuration)\n * [Configuring a unique policy for the ISR as a Device Identity in Cisco Umbrella](#section-configuring-a-unique-policy-for-the-isr-as-a-device-identity-in-cisco-umbrella)\n * [“Auto-attach” a pre-existing policy for ISRs added in future](#section--auto-attach-a-pre-existing-policy-for-isrs-added-in-future)\n* [Adding Additional ISRs, Managing Existing ISRs, or Removing an ISR From the Umbrella Dashboard](#section-adding-additional-isrs-managing-existing-isrs-or-removing-an-isr-from-the-umbrella-dashboard)\n\n## What is Cisco Umbrella?\n\n#### Cloud-based Security Service – Cisco Umbrella\n\nThe Cisco Umbrella integration feature provides a cloud-based security service by inspecting the DNS query that is sent to an enterprise DNS server through Cisco 4000 Series ISRs. When a host initiates traffic and sends a DNS query, the Cisco 4000 Series ISR intercepts and inspects the DNS query. If the DNS query is for a local domain, it forwards the DNS packet unchanged to the DNS server in the enterprise network. If the DNS query is for an external domain, it adds an Extended DNS (EDNS) record to the query and sends it to the Cisco Umbrella cloud. An EDNS record includes the device identifier information. Based on this information, the Cisco Umbrella cloud service applies different policies to the DNS query. 
Cisco Umbrella allows or blocks the request and returns the appropriate IP address in the DNS response.\n\n## Prerequisites for Cisco Umbrella with the ISR4K\n\nBefore you configure the Cisco Umbrella integration feature on the Cisco 4000 Series ISR, ensure that you have the following:\n* The minimum ROMMON version to load the Cisco IOS Denali 16.2 image on a Cisco 4000 Series ISR is 16.2(1r).\n* The Cisco 4000 Series ISR must run the Cisco IOS XE Denali 16.3 software image or later.\n* You can upgrade from any ROMMON version to release 16.2(1r). For more information, see the [Upgrading the Device Image to Cisco IOS XE Denali 16.3](#section-upgrading-the-device-image-to-cisco-ios-xe-denali-16-3) section of this guide.\n* The Cisco 4000 Series ISR must have a security K9 license to enable Cisco Umbrella.\n* A valid Cisco Umbrella subscription license.\n* The Cisco 4000 Series ISR should be set as the default DNS server gateway. Ensure that DNS traffic goes through the Cisco 4000 Series ISR.\n\nThe following network requirements must be met:\n\n* For initial registration—The opendns_out interface (this may have a different name if you so choose) must be able to access api.opendns.com over port 443 in order to complete initial registration. \n* TCP & UDP on port 53 (DNS) to 208.67.220.220 & 208.67.222.222 (the Cisco Umbrella public DNS resolvers)\n* DNSCrypt—If there are any devices in front of the ISR that may block DNSCrypt for not looking like an actual DNS packet, the DNSCrypt feature may not work. For more information and an example of the problem, [read this](https://support.umbrella.com/hc/en-us/articles/230562207-Cisco-ASA-Firewall-blocks-DNSCrypt).\n\n#### Security Blocking and Installing a Certificate on Endpoints\n\nBased on the domain (FQDN) that is being queried, Cisco Umbrella determines if the IP addresses should be provided in the response. 
If the domain is deemed malicious, hosts malicious content, or is blocked by a customized security policy, the IP address of the Cisco Umbrella block page server is sent back in the DNS response instead of the IP address of the domain.\n\nWhen the HTTP client on the host sends an HTTP request to the Cisco Umbrella cloud IP address, Umbrella provides the reason for blocking the content in the HTTP response; this is the 'block page'.\n\nIf the blocked domain is from an HTTPS request, the client’s web browser displays a certificate error message. The error message is displayed because the Cisco Umbrella cloud may not have the certificate from the blocked server.\n\nIn order to resolve these issues, we highly recommend installing the Cisco Root Certificates on your clients. For more information including a description of the process, see [Cisco Certificate Import Information](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/).\n\n## Limitations and Restrictions for the Cisco Umbrella integration\n\n* If an application or host makes a direct IP layer connection without using DNS, policy enforcement will not be applied.\n* When the client is connected to a web proxy, the DNS query does not pass through the Cisco 4000 Series ISR. In this case, the connector will not be able to detect any DNS request and the connection to the web server will bypass any policy from Cisco Umbrella.\n* Use in conjunction with Cloud Web Security (CWS): When the Cisco Umbrella policy blocks a DNS query, the client is redirected to a Cisco Umbrella block page. HTTPS servers provide these block pages and the IP address range of these block pages is defined by Cisco Umbrella. 
These web server addresses should be allow-listed for Cloud Web Security (CWS), so that CWS allows the client to get the block page from Cisco Umbrella's web servers.\n* User authentication and identity are not supported in this release.\n* Only queries for A and AAAA record types are redirected to the cloud. Other query types will bypass the connector. However, TXT type DNS queries to debug.opendns.com are redirected.\n* IPv6 is not supported in this release for Umbrella block pages or policy enforcement.\n* A maximum of 64 local domains can be configured, and the allowed name length is 100 characters for each of these domains.\n\n#### When you deploy the Cisco Umbrella integration feature\n\n* If you use multiple EDNS options, the Cisco Umbrella policy may not get applied on the device. For the workaround, contact Cisco Technical Support to get the engineering special image which will resolve this issue.\n* If the WAN interface is down for more than 30 minutes, the device may reload with an exception. Disable DNSCrypt to stop this exception. If you do not want to disable DNSCrypt, contact Cisco Technical Support to get the engineering special image which will resolve this issue.\n\n## Encrypting the DNS Packet\n\nThe DNS packet sent from the Cisco 4000 Series ISR to the Cisco Umbrella server(s) must be encrypted if the EDNS information in the packet contains information such as user IDs, internal network IP addresses, and so on. When the DNS response is sent back from the DNS server, the Cisco 4000 Series ISR decrypts the packet and forwards it back to the host.\n\nYou can encrypt DNS packets only when the DNSCrypt feature is enabled on the Cisco 4000 Series ISR. Based on the FQDN in the DNS query, the Cisco Umbrella service determines if the content provider IP addresses should be provided in the response. 
If the FQDN is malicious or blocked by the customized enterprise security policy, the Cisco Umbrella block web page server address is sent back in the DNS response. When the HTTP client on the host sends an HTTP request to the Cisco Umbrella cloud IP address, it provides the reason for blocking the content in the HTTP response.\n\nIf the blocked domain is from the HTTPS request, the client’s web browser displays a certificate error message. This error message is displayed because the Cisco Umbrella cloud may not have the certificate from the blocked server. Cisco 4000 Series ISR will use the following Anycast recursive Cisco Umbrella servers:\n\n* 208.67.222.222\n* 208.67.220.220 \n* 2620:119:53::53 \n* 2620:119:35::35\n\n## Supported and Recommended Configurations for Reporting and Attribution\n\nThere are two ways to structure the way DNS traffic is handled with the ISR 4K on the LAN, and both are supported configurations, but only one is recommended.  **The recommended approach is to use transparent DNS interception and route traffic appropriately with the ISR.** This gives the ability to show the IP of the requesting endpoint in Umbrella's reporting, rather than the IP of the internal DNS server.  In turn, this makes attribution of the endpoint making the DNS request much easier.\n\n#### Recommended configuration\n\nThe preferred configuration is to have the endpoint's DNS server be the internal DNS server for the network, but use the ISR to route traffic to either the internal or external DNS resource, based on defined subnet. 
\n\n\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/46a0969-ISR_4K_Deployment_Recommended-02-02.png\",\n        \"ISR 4K Deployment Recommended-02-02.png\",\n        553,\n        692,\n        \"#d6d9da\"\n      ],\n      \"sizing\": \"original\"\n    }\n  ]\n}\n[/block]\nIf you would like to add user and group mappings, a Virtual Appliance (VA) is required to connect to Active Directory and gather information about the logged-in user. [More information about Virtual Appliances can be found here](https://docs.umbrella.com/product/umbrella/1-introduction/), and the diagram below outlines that workflow. The VA would sit behind the ISR and be the primary DNS server for all clients:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/ad81431-4206467-Virtual_Appliance_Deployment-03-03.png\",\n        \"4206467-Virtual_Appliance_Deployment-03-03.png\",\n        553,\n        692,\n        \"#dbd9da\"\n      ],\n      \"sizing\": \"original\"\n    }\n  ]\n}\n[/block]\n#### Supported but not recommended configuration\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/3681514-ISR_4K_Deployment_Supported_Not_Recommended-01-01.png\",\n        \"ISR 4K Deployment Supported_Not Recommended-01-01.png\",\n        553,\n        692,\n        \"#d8d8d9\"\n      ],\n      \"sizing\": \"original\"\n    }\n  ]\n}\n[/block]\n## Upgrading the Device Image to Cisco IOS XE Denali 16.3\n\nYou need to upgrade to Cisco IOS XE 3.16 before you upgrade the router image to Cisco IOS XE Denali 16.3 or a later version. \n\n\n## Upgrading the ROMMON\n\nAfter you upgrade to Cisco IOS XE 3.16, upgrade the ROMMON. 
To upgrade the ROMMON version, download the correct version here: [https://software.cisco.com/download/navigator.html?mdfid=286281708](https://software.cisco.com/download/navigator.html?mdfid=286281708)\n\nFor additional guidance in this area, please consult the ISR4K documentation.\n\n1. Download the rommon image and upload it to flash using tftp, scp, or use a usb key. \n2. Use the upgrade rommonitor filename bootflash command to upgrade the ROMMON.  \n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"Device# upgrade rommonitor filename bootflash:rommon_isr_usd_rel_ios_package_SSA.bin16_2_1r R0 Chassis model ISR4321/K9 has a single rommonitor.\\nUpgrade rommonitor\\nTarget copying rommonitor image file\\nselected : 0\\nBooted : 0\\nReset Reason: 0\\nInfo: Upgrading entire flash from the rommon package\\n4259840+0 records in\\n4259840+0 records out\\n262144+0 records in\\n262144+0 records out\\n655360+0 records in\\n655360+0 records out\\n4194304+0 records in\\n4194304+0 records out\\nFile is a FIPS ROMMON image\\nFIPS1403 Load Test on has PASSED.\\nAuthenticity of the image has been verified.\\nSwitching to ROM 1\\n8192+0 records in\\n8192+0 records out\\nUpgrade image MD5 signature is b702a0a59a46a20a4924f9b17b8f0887\\n4259840+0 records in\\n4259840+0 records out\\n4194304+0 records in\\n4194304+0 records out\\n4194304+0 records in\\n4194304+0 records out\\n262144+0 records in\\n262144+0 records out\\nUpgrade image MD5 signature verification is b702a0a59a46a20a4924f9b17b8f0887\\nSwitching back to ROM 0\\nROMMON upgrade complete.\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n3. To make the new ROMMON version as the permanent version, you must restart the RP.\n4. After the upgrade is complete, reload the device. Ensure that you issue the show platform command to verify that the ROMMON upgrade is successful. 
The firmware version should be 16.2(1r).\n\n## How to Configure Cisco Umbrella \n\nThis portion of the document outlines how to configure an ISR to register with the Umbrella dashboard as a Network Device and enforce policy based on Device ID as well as Tags.\n\nThe process of registration is fairly straightforward. In order to authenticate the ISR to the Cisco Umbrella dashboard, a token must be obtained from your Umbrella dashboard and installed on the ISR.\n\nThen you simply log into the device's command-line interface and follow the steps below to configure your ISR. Once completed, the ISR will register as a device in your Umbrella dashboard and a policy can then be defined for the ISR or any additional tags.\n\n#### Understanding Tags\n\nA tag is essentially another network behind the ISR that can be registered on its own and given its own Device ID in the Umbrella dashboard. This can be a VLAN or a physical interface. Each tag will use the same API Token, so minimal extra configuration is needed to register a newly tagged interface. Tags are not unique, but the combination of Model + MAC Address + Tag is unique within an organization.\n\nThe screenshot below shows two Network Devices in the Umbrella dashboard. They look like two separate devices but they are the same ISR, just with different interfaces tagged for different VLANs. Tags can be used to auto-assign policy; this is covered later in this guide.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/4c2a34b-Screen_Shot_2016-07-29_at_7.13.13_PM.png\",\n        \"Screen Shot 2016-07-29 at 7.13.13 PM.png\",\n        1646,\n        164,\n        \"#e9ece8\"\n      ]\n    }\n  ]\n}\n[/block]\n#### Obtaining the API Token from the Umbrella Dashboard\n\nYou will need to get your Network Device API Token from your Umbrella dashboard. \n\n1. Navigate to **Identities > Network Devices**, then click **Get My API Token**. 
The API token is a long alphanumeric set of characters. \n2. Copy the API token to your clipboard or to a text file so that you can complete the next steps.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/bb8588e-get_API_token.jpg\",\n        \"get_API_token.jpg\",\n        906,\n        366,\n        \"#ededec\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n## Configuring Cisco Umbrella on the ISR\n\nTo configure Cisco Umbrella on the Cisco 4000 Series ISR, perform these steps. First:\n\n• You should have the API token from the Cisco Umbrella dashboard (as described in the previous steps).\n\n• You should have the root certificate to establish the HTTPS connection with the Cisco Umbrella registration server. You should import the root certificate of DigiCert given below into the device using the *crypto pki trustpool import* terminal command. Steps to get the certificate are below.\n\n#### Import CA Certificate to the trust pool\n\nCommunication for device registration to the Cisco Umbrella server is via HTTPS. This requires a root certificate to be installed on the router.\n\nWhile in the Configure Terminal (conf t), run the following commands on your ISR. There are two choices, one of which is to simply import the cert directly from Cisco.\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\nThe second option is to use the import terminal, then paste the Root Certificate and the word **quit** after it. 
\n\nTo download this certificate directly from a link instead of pasting it in, you can find the certificate here:\n[https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt](https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt)\n\nThe contents of the certificate are also below and can also be copied from this document, although the download is less prone to error. \n\nThe commands are listed here first, then with the certificate, then a last step to finalize the upload:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"crypto pki trustpool import terminal\\n% Enter PEM-formatted CA certificate.\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n----BEGIN CERTIFICATE----\nMIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\nQTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT\nMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg\nU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83\nnf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd\nKpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f\n/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX\nkujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0\n/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C\nAQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY\naHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6\nLy9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1\noDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD\nQS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v\nd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh\nxtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB\nCwUAA4IBAQAjPt9L0jFCpbZ+QlwaRM
xp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl\n5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA\n8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC\n2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit\nc+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0\nj6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz\n----END CERTIFICATE----\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"% End with a blank line or \\\"quit\\\" on a line by itself.\\nquit\\n% PEM files import succeeded.\\n\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\nVerify that the PEM import is successful. You should receive a message after importing the certificate.\n\nNext, while still in Configure Terminal on the ISR (conf t), add the API token to the ISR by running the following commands, substituting the <API TOKEN> variable with your token:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"parameter-map type opendns global\\ntoken <API TOKEN>\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\nThis is the sample configuration:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"enable\\nconfigure terminal\\nparameter-map type opendns global\\n\\ttoken AABBA59A0BDE1485C912AFE472952641001EEECC \\n\\tlocal-domain dns_bypass\\n\\tudp-timeout 25 (The range is from 1 to 30 seconds). \\n\\tdnscrypt\\n\\tpublic-key key (Key should contain only hexadecimal digit). \\n\\tresolver ipv4 10.1.1.2\\nexit\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\nAdditional configurations listed in the configuration are discussed later in this documentation.\n\n## Registering the Cisco Umbrella Tag\n\nTo register the Cisco Umbrella tag:\n\n1. Configure the OpenDNS parameter map as shown in the previous section.\n2. Configure the OpenDNS Out on the WAN interface: \n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"interface gigabitEthernet 0/0/0\\n opendns out\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n3. 
Configure the OpenDNS In on the LAN interface:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"interface gigabitEthernet 0/0/1\\n opendns in mydevice_tag \",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n**Note:** For Cisco 4000 Series ISRs, the length of the hostname and OpenDNS tag should not exceed 49 characters. \n\n4.  After you configure the OpenDNS In with a tag using the opendns in mydevice_tag command, the Cisco 4000 Series ISR will register the tag to the Cisco Umbrella portal.\n5. The Cisco 4000 Series ISR will initiate the registration process by resolving api.opendns.com. You need to have a name server (ip name-server x.x.x.x) and domain lookup (ip domain-lookup) configured on Cisco 4000 Series ISR to successfully resolve the FQDN.\n\n> **Note:** Configure the OpenDNS Out command before you configure OpenDNS In command. Registration will be successful only when port 443 is in an open state and allows the traffic to pass through the existing firewall.\n\n## Configuring Internal Domains on Cisco 4000 Series ISR\n\nYou can identify the traffic to be bypassed using domain names. This can be useful for directing internal DNS traffic to your local DNS servers. In the Cisco 4000 Series ISR, you can define these domains in the form of a regular expression. 
If the DNS query that is intercepted by the Cisco 4000 Series ISR matches one of the configured regular expressions, then the query is sent to the specified DNS server without redirecting to the Cisco Umbrella cloud.\n\nThis sample configuration shows how to define a regex parameter-map with the desired domain name and regular expressions:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"Device# configure terminal\\nDevice(config)# parameter-map type regex dns_bypass \\nDevice(config)# pattern www.fisco.com \\nDevice(config)# pattern .*engineering.fisco.*\\n\\n_Attach the regex param-map with the OpenDNS global configuration as shown below:_\\n\\nDevice(config)# parameter-map type opendns global \\nDevice(config-profile)# local-domain dns_bypass\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n## DNSCrypt, Resolver IP, and Public-key\n\nWhen you configure the parameter-map type opendns global command, the following values are auto-populated:\n\n* DNSCrypt\n* Resolver IP\n* Public-Key\n\nIt is recommended that you only change the above parameters when performing certain tests in the lab. These parameters are reserved for future use. If you modify these parameters, it can affect the normal functioning of the device.\n\n***Resolver IP***\nThe following commands will change the redirection of DNS packets from Cisco 4000 Series ISR to the Cisco Umbrella cloud:\n\n* resolver ipv4 1.1.1.1\n* resolver ipv4 1.1.1.2\n* resolver ipv6 1234::1\n* resolver ipv6 2345::1\n\nIn this example, all the IPv4 DNS packets are redirected to 1.1.1.1 or 1.1.1.2 and IPv6 DNS packets are redirected to 1234::1 or 2345::1. You should remove the IP address to restore to the default values of the resolver. 
When you modify a resolver IP address, a message is displayed as shown below:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"User configured would overwrite defaults\\nDefaults are restored when no more user configured are present\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\nWith the default values of 208.67.222.222 and 208.67.220.220, all the DNS packets are redirected to the Cisco Umbrella Anycast resolvers. Cisco 4000 Series ISR uses the first default resolver IP address for all its redirection. When the Cisco 4000 Series ISR does not receive a response for three consecutive DNS queries, the Cisco 4000 Series ISR automatically switches to a different resolver IP address. This behavior remains the same for IPv6 resolver addresses.\n\n***Public-key***\nPublic-key is used to download the DNSCrypt certificate from the Cisco Umbrella cloud. This value is preconfigured to B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79 which is the public-key of the Cisco Umbrella Anycast servers. \nIf there is a change in the public-key and if you modify this command, then you have to remove the modified command to restore the default value. If you modify the value, the DNSCrypt certificate download can fail.\n\n***DNSCrypt***\n\nDNSCrypt is an encryption protocol to authenticate communications between the Cisco 4000 Series ISR and Cisco Umbrella. \n\nWhen the parameter-map type opendns is configured and opendns out is enabled on the WAN interface, DNSCrypt is triggered and a certificate downloaded, validated, and parsed. A shared secret key is then negotiated, which is used to encrypt the DNS queries. DNSCrypt downloads this certificate every hour and verifies it for upgrade. As well, a new shared secret key is negotiated to encrypt the DNS queries.\n\nTo disable DNSCrypt, use the *no dnscrypt* command and to re-enable DNSCrypt, use the *dnscrypt* command. 
When DNSCrypt is used, DNS request packets will be larger than 512 bytes. \nEnsure that you allow these packets passage through intermediary devices; otherwise, the response may not reach the intended recipients.\n\n## Verifying the Cisco Umbrella Configuration\n\nYou can verify the Cisco Umbrella configuration using the following commands:\n\n*Router# show opendns config*\n\nOutput example:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"Open DNS Configuration ========================\\n   Token: AAAAAD288BA440D10E207350339F497A001CCBBB\\n   Local Domain Regex parameter-map name: NONE\\n   DNSCrypt: Not enabled\\n   Public-key: NONE\\n   Timeout: NONE\\n   Resolver address: NONE\\nOpen DNS Interface Config:\\n       Number of interfaces with \\\"opendns out\\\" config: 1\\n         1. GigabitEthernet0/0/1\\n             Mode     :  OUT\\n       Number of interfaces with \\\"opendns in\\\" config: 1\\n         1. GigabitEthernet0/0/0\\n             Mode     : IN\\n             Tag      : test1\\n             Device-id: ...Pending...\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n*Device# show opendns deviceid*\n\nOutput example:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"Device registration details \\n\\nInterface Name Tag Status     Device Id\\nGigabitEthernet0/0/0  test1 REQ QUEUED -\\nGigabitEthernet0/0/0.1 test498 200 SUCCES 010af8cde579a997\\nGigabitEthernet0/0/0.2 utah-win-intf 200 SUCCES 010a0a25d20088b8\\nGigabitEthernet0/0/0.3 utah-win-intf 200 SUCCES 010a0a25d20088b8\\nGigabitEthernet0/0/0.4 mydevice_tag REQ QUEUED  -\\n\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n*Device# show opendns dnscrypt*\n\nOutput example:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"DNSCrypt: Enabled\\nPublic-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79\\nCertificate Update Status:\\n     Last Successful Attempt : 10:55:40 UTC Apr 14 2016\\n     Last Failed 
Attempt     : 10:55:10 UTC Apr 14 2016\\nCertificate Details:\\n    Certificate Magic : DNSC\\n    Major Version     : 0x0001\\n    Minor Version     : 0x0000\\n    Server Public-key : ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315\\n    Query Magic       : 0x717744506545635A\\n    Serial Number     : 1435874751\\n    Start Time        : 1435874751 (22:05:51 UTC Jul 2 2015)\\n    End Time          : 1467410751 (22:05:51 UTC Jul 1 2016)\\nClient Public key : 106AE7C2373E5EA68FF90FDA116912D67AF16751F3EEABCB5D8CAAD565D8A44E\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n## Deploying Cisco Umbrella Using Cisco Prime CLI Templates\n\nYou can use the Cisco Prime CLI templates to provision the Cisco Umbrella deployment. The Cisco Prime CLI templates make provisioning a Cisco Umbrella deployment simple.\n**NOTE:** The Cisco Prime CLI template is supported only on Cisco Prime version 3.1 or later.\n\nTo use the Cisco Prime CLI templates to provision the Cisco Umbrella deployment, perform these steps:\n1. Download the Cisco Prime templates corresponding to the Cisco IOS XE Denali version running on your system. \n2. Unzip the file if it is zipped.\n3. From the Cisco Prime Web UI, choose **Configuration > Templates > Features and Technologies**, then select **CLI Templates (User Defined)**.\n4. Click **Import**.\n5. Select the folder where you want to import the templates to, click **Select Templates**, and choose the templates that you just downloaded to import. The following Cisco Umbrella templates are available:\n     * OpenDNS: Use this template to provision the OpenDNS connector on Cisco 4000 Series ISR.\n     * Cleanup: Use this template to remove a previously configured OpenDNS connector on Cisco 4000 Series ISR.\n\n## Testing for Successful Configuration\n\nAfter the device has been registered, there are some basic and advanced tests that can be performed. 
These ensure the ISR has been correctly registered, that Cisco Umbrella can see traffic coming from the ISR, and that you can see the ISR and traffic related to it in the Umbrella dashboard.\n\n*NOTE:* You should use a client that has the IP address of the ISR as its DNS server. In a small “branch office” scenario or in a lab/test environment, this may already be the case; however, in a larger environment, it may not be. If necessary, change the DNS server for the client to the ISR in order to generate traffic for these tests.\n\nYou can troubleshoot issues related to enabling the Cisco Umbrella feature using these commands:\n* debug opendns device-registration\n* debug opendns config\n* debug opendns dnscrypt\n\nRun this command from the client device:\n\n* Use the *nslookup -type=txt debug.opendns.com 8.8.8.8* command from the command prompt of the Windows machine.\n* Use the *nslookup -type=txt debug.opendns.com 8.8.8.8* command from the terminal window or shell of the Linux or OS X machine.\n\nThe return from either test should include a device field in the output. Below is a sample output when the client machine is configured to use Google’s public DNS server.\n\nAs you can see below, the Device ID is passed to Cisco Umbrella's DNS service in the query, yet it still shows the server that was being queried as 8.8.8.8. This shows a perfectly executed DNS hijack by the ISR. 
If it is NOT intercepting traffic, the results will be much shorter than what’s displayed below.\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"user$ nslookup -type=txt debug.opendns.com 8.8.8.8\\nServer: 8.8.8.8\\nAddress: 8.8.8.8#53\\nNon-authoritative answer:\\n\\ndebug.opendns.com text = \\\"server 1.nyc\\\" [This is the specific resolver the query ran against]\\ndebug.opendns.com text = \\\"device 010AFE48555956EC\\\"\\ndebug.opendns.com text = \\\"flags 422 0 5040 19FD000780000000000\\\"\\ndebug.opendns.com text = \\\"originid 44491141\\\"\\ndebug.opendns.com text = \\\"orgid 300727\\\"\\ndebug.opendns.com text = \\\"actype 0\\\"\\ndebug.opendns.com text = \\\"bundle 399367\\\"\\ndebug.opendns.com text = \\\"source 67.215.92.210::47726\\\" [This is the egress IP that Cisco Umbrella saw the query come from]\\ndebug.opendns.com text = \\\"dnscrypt enabled (717473654A614970)\\\"\\n\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n#### Checking that the Block Page is Available\n\nTo check that the block page will be returned as expected from a client that passes DNS traffic through the ISR:\n\n* Linux or OS X—From the terminal window or shell: *nslookup internetbadguys.com*\n* Windows—From the command prompt: *nslookup internetbadguys.com*\n\nIn return, you will receive the IP address of the Cisco Umbrella block page:\n\nNon-authoritative answer:\nName: internetbadguys.com\nAddress: 146.112.61.108\n\n## Logging into Umbrella for the first time with your registered device and tags\n\nAuthenticate to the Umbrella dashboard by going to [http://dashboard.umbrella.com](http://dashboard.umbrella.com) and logging in with your account information.\n\nUpon first logging in, you will see an Overview report of traffic from your organization. Traffic can take up to 90 minutes to first begin populating in the Dashboard, after which the reporting should be real-time.\n\n1. 
Navigate to **Reporting > Activity Search** to see the real-time traffic.\n\n2. Navigate to **Identities > Network Devices** to check whether the ISR has registered as a device in the Umbrella dashboard.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/5f5216e-network_devices.jpg\",\n        \"network_devices.jpg\",\n        653,\n        85,\n        \"#e9eae5\"\n      ]\n    }\n  ]\n}\n[/block]\nIf successfully registered, the ISR appears here. Clicking the Device Name expands the window. You can rename the device or delete it from the dashboard.\nClick **How to remove this device** to access the Delete button.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/cbe323e-delete_device.jpg\",\n        \"delete_device.jpg\",\n        653,\n        300,\n        \"#e5e7e2\"\n      ]\n    }\n  ]\n}\n[/block]\n<a name=\"testing_successful_configuration\"></a>\n#### Testing for successful configuration and checking traffic in Reports\n\nOnce your ISR is configured and appears as a Network Device in Umbrella, any traffic sent from an endpoint device (laptop, workstation, server or any other network-connected device) behind the ISR will appear in the Umbrella Dashboard as Activity.\n\nIf Internet availability is not a problem, navigate to **Reporting > Activity Search**. The traffic from the device to the ISR, then to Cisco Umbrella, should appear here as Activity.\n\nTo test whether basic security filtering is already in place, go to [http://internetbadguys.com](http://internetbadguys.com) in the browser of your test device. The website should display a blocked message in the browser if everything is working correctly.\n\nAlternately, running a dig or nslookup against that website from the command line will also generate traffic.\n\nReturn to the Umbrella dashboard, click **Reporting > Security Activity** and run the report. 
A block for “Phishing” should appear in the report.\n\n#### Configuring a unique policy for the ISR as a Device Identity in Cisco Umbrella\n\nNext, configure your policy with the policy wizard. Depending on your preference, you may wish to create a new policy or simply modify the Default policy to suit your needs.\n\nThese steps apply when creating your first policy, or when going back to edit an existing policy. By default, there's always a single policy—the Default policy. This policy applies to all identities when no other policy above it covers that identity. In other words, the Default policy is a catch-all to ensure all identities within your organization receive a baseline level of protection. You can find out more about policies [here](https://docs.umbrella.com/product/umbrella/customize-your-policies-1/).\n\nThe screenshot below shows one policy created manually and ordered above the default policy, and how all devices and networks are applied.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/b9a43ff-ISR_policy.jpg\",\n        \"ISR_policy.jpg\",\n        939,\n        609,\n        \"#e7e7e8\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\nTo start building and understanding your policies:\n\n1. Navigate to **Policies > Policy List** and click the **+** (**Add**) icon or expand the default policy. If you select the default policy, all Identities are selected, so the second step can be skipped.\n2. Select the identities to which the policy will be applied. If you simply have a single ISR configured as a Device in your dashboard, select that single Identity and click **Next**. 
If you have more than one, you can select all the ISRs in a group.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/af877f0-select_idents.jpg\",\n        \"select_idents.jpg\",\n        900,\n        506,\n        \"#e3e3e4\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n3. Select what you want this policy to do.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/8bd0d99-what_policy_do.png\",\n        \"what_policy_do.png\",\n        1814,\n        833,\n        \"#d8dada\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n  The four options shown correspond to policy features: security settings, IP layer enforcement, content category blocks and custom destination lists.\n* **Enforce Security at the DNS Layer**—These settings relate directly to the blocking of domains based on whether they are malicious, and provide a base level of security protection. We recommend always selecting this.\n* **Inspect Files**—Selectively inspect files in the cloud, not on premises, so there is no need for additional hardware. The inspection is done with Cisco AMP and an antivirus. For more information, see [Enable File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection/).\n* **Limit Content Access**—These settings filter types of content based on your Organization's acceptable use policies; this is typically recommended.\n* **Apply Destination Lists**—If you have particular domains you'd like to allow or block, add them to a destination list. There are two by default, _block_ or _allow_, and you can create more to organize groups of domains. The two defaults are the \"Global\" lists, meaning they apply to *any* policy. It's up to you whether you have anything in particular you'd like to block right away.\n\nUnderneath the options for what the policy should do, you'll find Advanced Settings.  
\n\nThese include the Intelligent Proxy, SSL Decryption, the \"Allow-Only mode\" (previously known as 'white list mode') and logging options.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/c7c7970-advanced_settings.jpg\",\n        \"advanced_settings.jpg\",\n        899,\n        531,\n        \"#d2d1d3\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\nOnce you've picked what the policy should do, click **Next**.\n\n4. Configure security settings and click **Next**.\nThese settings determine which types of security threat are blocked. For more information on what each of these categories represents, see [Understanding Security Categories](https://docs.umbrella.com/product/umbrella/understanding-the-security-categories/).\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/d5a2a2f-secure_set.jpg\",\n        \"secure_set.jpg\",\n        900,\n        750,\n        \"#d2d1d3\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n5. Configure content access settings and click **Next**.\nThese settings filter types of content based on your Organization's acceptable use policies. They allow the selection of content categories to be blocked for the devices selected in the second step of the policy editor. By default, no content categories are blocked. To create a new set of content filtering rules, choose \"Create New Setting\" from the Custom Setting drop-down list.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/1b9ed2c-content_access.jpg\",\n        \"content_access.jpg\",\n        900,\n        630,\n        \"#e4e4e3\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n6. Apply destination lists and click **Next**.\nIf you have particular domains you'd like to allow or block, add them to a destination list. 
There are two by default, block or allow, and you can create more to organize groups of destinations. Note that each destination list can be set to be a block list (default) or an allow list. We recommend adding domains in the format \"domain.com\" rather than www.domain.com to ensure *.domain.com is included. Allow list entries will always take precedence over block list entries.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/fefb8a4-destination_apply.jpg\",\n        \"destination_apply.jpg\",\n        900,\n        534,\n        \"#e1e2e2\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n7. Set a block page and click **Next**.\nYou can optionally create a unique block page for your users and configure how that block page can be bypassed. Default settings are selected by default and will display the Cisco Umbrella block page and the type of block if and when users reach blocked content.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/53be0e2-set_block_page.jpg\",\n        \"set_block_page.jpg\",\n        900,\n        433,\n        \"#d8d8d9\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n8. Give your policy a meaningful name, review the settings, and click **Save**.\nThe name of a policy is not purely cosmetic: the next section of this document outlines how to 'auto-attach' a pre-existing policy for future ISRs.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/d96a08c-review_policy.jpg\",\n        \"review_policy.jpg\",\n        900,\n        527,\n        \"#d8d9db\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n#### “Auto-attach” a pre-existing policy for ISRs added in future\n\nA helpful feature is to add a policy for an ISR in advance of that device being added to the Umbrella dashboard. 
This means that as soon as the device is registered, the policy applied to it will be whatever you’ve configured, and there will be no need to manually add the device to an existing policy.\n\nA normal use case is when you have a large number of ISR boxes. Each ISR would register a “guest” and a “corp” tag. We’d want all of those “guest” devices to go into the same “guest” policy.\nWhen a Network Device registers with a tag, the API will check to see if there are any policies with that exact same name (aka Policy Description) as the tag. If such a policy exists, the newly registered Network Device will immediately be assigned this policy. The name must match the tag exactly (although it is not case-sensitive). This process only occurs at the time of registration, so if a policy is created after registration, you will need to assign existing Network Devices to it manually.\n\nTags are not unique, but the combination of Model + MAC Address + Tag is unique within an organization.\n\n## Adding additional ISRs, managing existing ISRs, or removing an ISR from the Umbrella Dashboard\n\nIf you wish to add additional ISRs, simply authenticate these devices with Cisco Umbrella as you've done with the devices that are already present in the dashboard.\n\nThe information about a device, such as Serial Number and Device Name, can be set by the device itself, but it can be changed in the Umbrella Dashboard in case the Device Name is not helpful or is a duplicate. Where applicable, it's a good idea to include information about the physical location or network address of the device.\n\nTo manage the list of devices, use the Filter functionality or group the devices together.\n\nTo remove a device, you must remove the authentication (username/password or API token) from the device first, or simply take the device offline if you're decommissioning it. 
Otherwise, even if it has been deleted from the dashboard, the device will reappear in the dashboard when it sends additional traffic.\n\nOnce authentication has been removed from the device, it can be deleted from the dashboard by clicking **How to remove this device**, then clicking **Delete**.\n\n\n---\n**Integration for ISR 4K – Security Configuration Guide** > [Wireless LAN Controller Integration](https://docs.umbrella.com/product/hardware/opendns-wlc_integration_guide/)\n","excerpt":"","slug":"cisco-umbrella-branch-for-isr-4k-security-configuration-guide-1","type":"basic","title":"Integration for ISR 4K – Security Configuration Guide"}
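The two client-side checks in the Testing for Successful Configuration section above (`nslookup -type=txt debug.opendns.com 8.8.8.8` to confirm the ISR intercepted the query, and `nslookup internetbadguys.com` to confirm the block page address comes back) are worth scripting once more than one ISR is in play. The Python below is an added example, not part of this guide or of Cisco's or Umbrella's tooling: it parses saved nslookup output, reports whether the query was intercepted, whether DNSCrypt was on, the egress IP Umbrella saw, and whether the device id in the answer matches the one `show opendns deviceid` reports (compared case-insensitively, since the CLI prints it in lower case and the TXT record in upper case). The sample outputs are constructed to match the shape of the output shown in that section; the `192.0.2.x` addresses are documentation-range placeholders.

```python
"""Check nslookup output from a client behind the ISR for Umbrella interception.
Added example for this guide, not Cisco's or Umbrella's code."""
import re

BLOCK_PAGE_IP = "146.112.61.108"   # Umbrella block-page address given in this guide

# Constructed sample, same shape as the intercepted output shown in the guide.
SAMPLE_INTERCEPTED = """\
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:

debug.opendns.com text = "server 1.nyc"
debug.opendns.com text = "device 010AFE48555956EC"
debug.opendns.com text = "flags 422 0 5040 19FD000780000000000"
debug.opendns.com text = "originid 44491141"
debug.opendns.com text = "orgid 300727"
debug.opendns.com text = "actype 0"
debug.opendns.com text = "bundle 399367"
debug.opendns.com text = "source 67.215.92.210::47726"
debug.opendns.com text = "dnscrypt enabled (717473654A614970)"
"""

# Constructed sample of the "much shorter" result when nothing intercepts the query.
SAMPLE_NOT_INTERCEPTED = """\
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
"""

# Constructed samples for the block-page check (192.0.2.x = documentation addresses).
SAMPLE_BLOCK_PAGE = """\
Server: 192.0.2.1
Address: 192.0.2.1#53
Non-authoritative answer:
Name: internetbadguys.com
Address: 146.112.61.108
"""
SAMPLE_NOT_BLOCKED = """\
Server: 192.0.2.1
Address: 192.0.2.1#53
Non-authoritative answer:
Name: example.test
Address: 192.0.2.10
"""

# Tolerates the missing space seen in the guide's own sample ("debug.opendns.comtext").
TXT_RE = re.compile(r'debug\.opendns\.com\s*text\s*=\s*"([^"]*)"')


def parse_debug_txt(output):
    """Map each TXT record's first word to the rest of the record, e.g. 'device' -> id."""
    fields = {}
    for match in TXT_RE.finditer(output):
        key, _, value = match.group(1).partition(" ")
        fields[key] = value
    return fields


def check_interception(output, expected_device_id=None):
    """Verdict on one nslookup run: was the ISR in the path, was DNSCrypt on,
    which egress IP did Umbrella see, and does the device id match the CLI."""
    fields = parse_debug_txt(output)
    device = fields.get("device")
    result = {
        "intercepted": device is not None,            # no 'device' record: not intercepted
        "device_id": device,
        "dnscrypt": fields.get("dnscrypt", "").startswith("enabled"),
        "egress_ip": fields.get("source", "").split("::")[0] or None,
    }
    if expected_device_id is not None:
        result["device_matches"] = (device or "").lower() == expected_device_id.lower()
    return result


def block_page_returned(nslookup_output):
    """True when an A answer in the output is the Umbrella block-page address."""
    addresses = re.findall(r"Address:\s*(\d+\.\d+\.\d+\.\d+)", nslookup_output)
    return BLOCK_PAGE_IP in addresses


if __name__ == "__main__":
    print(check_interception(SAMPLE_INTERCEPTED, "010afe48555956ec"))
    print("block page:", block_page_returned(SAMPLE_BLOCK_PAGE))
```

Feed `check_interception` the captured output of the nslookup run on a client whose DNS server is the ISR; an `intercepted` of `False` on a client that should be behind the ISR is the first thing to chase (usually the client is pointed at a different resolver, or DNS is not transiting the ISR), and a `device_matches` of `False` means the client sits behind an interface or tag other than the one you expected.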

Integration for ISR 4K – Security Configuration Guide


## Overview

The Cisco Umbrella integration enables a cloud-based security service by inspecting the Domain Name System (DNS) query that is sent to the enterprise DNS server through the Cisco 4000 Series Integrated Services Routers (ISR). The security administrator configures policies on the Cisco Umbrella cloud to either allow or deny traffic towards the fully qualified domain name (FQDN). Cisco 4000 Series ISR acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic and forwards the DNS queries to the Cisco Umbrella cloud. This feature is available on Cisco IOS XE Denali 16.3 and later releases.

**NOTE:** 16.6.1 was released to General Availability in late July 2017. The features described below have changed and a major new improvement with internal mapping of IPs has been included. There are significant differences in the command line interface, so if you are running 16.6.1 refer to:
* [16.6.1 Release Notes](http://www.cisco.com/c/en/us/td/docs/routers/access/4400/release/xe-16-6/isr4k-rel-notes-xe-16-6.html)
* [Documentation](http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-16/sec-data-umbrella-branch-xe-16-book/sec-data-umbrella-bran.html).

### Table of Contents

* [What is Cisco Umbrella Integration?](#section-what-is-cisco-umbrella-)
* [Prerequisites for Cisco Umbrella](#section-prerequisites-for-cisco-umbrella-with-the-isr4k)
  * [Security Blocking and Installing a Certificate on Endpoints](#section-security-blocking-and-installing-a-certificate-on-endpoints)
* [Limitations and Restrictions for the Cisco Umbrella integration](#section-limitations-and-restrictions-for-the-cisco-umbrella-integration)
* [Encrypting the DNS Packet](#section-encrypting-the-dns-packet)
* [Upgrading the Device Image to Cisco IOS XE Denali 16.3](#section-upgrading-the-device-image-to-cisco-ios-xe-denali-16-3)
* [Upgrading ROMMON](#section-upgrading-the-rommon)
* [How to Configure Cisco Umbrella](#section-how-to-configure-cisco-umbrella)
* [Understanding Tags](#section-understanding-tags)
* [Obtaining the API Token from the Umbrella Dashboard](#section--obtaining-the-api-token-from-the-umbrella-dashboard-)
  * [Configuring Cisco Umbrella on the ISR](#section-configuring-cisco-umbrella-on-the-isr)
  * [Import CA to the trust pool](#section-import-ca-certificate-to-the-trust-pool)
* [Registering the Cisco Umbrella Tag](#section-registering-the-cisco-umbrella-tag)
* [Configuring Cisco 4000 Series ISR as a Pass-through Server](#section-configuring-cisco-4000-series-isr-as-a-pass-through-server)
* [DNSCrypt, Resolver IP, and Public Key](#section-dnscrypt-resolver-ip-and-public-key)
* [Verifying the Cisco Umbrella Configuration](#section-verifying-the-cisco-umbrella-configuration)
* [Deploying Cisco Umbrella Using Cisco Prime CLI Templates](#section-deploying-cisco-umbrella-using-cisco-prime-cli-templates)
* [Testing for Successful Configuration](#section-testing-for-successful-configuration)
* [Logging Into Umbrella for the First Time with Your Registered Device and Tags](#section-logging-into-umbrella-for-the-first-time-with-your-registered-device-and-tags)
* [Testing for successful configuration and checking traffic in Reports](#testing_successful_configuration)
* [Configuring a unique policy for the ISR as a Device Identity in Cisco Umbrella](#section-configuring-a-unique-policy-for-the-isr-as-a-device-identity-in-cisco-umbrella)
* [“Auto-attach” a pre-existing policy for ISRs added in future](#section--auto-attach-a-pre-existing-policy-for-isrs-added-in-future)
* [Adding Additional ISRs, Managing Existing ISRs, or Removing an ISR From the Umbrella Dashboard](#section-adding-additional-isrs-managing-existing-isrs-or-removing-an-isr-from-the-umbrella-dashboard)

## What is Cisco Umbrella?

#### Cloud-based Security Service – Cisco Umbrella

The Cisco Umbrella integration feature provides a cloud-based security service by inspecting the DNS query that is sent to an enterprise DNS server through Cisco 4000 Series ISRs. When a host initiates the traffic and sends a DNS query, the Cisco 4000 Series ISR intercepts and inspects the DNS query. If the DNS query is for a local domain, the ISR forwards the DNS packet unchanged to the DNS server in the enterprise network. If the DNS query is for an external domain, it adds an Extended DNS (EDNS) record to the query and sends it to the Cisco Umbrella cloud. An EDNS record includes the device identifier information. Based on this information, the Cisco Umbrella cloud service applies different policies to the DNS query. Cisco Umbrella allows or blocks the request and returns the appropriate IP address in the DNS response.

## Prerequisites for Cisco Umbrella with the ISR4K

Before you configure the Cisco Umbrella integration feature on the Cisco 4000 Series ISR, ensure that you have the following:

* The minimum ROMMON version to load the Cisco IOS Denali 16.2 image on a Cisco 4000 Series ISR is 16.2(1r). The Cisco 4000 Series ISR runs the Cisco IOS XE Denali 16.3 software image or later.
* You can upgrade from any ROMMON version to release 16.2(1r). For more information, see the [Upgrading the Device Image to Cisco IOS XE Denali 16.3](#section-upgrading-the-device-image-to-cisco-ios-xe-denali-16-3) section of this guide.
* The Cisco 4000 Series ISR must have a security K9 license to enable Cisco Umbrella.
* A valid Cisco Umbrella subscription license.
* The Cisco 4000 Series ISR should be set as the default DNS server gateway. Ensure that DNS traffic goes through the Cisco 4000 Series ISR.

The following network requirements must be met:

* For initial registration—The opendns_out interface (this may have a different name if you so choose) must be able to access api.opendns.com over port 443 in order to complete initial registration.
* TCP & UDP on port 53 (DNS) to 208.67.220.220 & 208.67.222.222 (the Cisco Umbrella public DNS resolvers).
* DNSCrypt—If there are any devices in front of the ISR that may block DNSCrypt for not looking like an actual DNS packet, the DNSCrypt feature may not work. For more information and an example of the problem, [read this](https://support.umbrella.com/hc/en-us/articles/230562207-Cisco-ASA-Firewall-blocks-DNSCrypt).

#### Security Blocking and Installing a Certificate on Endpoints

Based on the domain (FQDN) that is being queried, Cisco Umbrella determines if the IP addresses should be provided in the response. If the domain is deemed to be malicious or hosting malicious content, or is blocked by a customized security policy, the IP address of the Cisco Umbrella block page server is sent back in the DNS response instead of the IP address of the domain. When the HTTP client on the host sends an HTTP request to the Cisco Umbrella cloud IP address, Umbrella provides the reason for blocking the content in the HTTP response; this is the ‘block page.' If the blocked domain is from an HTTPS request, the client’s web browser displays a certificate error message. The error message is displayed because the Cisco Umbrella cloud may not have the certificate from the blocked server. In order to resolve these issues, we highly recommend installing the Cisco Root Certificates on your clients. For more information, including a description of the process, see [Cisco Certificate Import Information](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/).

## Limitations and Restrictions for the Cisco Umbrella integration

* If an application or host makes a direct IP layer connection without using DNS, policy enforcement will not be applied.
* When the client is connected to a web proxy, the DNS query does not pass through the Cisco 4000 Series ISR. In this case, the connector will not be able to detect any DNS request and the connection to the web server will bypass any policy from Cisco Umbrella.
* Using in conjunction with Cloud Web Security (CWS): When the Cisco Umbrella policy blocks a DNS query, the client is redirected to a Cisco Umbrella block page. HTTPS servers provide these block pages and the IP address range of these block pages is defined by Cisco Umbrella. These web server addresses should be allow-listed in Cloud Web Security (CWS), so that CWS allows the client to get the block page from Cisco Umbrella's web servers.
* User authentication and identity is not supported in this release.
* Only queries for A and AAAA record types are redirected to the cloud. Other query types will bypass the connector. However, the TXT type DNS queries to debug.opendns.com are redirected.
* IPv6 is not supported in this release for Umbrella block pages or policy enforcement.
* A maximum of 64 local domains can be configured, and the allowed name length is 100 characters for each of these domains.

#### When you deploy the Cisco Umbrella integration feature

* If you use the multiple EDNS options, the Cisco Umbrella policy may not get applied on the device. For the work-around, contact Cisco Technical Support to get the engineering special image which will resolve this issue.
* If the WAN interface is down for more than 30 minutes, the device may reload with an exception. Disable DNSCrypt to stop this exception. If you do not want to disable DNSCrypt, contact Cisco Technical Support to get the engineering special image which will resolve this issue.

## Encrypting the DNS Packet

The DNS packet sent from the Cisco 4000 Series ISR to the Cisco Umbrella server(s) must be encrypted if the EDNS information in the packet contains information such as user IDs, internal network IP addresses, and so on. When the DNS response is sent back from the DNS server, the Cisco 4000 Series ISR decrypts the packet and forwards it back to the host. You can encrypt DNS packets only when the DNSCrypt feature is enabled on the Cisco 4000 Series ISR.

Based on the FQDN in the DNS query, the Cisco Umbrella service determines if the content provider IP addresses should be provided in the response. If the FQDN is malicious or blocked by the customized enterprise security policy, the Cisco Umbrella block web page server address is sent back in the DNS response. When the HTTP client on the host sends an HTTP request to the Cisco Umbrella cloud IP address, it provides the reason for blocking the content in the HTTP response. If the blocked domain is from an HTTPS request, the client’s web browser displays a certificate error message. This error message is displayed because the Cisco Umbrella cloud may not have the certificate from the blocked server.

Cisco 4000 Series ISR will use the following Anycast recursive Cisco Umbrella servers:

* 208.67.222.222
* 208.67.220.220
* 2620:119:53::53
* 2620:119:35::35

## Supported and Recommended Configurations for Reporting and Attribution

There are two ways to structure how DNS traffic is handled with the ISR 4K on the LAN; both are supported configurations, but only one is recommended.

**The recommended approach is to use transparent DNS interception and route traffic appropriately with the ISR.** This gives the ability to show the IP of the requesting endpoint in Umbrella's reporting, rather than the IP of the internal DNS server. In turn, this makes attribution of the endpoint making the DNS request much easier.

#### Recommended configuration

The preferred configuration is to have the endpoint's DNS server be the internal DNS server for the network, but use the ISR to route traffic to either the internal or external DNS resource, based on defined subnet.

[block:image]
{
  "images": [
    {
      "image": [
        "https://files.readme.io/46a0969-ISR_4K_Deployment_Recommended-02-02.png",
        "ISR 4K Deployment Recommended-02-02.png",
        553,
        692,
        "#d6d9da"
      ],
      "sizing": "original"
    }
  ]
}
[/block]

If you would like to add user and group mappings, a Virtual Appliance (VA) is required to connect to Active Directory and gather information about the logged-in user. [More information about Virtual Appliances can be found here](https://docs.umbrella.com/product/umbrella/1-introduction/), and this diagram outlines that workflow. The VA would sit behind the ISR and be the primary DNS server for all clients:

[block:image]
{
  "images": [
    {
      "image": [
        "https://files.readme.io/ad81431-4206467-Virtual_Appliance_Deployment-03-03.png",
        "4206467-Virtual_Appliance_Deployment-03-03.png",
        553,
        692,
        "#dbd9da"
      ],
      "sizing": "original"
    }
  ]
}
[/block]

#### Supported but not recommended configuration

[block:image]
{
  "images": [
    {
      "image": [
        "https://files.readme.io/3681514-ISR_4K_Deployment_Supported_Not_Recommended-01-01.png",
        "ISR 4K Deployment Supported_Not Recommended-01-01.png",
        553,
        692,
        "#d8d8d9"
      ],
      "sizing": "original"
    }
  ]
}
[/block]

## Upgrading the Device Image to Cisco IOS XE Denali 16.3

You need to upgrade to the Cisco IOS XE 3.16 version before you upgrade the router image to the Cisco IOS XE Denali 16.3 or later version.

## Upgrading the ROMMON

After you upgrade to the Cisco IOS XE 3.16 version, upgrade the ROMMON. To upgrade the ROMMON version, download the correct version here: [https://software.cisco.com/download/navigator.html?mdfid=286281708](https://software.cisco.com/download/navigator.html?mdfid=286281708)

For additional guidance in this area, please consult the ISR4K documentation.

1. Download the ROMMON image and upload it to flash using TFTP, SCP, or a USB key.
2. Use the *upgrade rommonitor filename bootflash* command to upgrade the ROMMON.

[block:code]
{
  "codes": [
    {
      "code": "Device# upgrade rommonitor filename bootflash:rommon_isr_usd_rel_ios_package_SSA.bin16_2_1r R0\nChassis model ISR4321/K9 has a single rommonitor.\nUpgrade rommonitor\nTarget copying rommonitor image file\nselected : 0\nBooted : 0\nReset Reason: 0\nInfo: Upgrading entire flash from the rommon package\n4259840+0 records in\n4259840+0 records out\n262144+0 records in\n262144+0 records out\n655360+0 records in\n655360+0 records out\n4194304+0 records in\n4194304+0 records out\nFile is a FIPS ROMMON image\nFIPS1403 Load Test on has PASSED.\nAuthenticity of the image has been verified.\nSwitching to ROM 1\n8192+0 records in\n8192+0 records out\nUpgrade image MD5 signature is b702a0a59a46a20a4924f9b17b8f0887\n4259840+0 records in\n4259840+0 records out\n4194304+0 records in\n4194304+0 records out\n4194304+0 records in\n4194304+0 records out\n262144+0 records in\n262144+0 records out\nUpgrade image MD5 signature verification is b702a0a59a46a20a4924f9b17b8f0887\nSwitching back to ROM 0\nROMMON upgrade complete.",
      "language": "text"
    }
  ]
}
[/block]

3. To make the new ROMMON version the permanent version, you must restart the RP.
4. After the upgrade is complete, reload the device. Issue the *show platform* command to verify that the ROMMON upgrade is successful. The firmware version should be 16.2(1r).
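Before the device-side configuration that follows, it helps to see the forwarding decision described in the What is Cisco Umbrella? and Limitations sections above, and how a device identifier rides in an EDNS0 OPT record (RFC 6891), as a small Python model. This is an added example, not Cisco's or Umbrella's code: the option code `EDNS_OPTION_DEVICE_ID`, the `ENTERPRISE_DNS` address and the local-domain list are placeholders chosen for illustration; the real ISR uses its own option layout, which this guide does not document. The resolver addresses and the sample device id (`010af8c de579a997` with the space removed, from the `show opendns deviceid` output) are taken from this guide.

```python
"""Model of the ISR's DNS-forwarding decision and of an EDNS0 OPT record that
carries a device identifier.  Added example for this guide, not Cisco's or
Umbrella's code; option code and addresses below are placeholders."""
import struct
from dataclasses import dataclass

QTYPE_A, QTYPE_TXT, QTYPE_AAAA, QTYPE_OPT = 1, 16, 28, 41
UMBRELLA_RESOLVERS = ("208.67.222.222", "208.67.220.220")   # from this guide
ENTERPRISE_DNS = "10.0.0.53"           # placeholder for the internal DNS server
PASS_THROUGH = "original destination"  # query leaves the ISR untouched
EDNS_OPTION_DEVICE_ID = 65001          # placeholder code in the experimental range
EDNS_UDP_PAYLOAD = 4096                # advertised buffer; tagged queries exceed 512 bytes


@dataclass
class Decision:
    destination: str
    add_edns: bool
    reason: str


def classify_query(qname, qtype, local_domains):
    """Where the ISR sends a query and whether it tags it, per the guide:
    local domains go unchanged to the enterprise server; external A/AAAA
    (and TXT for debug.opendns.com) get an EDNS record and go to Umbrella;
    every other record type bypasses the connector."""
    name = qname.rstrip(".").lower()
    for dom in local_domains:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return Decision(ENTERPRISE_DNS, False, "local domain")
    if qtype in (QTYPE_A, QTYPE_AAAA) or (qtype == QTYPE_TXT and name == "debug.opendns.com"):
        return Decision(UMBRELLA_RESOLVERS[0], True, "redirected to Umbrella with EDNS")
    return Decision(PASS_THROUGH, False, "record type not redirected")


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, qname, qtype, device_id_hex=None):
    """Plain DNS query; with device_id_hex, append an OPT pseudo-RR whose
    option payload carries the device id (this is where the EDNS tag lives)."""
    arcount = 0 if device_id_hex is None else 1
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD flag set
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)      # QCLASS IN
    if device_id_hex is not None:
        data = bytes.fromhex(device_id_hex)
        option = struct.pack("!HH", EDNS_OPTION_DEVICE_ID, len(data)) + data
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, EDNS_UDP_PAYLOAD, 0, len(option)) + option
    return pkt


def _skip_name(pkt, off):
    """Return the offset just past the name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def extract_device_id(pkt):
    """Walk to the additional section and pull the device id out of the OPT RR;
    None when the query carries no tag (i.e. it was never intercepted)."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4                       # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(pkt, off)
        off += 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    for _ in range(ar):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype != QTYPE_OPT:
            continue
        i = 0
        while i + 4 <= len(rdata):                           # option TLVs: code, len, value
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            if code == EDNS_OPTION_DEVICE_ID:
                return rdata[i + 4:i + 4 + olen].hex()
            i += 4 + olen
    return None


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com", QTYPE_A, "010af8cde579a997")
    print(len(q), "bytes; device id in OPT record:", extract_device_id(q))
```

The point of `classify_query` is the gap the Limitations section calls out: anything that is not an A or AAAA lookup (MX, SRV, a direct IP connection with no lookup at all) never reaches Umbrella and so never meets policy, which is why the web-proxy and direct-IP cases listed there are blind spots. The OPT record shows why the DNSCrypt note about packets over 512 bytes matters: the advertised payload size lives in the CLASS field of that record, and middleboxes that only expect classic 512-byte UDP DNS can drop the tagged query.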
## How to Configure Cisco Umbrella This portion of the document outlines how to configure an ISR to register with the Umbrella dashboard as a Network Device and enforce policy based on Device ID as well as Tags. The process of registration is fairly straightforward. I​n order to authenticate the ISR to the Cisco Umbrella dashboard, a token must be obtained from your Umbrella dashboard and installed on the ISR. Then you simply log into the device's command interface and follow the steps below to configure your ISR. Once completed, the ISR will register as a device in your Umbrella dashboard and a policy can then be defined for the ISR or any additional tags. #### Understanding Tags A tag is essentially another network that is behind the ISR that can be registered alone and given its own Device ID in the Umbrella dashboard. This can be a VLAN or a physical interface. Each tag will use the same API Token, so minimal extra configuration is needed to register a newly tagged interface. T​ags are not unique, but the combination of Model + MAC Address + Tag is unique within an organization. The screenshot below shows two Network Devices in the Umbrella dashboard. They look like two separate devices but they are the same ISR, just with different interfaces tagged for different VLANs. Tags can be used to auto­-assign policy; this is covered later in this guide. [block:image] { "images": [ { "image": [ "https://files.readme.io/4c2a34b-Screen_Shot_2016-07-29_at_7.13.13_PM.png", "Screen Shot 2016-07-29 at 7.13.13 PM.png", 1646, 164, "#e9ece8" ] } ] } [/block] #### Obtaining the API Token from the Umbrella Dashboard. You will need to get your Network Device API Token from your Umbrella dashboard. 1. Navigate to **Identities > Network Devices​**, then click **Get My API Token**. The API token is a long alphanumeric set of characters. 2. Copy the API token to your clipboard or to a text file so that you can complete the next steps. 
![get_API_token.jpg](https://files.readme.io/bb8588e-get_API_token.jpg)

## Configuring Cisco Umbrella on the ISR

To configure Cisco Umbrella on the Cisco 4000 Series ISR, perform these steps. First:

* You should have the API token from the Cisco Umbrella dashboard (as described in the previous steps).
* You should have the root certificate to establish the HTTPS connection with the Cisco Umbrella registration server. Import the DigiCert root certificate given below into the device using the *crypto pki trustpool import* terminal command. Steps to get the certificate are below.

#### Import CA Certificate to the trust pool

Communication for device registration to the Cisco Umbrella server is via HTTPS. This requires a root certificate to be installed on the router. While in configure terminal mode (conf t), run the following commands on your ISR. There are two choices, one of which is to simply import the certificate bundle directly from Cisco:

```text
crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
```

The second option is to use the *import terminal* form of the command, then paste the root certificate and the word **quit** after it. To download this certificate directly from a link instead of pasting it in, you can find the certificate here: [https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt](https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt). The contents of the certificate are also below and can be copied from this document, although the download is less prone to error.
The commands are listed here first, then the certificate, then a last step to finalize the upload:

```text
crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
-----END CERTIFICATE-----
quit
% PEM files import succeeded.
```

Verify that the PEM import is successful: you should receive the "PEM files import succeeded" message after importing the certificate. Note that the certificate reproduced here carries a validity period that ends on March 8, 2023 (visible in its encoded NotAfter field), so check the current certificate chain presented by the registration server before relying on this copy.

Next, while still in configure terminal on the ISR (conf t), add the API token to the ISR by running the following commands, substituting <API TOKEN> with your token:

```text
parameter-map type opendns global
 token <API TOKEN>
```

This is the sample configuration:

```text
enable
configure terminal
parameter-map type opendns global
 token AABBA59A0BDE1485C912AFE472952641001EEECC
 local-domain dns_bypass
 udp-timeout 25
 dnscrypt
 public-key key
 resolver ipv4 10.1.1.2
exit
```

The *udp-timeout* range is 1 to 30 seconds, and the *public-key* value must contain only hexadecimal digits. The additional commands shown in this configuration are discussed later in this document.

## Registering the Cisco Umbrella Tag

To register the Cisco Umbrella tag:

1. Configure the OpenDNS parameter map as shown in the previous section.
2. Configure OpenDNS Out on the WAN interface:

```text
interface gigabitEthernet 0/0/0
 opendns out
```

3. Configure OpenDNS In on the LAN interface:

```text
interface gigabitEthernet 0/0/1
 opendns in mydevice_tag
```

**Note:** For Cisco 4000 Series ISRs, the length of the hostname and OpenDNS tag should not exceed 49 characters.

4. After you configure OpenDNS In with a tag using the *opendns in mydevice_tag* command, the Cisco 4000 Series ISR will register the tag with the Cisco Umbrella portal.
5. The Cisco 4000 Series ISR will initiate the registration process by resolving api.opendns.com.
You need to have a name server (*ip name-server x.x.x.x*) and domain lookup (*ip domain-lookup*) configured on the Cisco 4000 Series ISR to successfully resolve the FQDN.

> **Note:** Configure the OpenDNS Out command before you configure the OpenDNS In command. Registration will be successful only when port 443 is open and the existing firewall allows the traffic to pass through.

## Configuring Internal Domains on Cisco 4000 Series ISR

You can identify the traffic to be bypassed using domain names. This can be useful for directing internal DNS traffic to your local DNS servers. In the Cisco 4000 Series ISR, you can define these domains in the form of a regular expression. If the DNS query that is intercepted by the Cisco 4000 Series ISR matches one of the configured regular expressions, then the query is sent to the specified DNS server without redirecting to the Cisco Umbrella cloud. This sample configuration shows how to define a regex parameter-map with the desired domain name and regular expressions:

```text
Device# configure terminal
Device(config)# parameter-map type regex dns_bypass
Device(config-profile)# pattern www.fisco.com
Device(config-profile)# pattern .*engineering.fisco.*
```

Attach the regex parameter-map to the OpenDNS global configuration as shown below:

```text
Device(config)# parameter-map type opendns global
Device(config-profile)# local-domain dns_bypass
```

## DNSCrypt, Resolver IP, and Public-key

When you configure the *parameter-map type opendns global* command, the following values are auto-populated:

* DNSCrypt
* Resolver IP
* Public-Key

It is recommended that you only change the above parameters when performing certain tests in the lab. These parameters are reserved for future use. If you modify these parameters, it can affect the normal functioning of the device.
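To see what the two bypass patterns above actually match, here is an added Python model of a local-domain parameter-map; it is not code from the Cisco guide or from IOS XE. It assumes the ISR applies each `pattern` as an unanchored regular-expression search against the queried name, which the guide's `.*engineering.fisco.*` pattern implies but which you should confirm on your own image; the sample query names are constructed. It also shows anchored, dot-escaped equivalents, because an unanchored `www.fisco.com` treats each dot as "any character" and also matches longer names that merely contain it, and every match is a query that bypasses Umbrella inspection.

```python
"""Added example (not from the Cisco guide): model how a local-domain regex
parameter-map decides which intercepted DNS queries bypass Umbrella.

Assumption: the ISR applies each `pattern` as an unanchored regular
expression search against the queried name, as the guide's
`.*engineering.fisco.*` pattern suggests. Verify this on your own image.
"""
import re
from typing import Iterable, List, Tuple

# Patterns exactly as written in the guide's dns_bypass parameter-map.
GUIDE_PATTERNS = ["www.fisco.com", ".*engineering.fisco.*"]

# Tighter equivalents: anchored, with literal dots escaped, so that a name
# such as "www.fiscoXcom" or "www.fisco.com.example.net" no longer bypasses.
ANCHORED_PATTERNS = [r"^www\.fisco\.com$", r"(^|\.)engineering\.fisco\.com$"]


def compile_bypass(patterns: Iterable[str]) -> List[re.Pattern]:
    """Compile the parameter-map patterns; DNS names are case-insensitive."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def classify(qname: str, compiled: List[re.Pattern]) -> str:
    """Return 'local' if the query bypasses Umbrella, else 'umbrella'."""
    name = qname.rstrip(".")  # ignore a trailing root dot
    return "local" if any(r.search(name) for r in compiled) else "umbrella"


def classify_all(qnames: Iterable[str], patterns: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify every query name against the given pattern list."""
    compiled = compile_bypass(patterns)
    return [(q, classify(q, compiled)) for q in qnames]


# Constructed sample queries (not from the guide).
SAMPLE_QUERIES = [
    "www.fisco.com",
    "build.engineering.fisco.com",
    "www.fiscoXcom",              # '.' in the guide pattern matches any char
    "www.fisco.com.example.net",  # unanchored pattern also matches here
    "www.example.com",
]

if __name__ == "__main__":
    for pats in (GUIDE_PATTERNS, ANCHORED_PATTERNS):
        print(pats)
        for q, verdict in classify_all(SAMPLE_QUERIES, pats):
            print(f"  {q:30} -> {verdict}")
```

With the guide's patterns, four of the five constructed names are sent to the local DNS server; with the anchored forms, only the two intended names are. Whichever way your image evaluates patterns, keeping bypass regexes anchored and dot-escaped keeps the set of uninspected queries as small as you intended.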
***Resolver IP***

The following commands change the redirection of DNS packets from the Cisco 4000 Series ISR to the Cisco Umbrella cloud:

* resolver ipv4 1.1.1.1
* resolver ipv4 1.1.1.2
* resolver ipv6 1234::1
* resolver ipv6 2345::1

In this example, all IPv4 DNS packets are redirected to 1.1.1.1 or 1.1.1.2 and IPv6 DNS packets are redirected to 1234::1 or 2345::1. To restore the default resolver values, remove the configured IP addresses. When you modify a resolver IP address, the following message is displayed:

```text
User configured would overwrite defaults
Defaults are restored when no more user configured are present
```

With the default values of 208.67.222.222 and 208.67.220.220, all DNS packets are redirected to the Cisco Umbrella Anycast resolvers. The Cisco 4000 Series ISR uses the first default resolver IP address for all its redirection. When the Cisco 4000 Series ISR does not receive a response for three consecutive DNS queries, it automatically switches to a different resolver IP address. This behavior is the same for IPv6 resolver addresses.

***Public-key***

The public-key is used to download the DNSCrypt certificate from the Cisco Umbrella cloud. This value is preconfigured to B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79, which is the public-key of the Cisco Umbrella Anycast servers. If there is a change in the public-key and you modify this command, you have to remove the modified command to restore the default value. If you modify the value, the DNSCrypt certificate download can fail.

***DNSCrypt***

DNSCrypt is an encryption protocol that authenticates communications between the Cisco 4000 Series ISR and Cisco Umbrella. When the *parameter-map type opendns* is configured and *opendns out* is enabled on the WAN interface, DNSCrypt is triggered and a certificate is downloaded, validated, and parsed.
A shared secret key is then negotiated, which is used to encrypt the DNS queries. DNSCrypt downloads this certificate every hour and checks it for updates; a new shared secret key is negotiated to encrypt the DNS queries as well. To disable DNSCrypt, use the *no dnscrypt* command, and to re-enable DNSCrypt, use the *dnscrypt* command.

When DNSCrypt is used, the DNS request packet size will be more than 512 bytes. Ensure that you allow these packets through intermediary devices; otherwise, the response may not reach the intended recipients.

## Verifying the Cisco Umbrella Configuration

You can verify the Cisco Umbrella configuration using the following commands:

*Router# show opendns config*

Output example:

```text
Open DNS Configuration
========================
 Token: AAAAAD288BA440D10E207350339F497A001CCBBB
 Local Domain Regex parameter-map name: NONE
 DNSCrypt: Not enabled
 Public-key: NONE
 Timeout: NONE
 Resolver address: NONE
Open DNS Interface Config:
 Number of interfaces with "opendns out" config: 1
 1. GigabitEthernet0/0/1
 Mode : OUT
 Number of interfaces with "opendns in" config: 1
 1. GigabitEthernet0/0/0
 Mode : IN
 Tag : test1
 Device-id: ...Pending...
```

*Device# show opendns deviceid*

Output example:

```text
Device registration details

Interface Name          Tag            Status       Device Id
GigabitEthernet0/0/0    test1          REQ QUEUED   -
GigabitEthernet0/0/0.1  test498        200 SUCCES   010af8cde579a997
GigabitEthernet0/0/0.2  utah-win-intf  200 SUCCES   010a0a25d20088b8
GigabitEthernet0/0/0.3  utah-win-intf  200 SUCCES   010a0a25d20088b8
GigabitEthernet0/0/0.4  mydevice_tag   REQ QUEUED   -
```

*Device# show opendns dnscrypt*

Output example:

```text
DNSCrypt: Enabled
Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
Certificate Update Status:
 Last Successful Attempt : 10:55:40 UTC Apr 14 2016
 Last Failed Attempt     : 10:55:10 UTC Apr 14 2016
Certificate Details:
 Certificate Magic : DNSC
 Major Version     : 0x0001
 Minor Version     : 0x0000
 Server Public-key : ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
 Query Magic       : 0x717744506545635A
 Serial Number     : 1435874751
 Start Time        : 1435874751 (22:05:51 UTC Jul 2 2015)
 End Time          : 1467410751 (22:05:51 UTC Jul 1 2016)
 Client Public key : 106AE7C2373E5EA68FF90FDA116912D67AF16751F3EEABCB5D8CAAD565D8A44E
```

## Deploying Cisco Umbrella Using Cisco Prime CLI Templates

You can use the Cisco Prime CLI templates to provision the Cisco Umbrella deployment. The Cisco Prime CLI templates make provisioning a Cisco Umbrella deployment simple.

**NOTE:** The Cisco Prime CLI template is supported only on Cisco Prime version 3.1 or later.

To use the Cisco Prime CLI templates to provision the Cisco Umbrella deployment, perform these steps:

1. Download the Cisco Prime templates corresponding to the Cisco IOS XE Denali version running on your system.
2. Unzip the file, if it is a zipped version.
3. From the Cisco Prime Web UI, choose **Configuration > Templates > Features and Technologies**, then select **CLI Templates (User Defined)**.
4. Click **Import**.
5. Select the folder where you want to import the templates to, click **Select Templates**, and choose the templates that you just downloaded to import.

The following Cisco Umbrella templates are available:

* OpenDNS: Use this template to provision the OpenDNS connector on the Cisco 4000 Series ISR.
* Cleanup: Use this template to remove a previously configured OpenDNS connector from the Cisco 4000 Series ISR.

## Testing for Successful Configuration

After the device has been registered, there are some basic and advanced tests that can be performed. These ensure that the ISR has been correctly registered, that Cisco Umbrella can see traffic coming from the ISR, and that you can see the ISR and traffic related to it in the Umbrella dashboard.

*NOTE:* You should use a client that has the IP address of the ISR as its DNS server. In a small "branch office" scenario or in a lab/test environment, this may already be the case; however, in a larger environment, it may not be. If necessary, change the DNS server for the client to the ISR in order to generate traffic for these tests.

You can troubleshoot issues related to enabling the Cisco Umbrella feature using these commands:

* debug opendns device-registration
* debug opendns config
* debug opendns dnscrypt

You can run this command from the client device:

* Use the *nslookup -type=txt debug.opendns.com 8.8.8.8* command from the command prompt of the Windows machine.
* Use the *nslookup -type=txt debug.opendns.com 8.8.8.8* command from the terminal window or shell of the Linux or OS X machine.

The return from either test should include a *device* field in the output. Below is a sample output when the client machine is configured to use Google's public DNS server.
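The two client-side checks in this section (the debug.opendns.com TXT query just described and the internetbadguys.com block-page lookup in the following subsection) can be scripted so that a branch rollout can be verified from many clients without reading each transcript by hand. The Python below is an added example, not part of the Cisco guide; the transcripts it embeds are constructed samples modelled on the guide's output, and the only fixed value it relies on is the block-page address 146.112.61.108 that the guide lists.

```python
"""Added example (not from the Cisco guide): evaluate nslookup transcripts
from a client behind the ISR and report whether the ISR is intercepting DNS.

The transcripts below are constructed samples modelled on the guide's output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One TXT answer line, e.g.  debug.opendns.com  text = "device 010AFE48555956EC"
TXT_LINE = re.compile(r'^\s*\S+\s+text\s*=\s*"([^"]*)"')
# Umbrella block-page address as given in the guide.
BLOCK_PAGE_ADDRESS = "146.112.61.108"


def parse_debug_txt(nslookup_output: str) -> Dict[str, str]:
    """Map each debug.opendns.com TXT record ('key value ...') to a dict."""
    records: Dict[str, str] = {}
    for line in nslookup_output.splitlines():
        m = TXT_LINE.match(line)
        if m:
            key, _, value = m.group(1).partition(" ")
            records[key] = value.strip()
    return records


@dataclass
class InterceptCheck:
    intercepted: bool        # a 'device' record came back, so the ISR forwarded the query
    device_id: str = ""
    dnscrypt: bool = False   # a 'dnscrypt enabled (...)' record was present
    problems: List[str] = field(default_factory=list)


def check_interception(nslookup_output: str) -> InterceptCheck:
    """Decide from the TXT records whether the client's DNS went via the ISR."""
    recs = parse_debug_txt(nslookup_output)
    result = InterceptCheck(intercepted="device" in recs, device_id=recs.get("device", ""))
    result.dnscrypt = recs.get("dnscrypt", "").startswith("enabled")
    if not result.intercepted:
        result.problems.append("no 'device' record: the query did not pass through the ISR")
    elif not result.dnscrypt:
        result.problems.append("queries reach Umbrella but are not DNSCrypt-protected")
    return result


def block_page_returned(nslookup_output: str) -> bool:
    """True when an answer A record is the Umbrella block-page address."""
    addrs = re.findall(r"^Address:\s*(\S+)\s*$", nslookup_output, re.MULTILINE)
    # The first 'Address:' line names the resolver itself; answers follow it.
    return BLOCK_PAGE_ADDRESS in addrs[1:]


# Constructed transcript modelled on the guide's intercepted case.
INTERCEPTED_SAMPLE = """\
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:

debug.opendns.com text = "server 1.nyc"
debug.opendns.com text = "device 010AFE48555956EC"
debug.opendns.com text = "flags 422 0 5040 19FD000780000000000"
debug.opendns.com text = "originid 44491141"
debug.opendns.com text = "orgid 300727"
debug.opendns.com text = "source 67.215.92.210::47726"
debug.opendns.com text = "dnscrypt enabled (717473654A614970)"
"""

# Constructed transcript for a client whose queries bypass the ISR.
NOT_INTERCEPTED_SAMPLE = """\
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:

debug.opendns.com text = "server 1.nyc"
debug.opendns.com text = "source 203.0.113.7::40211"
"""

# Constructed block-page lookups; 192.0.2.1 stands in for the ISR's LAN address.
BLOCK_PAGE_SAMPLE = """\
Server: 192.0.2.1
Address: 192.0.2.1#53
Non-authoritative answer:
Name: internetbadguys.com
Address: 146.112.61.108
"""
NOT_BLOCKED_SAMPLE = """\
Server: 192.0.2.1
Address: 192.0.2.1#53
Non-authoritative answer:
Name: internetbadguys.com
Address: 198.51.100.25
"""

if __name__ == "__main__":
    for label, sample in (("intercepted", INTERCEPTED_SAMPLE), ("bypassed", NOT_INTERCEPTED_SAMPLE)):
        print(label, check_interception(sample))
    print("block page:", block_page_returned(BLOCK_PAGE_SAMPLE))
```

In practice you would feed the script the output of `nslookup -type=txt debug.opendns.com 8.8.8.8` and `nslookup internetbadguys.com` captured on each client; a client that returns no `device` record, or an answer other than the block-page address, is one whose DNS is not actually flowing through the ISR.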
As you can see below, the Device ID is passed to Cisco Umbrella's DNS service in the query, yet it still shows the server that was being queried as 8.8.8.8. This shows a perfectly executed DNS hijack by the ISR. If it is NOT intercepting traffic, the results will be much shorter than what's displayed below.

```text
user$ nslookup -type=txt debug.opendns.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:

debug.opendns.com text = "server 1.nyc"   [This is the specific resolver the query ran against]
debug.opendns.com text = "device 010AFE48555956EC"
debug.opendns.com text = "flags 422 0 5040 19FD000780000000000"
debug.opendns.com text = "originid 44491141"
debug.opendns.com text = "orgid 300727"
debug.opendns.com text = "actype 0"
debug.opendns.com text = "bundle 399367"
debug.opendns.com text = "source 67.215.92.210::47726"   [This is the egress IP that Cisco Umbrella saw the query come from]
debug.opendns.com text = "dnscrypt enabled (717473654A614970)"
```

#### Checking the Block Page is available

To check that the block page will be returned as expected from a client using the ISR to pass DNS traffic through:

* Linux or OS X: from the terminal window or shell, run *nslookup internetbadguys.com*
* Windows: from the command prompt, run *nslookup internetbadguys.com*

In return, you will receive the IP address of the Cisco Umbrella block page:

```text
Non-authoritative answer:
Name: internetbadguys.com
Address: 146.112.61.108
```

## Logging into Umbrella for the first time with your registered device and tags

Authenticate to the Umbrella dashboard by going to [http://dashboard.umbrella.com](http://dashboard.umbrella.com) and logging into the dashboard with your account information. Upon first logging in, you will see an Overview report of traffic from your organization.
Traffic can take up to 90 minutes to first begin populating in the Dashboard, after which the reporting should be real-time.

1. Navigate to **Reporting > Activity Search** to see the real-time traffic.
2. Navigate to **Identities > Network Devices** to check whether the ISR has registered as a device in the Umbrella dashboard.

![network_devices.jpg](https://files.readme.io/5f5216e-network_devices.jpg)

If successfully registered, the ISR appears here. Clicking the Device Name expands the window. You can rename the device or delete it from the dashboard. Click **How to remove this device** to access the Delete button.

![delete_device.jpg](https://files.readme.io/cbe323e-delete_device.jpg)

<a name="testing_successful_configuration"></a>
#### Testing for successful configuration and checking traffic in Reports

Once your ISR is configured and appears as a Network Device in Umbrella, any traffic sent from an endpoint device (laptop, workstation, server or any other network-connected device) behind the ISR will appear in the Umbrella Dashboard as Activity. If Internet availability is not a problem, navigate to **Reporting > Activity Search**. The traffic from the device to the ISR, then to Cisco Umbrella, should appear here as Activity.

To test whether basic security filtering is already in place, go to [http://internetbadguys.com](http://internetbadguys.com) in the browser of your test device. The website should display a blocked message in the browser if everything is working correctly. Alternatively, running a dig or nslookup against that website from the command line will also generate traffic. Return to the Umbrella dashboard, click **Reporting > Security Activity** and run the report. A block for "Phishing" should appear in the report.
#### Configuring a unique policy for the ISR as a Device Identity in Cisco Umbrella

Next, configure your policy with the policy wizard. Depending on your preference, you may wish to create a new policy or simply modify the Default policy to suit your needs. These steps apply when creating your first policy, or when going back to edit an existing policy.

By default, there's always a single policy: the Default policy. This policy applies to all identities when no other policy above it covers that identity. In other words, the Default policy is a catch-all to ensure all identities within your organization receive a baseline level of protection. You can find out more about policies [here](https://docs.umbrella.com/product/umbrella/customize-your-policies-1/).

The screenshot below shows one policy created manually and ordered above the default policy, and how all devices and networks are applied.

![ISR_policy.jpg](https://files.readme.io/b9a43ff-ISR_policy.jpg)

To start building and understanding your policies:

1. Navigate to **Policies > Policy List** and click the **+** (**Add**) icon or expand the default policy. If you select the default policy, all Identities are selected, so the second step can be skipped.
2. Select the identities to which the policy will be applied. If you simply have a single ISR configured as a Device in your dashboard, select that single Identity and click **Next**. If you have more than one, you can select all the ISRs in a group.

![select_idents.jpg](https://files.readme.io/af877f0-select_idents.jpg)

3. Select what you want this policy to do.
![what_policy_do.png](https://files.readme.io/8bd0d99-what_policy_do.png)

The four options shown correspond to policy features: security settings, IP layer enforcement, content category blocks and custom destination lists.

* **Enforce Security at the DNS Layer**: These settings relate directly to the blocking of domains based on whether they are malicious and provide a base level of security protection. We recommend always selecting this.
* **Inspect Files**: Selectively inspect files in the cloud, not on premises, so there is no need for additional hardware. The inspection is done with Cisco AMP and an antivirus. For more information, see [Enable File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection/).
* **Limit Content Access**: These settings filter types of content based on your organization's acceptable use policies; typically this is recommended.
* **Apply Destination Lists**: If you have particular domains you'd like to allow or block, add them to a destination list. There are two by default, _block_ or _allow_, and you can create more to organize groups of domains. The two defaults are the "Global" lists, meaning they apply to *any* policy. It's up to you whether you have anything in particular you'd like to block right away.

Underneath the options for what the policy should do, you'll find Advanced Settings. These include the Intelligent Proxy, SSL Decryption, the "Allow-Only mode" (previously known as 'white list mode') and logging options.

![advanced_settings.jpg](https://files.readme.io/c7c7970-advanced_settings.jpg)

Once you've picked what the policy should do, click **Next**.

4. Configure security settings and click **Next**. These settings determine which types of security threats are blocked.
For more information on what each of these categories represents, see [Understanding Security Categories](https://docs.umbrella.com/product/umbrella/understanding-the-security-categories/).

![secure_set.jpg](https://files.readme.io/d5a2a2f-secure_set.jpg)

5. Configure content access settings and click **Next**. These settings filter types of content based on your organization's acceptable use policies. They allow the selection of content categories to be blocked for the devices selected in the second step of the policy editor. By default, no content categories are blocked. To create a new set of content filtering rules, choose "Create New Setting" from the Custom Setting drop-down list.

![content_access.jpg](https://files.readme.io/1b9ed2c-content_access.jpg)

6. Apply destination lists and click **Next**. If you have particular domains you'd like to allow or block, add them to a destination list. There are two by default, block or allow, and you can create more to organize groups of destinations. Note that each destination list can be set to be a block list (default) or an allow list. We recommend adding domains in the format "domain.com" rather than www.domain.com to ensure *.domain.com is included. Allow list entries always take precedence over block list entries.

![destination_apply.jpg](https://files.readme.io/fefb8a4-destination_apply.jpg)

7. Set a block page and click **Next**. You can optionally create a unique block page for your users, as well as a way to bypass that block page. Default settings are selected by default and will display the Cisco Umbrella block page and the type of block if and when users reach blocked content.
![set_block_page.jpg](https://files.readme.io/53be0e2-set_block_page.jpg)

8. Give your policy a good, meaningful name, review the settings, and click **Save**. The name of a policy is not purely cosmetic: the next section of this document outlines how to "auto-attach" a pre-existing policy for future ISRs.

![review_policy.jpg](https://files.readme.io/d96a08c-review_policy.jpg)

#### "Auto-attach" a pre-existing policy for ISRs added in future

A helpful feature is to add a policy for an ISR in advance of that device being added to the Umbrella dashboard. This means that as soon as the device is registered, the policy applied to it will be whatever you've configured and there will be no need to manually add the device to an existing policy.

A normal use case is when you have a large number of ISR boxes. Each ISR would register a "guest" and a "corp" tag. We'd want all of those "guest" devices to go into the same "guest" policy.

When a Network Device registers with a tag, the API checks whether there are any policies with exactly the same name (aka Policy Description) as the tag. If such a policy exists, the newly registered Network Device is immediately assigned this policy. The name must match the tag exactly (although it is not case-sensitive). This process only occurs at the time of registration, so if a policy is created after registration, you will need to assign existing Network Devices to it manually. Tags are not unique, but the combination of Model + MAC Address + Tag is unique within an organization. Because the match is made on the tag name alone, anyone who can configure a tag on a device that holds the API token can select whichever policy shares that name, so treat the token and the tag configuration as policy-controlling settings.

## Adding additional ISRs, managing existing ISRs, or removing an ISR from the Umbrella Dashboard

If you wish to add additional ISRs, simply authenticate these devices with Cisco Umbrella as you've done with the devices that are already present in the dashboard.
The information about a device, such as Serial Number and Device Name, can be set by the device itself, but it can be changed in the Umbrella Dashboard in case the Device Name is not helpful or is a duplicate. Where applicable, it's a good idea to include information about the physical location or network address of the device. To manage the list of devices, use the Filter functionality or group the devices together.

To remove a device, you must remove the authentication (username/password or API token) from the device first, or simply take the device offline if you're decommissioning it. Otherwise, even if it has been deleted from the dashboard, the device will reappear in the dashboard when it sends additional traffic. Once authentication has been removed from the device, it can be deleted from the dashboard by clicking **How to remove this device**, then clicking **Delete**.

---

**Integration for ISR 4K – Security Configuration Guide**

> [Wireless LAN Controller Integration](https://docs.umbrella.com/product/hardware/opendns-wlc_integration_guide/)