Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8501
Views
5
Helpful
1
Replies

Block & Permit access in Umbrella

anousakisioannis
Level 1
Level 1

‎12-11-2018 02:20 AM

Hello all,

 

I have a question regarding Umbrella product.

Let's say that we have one organization with 1000 employees.

In the Active Directory (AD), i have created groups like Sales,Marketing,Accounting,etc... and i have assigned the users to the appropriate group(or groups)

In umbrella, i have updated Global Allow List and Global Block List in Destination Lists panel with the websites that i want to be allowed and blocked.

Example Global Allow List:

www.google.com

www.cisco.com

office365.com

...

Example Global Block List:

www.music.com

www.malware.com

...

 

The above setting will be applied globally for all users without checking in which group the user belongs.

Is this correct?

 

Now, i want to specify allowed sites for one AD group,let's say Accounting.

I will create a new Destination List, i will name it "Accounting Allow" and this list will permit the specifies websites i want.

 

When i will create the policy for this department, it will take by default the Global Allowed and Blocked List and i will also assign the Destination List i created for this department.

 

I suppose with this configuration, that users which belong to AD group Accounting, they will have access to websites from Global Allow List and "Accounting Allow" and they will not be able to access the websites from Global Block List.

Am i right?

 

Finally, my basic question here is, how all the other websites are being blocked? Should i define them somewhere else?

I mean the websites that are not part of Global Block List. In my organization, i want each department to have access to specific websites.

Will be the other websites be blocked by the Content?

 

Please let me know if you need more information.

 

Thank you in advance,

Giannis 

Labels:
0 Helpful
1 Reply 1

Niles Pyelshak
Cisco Employee
Cisco Employee

‎01-10-2019 09:21 AM

My response…please see inline…

 

 

The above setting will be applied globally for all users without checking in which group the user belongs.

 

Is this correct?

 

np: It's not clear if you have integrated AD into Umbrella.  Depends on if you have AD integrated or not.

 

 

 

Now, i want to specify allowed sites for one AD group,let's say Accounting.

 

I will create a new Destination List, i will name it "Accounting Allow" and this list will permit the specifies websites i want.

 

np: Depends on if you have AD integrated or not.  If you have AD integrated, then you can create and enforce policies on the specific identity AD groups. Keep in mind the Policy Precedence.  Also, be sure to use the nifty  Policy Tester from the Umbrella dashboard to ensure desired results.

https://docs.umbrella.com/deployment-umbrella/docs/1-ad-integration-setup-overview

 

See Precedence doc

https://docs.umbrella.com/deployment-umbrella/docs/policy-precedence

 

 

 

When i will create the policy for this department, it will take by default the Global Allowed and Blocked List and i will also assign the Destination List i created for this department.

 

np:  Correct.  Global Allowed and blocked is globally applied. 

 

https://docs.umbrella.com/deployment-umbrella/docs/working-with-destination-lists

 

See Precedence doc

https://docs.umbrella.com/deployment-umbrella/docs/policy-precedence

 

 

 

I suppose with this configuration, that users which belong to AD group Accounting, they will have access to websites from Global Allow List and "Accounting Allow" and they will not be able to access the websites from Global Block List.

 

Am i right?

 

np:  Correct.  The Umbrella Identity or AD group will access the policy in which you assign and apply to them.  The policy wizard will give you the option to apply the destination list accordingly.

 

https://docs.umbrella.com/deployment-umbrella/docs/customize-your-policies-1#detail

 

https://docs.umbrella.com/deployment-umbrella/docs/6-configure-policies

 

 

 

Finally, my basic question here is, how all the other websites are being blocked? Should i define them somewhere else?

 

np:  Cisco Umbrella has a Default Policy that is a catch-all policy for those that you have not defined.  The Global Allow list and Global Block List is also applied to the default policy.

https://docs.umbrella.com/deployment-umbrella/docs/best-practices-for-defining-policies

 

I mean the websites that are not part of Global Block List. In my organization, i want each department to have access to specific websites.

 

np:  You can customize the allow and block destinations and associate them to the proper identity/departments you see fit all from the Umbrella Dashboard.

 

Will be the other websites be blocked by the Content?

 

np:  Cisco Umbrella has predefined Content categories and provides the option to customize.

https://docs.umbrella.com/deployment-umbrella/docs/content-categories

 

There is a policy tester that you should always use to ensure that the policies are blocking what you intended to.

https://docs.umbrella.com/deployment-umbrella/docs/umbrella-policy-tester-1

 

 

Will be the other websites be blocked by the Content?

 

Niles:  Default Policy is the catch-all for all identities you haven't defined a specific policy for

 

https://docs.umbrella.com/deployment-umbrella/docs/best-practices-for-defining-policies

 

 

HTP,

Niles

Customers Also Viewed These Support Documents