07-29-2020 12:55 AM
Hi Guys,
I have deployed the Cisco Umbrella and it's working fine. Now I have a new requirement: we have 5 internal subnets, and the company wants to deny the DNS resolution requests from the 172.30.0.0/16 subnet except for the 172.30.111.0/24 segment on Umbrella.
Let me know how I can do this task.
Thanks
Accepted Solutions
07-29-2020 02:01 AM
The DNS policies are applied top down on a first-match basis. If you define the first rule in "Allow-only mode" for 172.30.0.0/16, then that will also affect the 172.30.111.0/24 network. Your topmost rule would need to permit from 172.30.111.0/24, and the rule below it should be "Allow-only mode".
07-29-2020 01:50 AM
You don't want the 172.16.0.0/16 network to resolve any DNS request?
Assuming you are using the Umbrella Virtual Appliance (VA), you could define a couple of DNS policies. Create the first policy, which permits 172.30.111.0/24, and another policy (or the default) which is set to "Allow-only mode", which allows only a list of defined domains and blocks the rest.
HTH
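The two replies above (the accepted answer on first-match ordering and the two-policy suggestion) both hinge on the same point: a broad "Allow-only mode" policy placed above a narrower permit policy silently shadows it. The following is an added example, not code from Cisco Umbrella or from anyone in this thread; it is a small top-down first-match evaluator plus a check that flags any policy whose identities are entirely covered by an earlier one. The policy names, the "permit"/"allow-only" mode strings, the 10.0.0.0/8 and 192.168.0.0/16 "other subnets" and the empty allow list are all constructed for illustration and are not Umbrella configuration syntax.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DnsPolicy:
    """One DNS policy: the source networks (identities) it applies to and what it does.

    mode "permit"     -> normal resolution for every domain
    mode "allow-only" -> only domains on allowed_domains resolve; everything else is blocked
    (constructed model of the behaviour described in the thread, not Umbrella's own API)
    """
    name: str
    identities: list                       # CIDR strings of the internal networks covered
    mode: str
    allowed_domains: set = field(default_factory=set)

    def covers(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n) for n in self.identities)

    def decide(self, domain: str) -> str:
        if self.mode == "permit":
            return "resolve"
        # allow-only: an empty allow list blocks every lookup from the covered networks
        return "resolve" if domain in self.allowed_domains else "block"


def evaluate(policies, client_ip: str, domain: str):
    """Top-down, first-match: the first policy whose identities cover the client decides."""
    for policy in policies:
        if policy.covers(client_ip):
            return policy.name, policy.decide(domain)
    return "default", "resolve"          # nothing matched: the default policy applies


def shadowed_policies(policies):
    """Return (earlier, later, network) triples where a later policy's network sits
    entirely inside an earlier policy's network, so that later policy can never match."""
    hits = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            for cidr in later.identities:
                net = ipaddress.ip_network(cidr)
                if any(net.subnet_of(ipaddress.ip_network(e)) for e in earlier.identities):
                    hits.append((earlier.name, later.name, cidr))
    return hits


# Constructed policies mirroring the thread: permit the /24, deny the rest of the /16.
PERMIT_24 = DnsPolicy("Permit-172.30.111.0/24", ["172.30.111.0/24"], "permit")
DENY_16 = DnsPolicy("Deny-172.30.0.0/16", ["172.30.0.0/16"], "allow-only")   # empty allow list
OTHER_SUBNETS = DnsPolicy("Custom-security", ["10.0.0.0/8", "192.168.0.0/16"], "permit")

WRONG_ORDER = [DENY_16, PERMIT_24, OTHER_SUBNETS]    # /16 first: the /24 permit is shadowed
RIGHT_ORDER = [PERMIT_24, DENY_16, OTHER_SUBNETS]    # /24 first: the exception works


if __name__ == "__main__":
    for label, order in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, "172.30.111.10 ->", evaluate(order, "172.30.111.10", "example.com"))
        print(label, "172.30.5.10   ->", evaluate(order, "172.30.5.10", "example.com"))
        print(label, "shadowed:", shadowed_policies(order))
```

Running it shows the /24 client blocked under WRONG_ORDER and resolving under RIGHT_ORDER, while hosts elsewhere in the /16 are blocked in both; `shadowed_policies` reports the unreachable permit rule in the wrong ordering and nothing in the right one, which is the check worth running whenever a policy list is reordered.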
07-29-2020 01:55 AM
Hi Rob,
Thanks for the response. I'm using 2 VAs and I have 1 custom security policy on Umbrella. You want me to create another policy on top of that custom policy to block everything for that subnet, and all the other subnets will use the secondary policy to access the internet?
Let me know if my understanding is correct.
07-29-2020 02:05 AM
Hi Rob,
- Permit from 172.30.111.0/24
- Deny everything from 172.30.0.0/16
- Allow policy for the other subnets with all the custom security
- Default policy
As you suggested will make the policy in this way.
Thanks.
