05-15-2025 04:10 PM - edited 05-19-2025 02:33 PM
Are there best practices for using Umbrella to control the use of generative AI and ML?
Our intention is to block all AI-generated applications by default, including new sites, and then gradually allow AI-generated applications once we have confirmed they do not pose security issues.
We are using Cisco Umbrella DNS Security.
05-18-2025 04:32 PM
05-25-2025 07:23 AM - edited 06-02-2025 09:04 PM
I would like to use this in conjunction with enabling (blocking) generative AI in the content category and adding generative AI sites to the destination list (allow).
06-02-2025 01:06 PM - edited 06-02-2025 06:33 PM
Hi @masa.oym,
Sorry for the late reply, hope you're doing well! Have you sorted this one yet? I'll add some comments below, but bear in mind I will go over a few things that you will already know about / have already mentioned so that other readers can benefit.
If you are solely using the Protective DNS (PDNS) / DNS Security, the best way to control access to AI content is a combination of two methods:
If you would like to action an explicit block-all for AI-related services, I would recommend blocking the Generative AI content category. This can be done under 'Policy Components' > 'Content Categories' by editing the content category for the attached DNS Policies you have configured. Alternatively, you can edit the Content Category directly under the DNS Policy. This is suggested because not all AI services have an application signature/entry under Application Settings. Therefore, by skipping this step, there is a high chance that some AI services will still be allowed.
In addition to the above, you can configure your Application Settings so that a default block is in place. A default block means that any applications that Cisco adds in the future will be added to the list and ticked as blocked. This is done by ticking the entire Application Settings category for 'Generative AI'. A 'gear/cog' icon will appear next to the category - ensure it is set to 'Block'. For allowing specific applications, click the 'gear/cog' icon next to the individual application and set it to allow. It is a requirement that all applications are ticked for the dynamic updates to work properly. Shown below is the correct setup to ensure applications are blocked dynamically/immediately as applications become available.
In Umbrella DNS Policies, all allows take precedence over blocks. This means if you configure an application as allowed, it cannot be blocked by anything else, including a destination list block.
In terms of best practices for managing and updating the list, you can use 'App Discovery' from the 'Reporting' tab to review Generative AI applications and add them to the allow list from the same page. Another option is to edit the DNS Policy's attached Application Settings directly through the DNS Policy page. The last method is to modify the Application Settings from the Policy Components. Any of these ways is fine as long as it suits you. Generally, editing from the Policy Components screen is preferred as it carries less risk/opportunity to change the wrong thing than editing the policy directly.
Hopefully this answers your question nicely. If you've any further questions let me know!
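To make the precedence rules in the reply above concrete, here is an added example (not from the original thread, and not Umbrella's own code or data) that models a DNS Policy as a simplified decision function: allows win over every block, an app-level default block catches signed applications, and the content category catches AI domains that have no application signature yet. The domain-to-app and domain-to-category tables are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample classification data (hypothetical, not Umbrella's real signatures).
APP_BY_DOMAIN = {
    "chat.example-ai.test": "ExampleChat",
    "images.other-ai.test": "OtherImageGen",
}
APP_GROUP = {"ExampleChat": "Generative AI", "OtherImageGen": "Generative AI"}
CATEGORY_BY_DOMAIN = {
    "chat.example-ai.test": "Generative AI",
    "images.other-ai.test": "Generative AI",
    "brand-new-ai.test": "Generative AI",   # categorised, but no app signature yet
    "news.test": "News/Media",
}

@dataclass
class DnsPolicy:
    blocked_categories: set = field(default_factory=set)   # content category blocks
    app_groups_blocked: set = field(default_factory=set)   # whole app group ticked as Block
    app_overrides: dict = field(default_factory=dict)      # app name -> "allow" | "block"
    dest_allow: set = field(default_factory=set)           # destination list (allow)
    dest_block: set = field(default_factory=set)           # destination list (block)

def evaluate(policy: DnsPolicy, domain: str) -> tuple:
    """Return (verdict, reason). Simplified model: any allow beats any block."""
    app = APP_BY_DOMAIN.get(domain)
    category = CATEGORY_BY_DOMAIN.get(domain)
    if domain in policy.dest_allow:
        return ("allow", "destination list allow")
    if app and policy.app_overrides.get(app) == "allow":
        return ("allow", f"application allow: {app}")
    if domain in policy.dest_block:
        return ("block", "destination list block")
    if app and (policy.app_overrides.get(app) == "block"
                or APP_GROUP.get(app) in policy.app_groups_blocked):
        return ("block", f"application block: {app}")
    if category in policy.blocked_categories:
        return ("block", f"content category block: {category}")
    return ("allow", "no matching rule")

def default_deny_policy(with_category_block: bool = True) -> DnsPolicy:
    """The setup described in the reply: block-all for Generative AI, one app allowed."""
    return DnsPolicy(
        blocked_categories={"Generative AI"} if with_category_block else set(),
        app_groups_blocked={"Generative AI"},
        app_overrides={"ExampleChat": "allow"},
        dest_block={"chat.example-ai.test"},   # cannot override the app allow
    )

if __name__ == "__main__":
    for d in CATEGORY_BY_DOMAIN:
        print(d, evaluate(default_deny_policy(), d))
```

Running it shows the two points the reply makes: `brand-new-ai.test` is blocked only when the content category block is present, and the destination list block on `chat.example-ai.test` has no effect because the application is allowed.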