Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1868
Views
0
Helpful
1
Replies

Umbrella - Policy Conditional Processing

ci-chris
Community Member

‎03-31-2022 07:39 PM

I am working to implement Umbrella within our organization and am working to setup some policies.  I'm not sure if this is a feature request or if I am just doing something incorrectly.  Basically the policies I am attempting to implement are:

 

1. A policy  only containing and allowed destination list(s) that won't do any type logging for example microsoft

2. A policy that would allow a specific set user(s) to visit say facebook using a destination list

3. A secure policy that has our prod network with all the website/app's that we don't want to allow

4. The default policy

 

In my testing of the policies if I try to visit microsoft I would expect it the hit policy 1, but it is hitting the default policy.  My other test was for policy #2 by testing with a username that is listed on the identity of the policy and visit facebook and it works as expected but if I visit say yahoo it still applies policy #2 instead of the 3rd policy. 

 

It's like if I use any type of identity the policy processing doesn't use any other values ie destination lists for determining on applying a policy. 

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Esha Goyal
Cisco Employee
Cisco Employee

‎04-10-2022 11:40 AM

Hello,

 

Umbrella has Allowlist-Only feature within policies. The feature will block the entire Internet, allowing only sites deliberately added to an allowlist. For example if you want to allow facebook only for 3 users then add those users and accessible domains for them in that policy.

Screenshot 2022-04-11 at 12.09.07 AM.png

 

Policies are applied to identities using a "first match" methodology based on rank (the number listed at the left of each policy), which follows a top to bottom execution order. Therefore, only the highest ranked policy that matches an identity is applied, and all subsequent lower ranking matches are ignored.

In general, the topmost policy in the list that is added to an end user applies. However, this gets more complex when a user has multiple identities such as Umbrella roaming client and an Active Directory (AD) user active at the same time.

If an identity has no matches in any custom policy, the Default Policy will apply to the identity. If you'd like to find out which policy is matched for a particular identity, check umbrella policy tester:

 

Screenshot 2022-04-11 at 12.06.43 AM.pngScreenshot 2022-04-11 at 12.06.55 AM.png

0 Helpful
Customers Also Viewed These Support Documents