
Umbrella - Policy Conditional Processing

ci-chris
Level 1

I am working to implement Umbrella within our organization and am working to set up some policies. I'm not sure if this is a feature request or if I am just doing something incorrectly. Basically, the policies I am attempting to implement are:

 

1. A policy only containing an allowed destination list(s) that won't do any type of logging, for example Microsoft

2. A policy that would allow a specific set of user(s) to visit, say, Facebook using a destination list

3. A secure policy that has our prod network with all the websites/apps that we don't want to allow

4. The default policy

 

In my testing of the policies, if I try to visit Microsoft I would expect it to hit policy 1, but it is hitting the default policy. My other test was for policy #2, by testing with a username that is listed on the identity of the policy and visiting Facebook, and it works as expected, but if I visit, say, Yahoo, it still applies policy #2 instead of the 3rd policy.

 

It's like if I use any type of identity, the policy processing doesn't use any other values, i.e. destination lists, for determining whether to apply a policy.


Esha Goyal
Cisco Employee

Hello,

 

Umbrella has an Allowlist-Only feature within policies. The feature will block the entire Internet, allowing only sites deliberately added to an allowlist. For example, if you want to allow Facebook only for 3 users, then add those users and the accessible domains for them in that policy.


 

Policies are applied to identities using a "first match" methodology based on rank (the number listed at the left of each policy), which follows a top to bottom execution order. Therefore, only the highest ranked policy that matches an identity is applied, and all subsequent lower ranking matches are ignored.

In general, the topmost policy in the list that is added to an end user applies. However, this gets more complex when a user has multiple identities such as Umbrella roaming client and an Active Directory (AD) user active at the same time.

If an identity has no matches in any custom policy, the Default Policy will apply to the identity. If you'd like to find out which policy is matched for a particular identity, check the Umbrella policy tester.
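The first-match behaviour described in the reply above, as an added example that is not part of the original thread and not Cisco's code: a simplified model in which a policy is selected by identity and rank only, and the destination list is read after selection. The policy names, identity names and the `shadowed` check are constructed for illustration, and the model treats a request's identities as a flat set rather than reproducing how Umbrella ranks several identities active at once.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    rank: int                  # lower number = higher in the policy list
    name: str
    identities: frozenset      # identities the policy is attached to
    allow_list: frozenset = frozenset()  # destination list, read only after selection

DEFAULT = Policy(rank=10**6, name="Default Policy", identities=frozenset())

def select_policy(policies, request_identities):
    """First match by rank. The destination is deliberately not an input."""
    for policy in sorted(policies, key=lambda p: p.rank):
        if policy.identities & frozenset(request_identities):
            return policy
    return DEFAULT

def evaluate(policies, request_identities, destination):
    """Return (selected policy name, destination is on that policy's allow list)."""
    policy = select_policy(policies, request_identities)
    return policy.name, destination in policy.allow_list

def shadowed(policies):
    """Names of policies whose identities are all claimed by higher-ranked ones."""
    seen, hidden = set(), []
    for policy in sorted(policies, key=lambda p: p.rank):
        if policy.identities and policy.identities <= seen:
            hidden.append(policy.name)
        seen |= policy.identities
    return hidden

# Constructed layout modelled on the question (identity names are made up).
POLICIES = [
    Policy(1, "Allow-only, no logging", frozenset({"network:lab"}), frozenset({"microsoft.com"})),
    Policy(2, "Facebook users", frozenset({"user:alice"}), frozenset({"facebook.com"})),
    Policy(3, "Secure prod", frozenset({"network:prod"})),
]

if __name__ == "__main__":
    alice = {"user:alice", "network:prod"}
    print(evaluate(POLICIES, alice, "facebook.com"))   # selected by identity
    print(evaluate(POLICIES, alice, "yahoo.com"))      # same policy, other destination
    print(evaluate(POLICIES, {"network:guest"}, "microsoft.com"))  # no identity match
    print(shadowed(POLICIES + [Policy(4, "Late rule", frozenset({"user:alice"}))]))
```

In this model a request from `user:alice` lands on the second policy whatever the destination, which is the behaviour the question observed for Yahoo, and a policy whose identities are all matched higher in the list is reported as unreachable.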