Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1972
Views
3
Helpful
6
Replies

Unable to remove Umbrella DNS from Inspection in FMC

Michael Bartholomæussen
Level 1
Level 1

‎09-15-2023 02:33 AM

Hi All,

I need to remove our Umbrella DNS policy from the Inspection part of a Acces Control Policy.

Setting the Umbrella policy to "None", the deployment fails.

I'm only able to apply a different policy, but not remove it entirely.

FMC >> vpn-addr-assign local
FMC >> policy-map type inspect dns preset_dns_map
FMC >> parameters
FMC >> no umbrella device-id 010a05988689d935
dk-dc-transit-ftd-dc01 >> [error] :
no umbrella device-id 010a05988689d935
^
ERROR: % Invalid input detected at '^' marker.
Config Error -- no umbrella device-id 010a05988689d9

Cheers

4 people had this problem
6 Replies 6

Marius Gunnerud
VIP
VIP

‎09-15-2023 03:10 AM

Hmm strange.  What version FMC are you using?

You could try to create a new Umbrella DNS policy, select it and deploy, and then once that is completed, try selecting None again.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Michael Bartholomæussen
Level 1
Level 1
In response to Marius Gunnerud

‎09-15-2023 03:32 AM

I tried to apply a new policy, with the default, but the Umbrella connector is still there, so it routes the quires to Umbrella Cloud
 
Version 7.3.1 (build 19)
Model
Secure Firewall Management Center for VMware
Serial Number
None
Snort Version
2.9.21 (Build 1000)
Snort3 Version
3.1.36.100 (Build 2)
Rule Pack Version
2890
Module Pack Version
3266
LSP Version
lsp-rel-20230912-1032
VDB Version
build 371 (2023-09-01 16:01:22)
Rule Update Version
2023-09-12-001-vrt
Geolocation Update Version
Country Code: 2023-08-17-100, IP: 2023-08-17-100
OS
Cisco Firepower Extensible Operating System (FX-OS) 2.13.0 (build 1022)
0 Helpful

Michael Bartholomæussen
Level 1
Level 1

‎09-16-2023 05:53 AM

UPDATE:

We spend some more time troubleshooting this issue, and discovered that everytime a new Domain bypass is created on the Umbrella Policy, an additional line "domain local bypass" is added to the "Global Umbrella" CMD. These no validation on this in the FMC GUI, and the value in the GUI cannot be "BLANK". We added "none" to the bypass list, and "none" was listed as a domain to be bypassed.

With Flexconfig we managed to remove the bypass config from the LINA code. We also tried to remove "umbrella device-id 010a05988689d9352" with Flexconfig but it failed. We did notice additional whitespace in the commandlet in the configuration.

0 Helpful

Michael McPhee
Cisco Employee
Cisco Employee

‎10-04-2023 12:32 PM

 I am having the exact same issues - cdFMC is on version 7.4, while the 2110 is on 7.3.1. Unable to resolve via Flexconfig and cdFMC.

 

 

ste.ant
Level 1
Level 1

‎03-25-2024 06:23 AM

I'm running FMC and FTD 1150 at 7.2.5.1 and I am experiencing the same issue.

Steve
0 Helpful

Michael Bartholomæussen
Level 1
Level 1

‎03-26-2024 03:02 AM

We had the issue resolved via a TAC case, unfortunately!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card