Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
2594
Views
5
Helpful
0
Comments

Umbrella’s cloud-delivered firewall (CDFW)

Meddane
VIP
VIP
‎05-21-2022 03:04 PM

Umbrella’s cloud-delivered firewall (CDFW) is a cool features that provides Firewall Services in the Cisco Umbrella Cloud without the need to deploy on-premises firewall devices and visibility and control for internet traffic across all branch offices.
To deploy the CDFW firewall services, you can use ISR Router, FTD or ASA, or even vEDGE called Tunnel Device. The deployment is based on the a VPN IKEv2 Site to Site between Umbrella cloud and your Tunnel Device. Once the IKEv2 tunnel is established, you can redirect the internet traffic sourced by your LAN subnets to Cisco Umbrella Firewal services where a Firewall Policies can be applied based on L3/L4 filtering or Application L7 Filtering.
On ISR or ASA you can use PBR to redirect your internet traffic.
On FTD you can use ACP rule permitting LAN traffic going out.

Example on ISR:

ip access-list extended To_Umbrella
permit ip 192.168.20.0 0.0.0.255 any < Identify your LAN Subnet using an access-list>
!
route-map Umbrella-PBR permit 10 < Creates a PBR to redirect all traffic sourced by your LAN subnet through the IKEV2 tunnel >
match ip address To_Umbrella
set interface Tunnel1
!
interface GigabitEthernet 0 < LAN Interface OF your ISR>
ip policy route-map Umbrella-PBR < Associate the Route-map to the LAN Interface >

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents