jonas.resende
VIP Alumni

The Portuguese version of this document can be found at: Cisco Umbrella DNS - Integração com Cisco Meraki MX

Introduction

The integration of the Meraki network with Cisco Umbrella allows customers connected to Meraki MX (firewall) or Meraki MR (access-point) to obtain all the DNS traffic protection provided by Cisco Umbrella DNS services.

Note: This article will be focused on integrating Cisco Umbrella with Meraki MX.

This integration allows administrators to apply and modify filter rules for different groups of clients by assigning a filtering policy to a group policy or on a specific SSID/Wi-Fi network. Once assigned, all DNS requests from clients included in this policy within the Meraki network will be redirected to Cisco Umbrella, where the traffic sent will be analyzed by policies created in the Cisco Umbrella dashboard.

Even if the network is protected with Cisco Meraki, adding Cisco Umbrella brings an additional layer of protection, such as DNS traffic encryption, protection against eavesdropping and man-in-the-middle attacks, SSL decryption to identify files and malicious traffic, management of all policies for network components from one place on the Umbrella dashboard, among other features. Additionally, with Cisco Umbrella roaming, even if the device is not connected to the corporate LAN, it remains protected against all threats on the Internet. 

The integration of Cisco Umbrella with Cisco Meraki MX is the beginning of the transformation and adaptation for the Secure Access Service Edge (SASE) journey, as it integrates an SD-WAN solution with a Cloud Security solution.

Requirements for Integration

The integration between the two solutions has the following requirements:

  • Meraki MX must have the Advanced Security license.
  • Meraki MX must use firmware version 15.10+.

To check both requirements in the Meraki dashboard, navigate to Organization > Configure > License Info, click on License, and check the type of license applied to the device you want to integrate. In this lab, the license applied is MX64-SEC (Advanced Security).

To check the firmware, navigate to Security & SD-WAN > Monitor > Appliance Status; the Firmware Version is shown at the bottom left of the page.

Integration in practice

Before policies and filters can be pushed from Umbrella to the Meraki network, the two dashboards must be connected using an API key generated in the Umbrella dashboard.

Creating the API Key in Umbrella

The first step of the integration is to create an API key in the Umbrella dashboard. To create the Key and Secret, go to Admin > API Keys > Legacy Keys > Umbrella Network Devices and click Generate Token.

Once the Key and Secret are generated, copy them and store them in a safe place.

Adding API Key and Secret to the Meraki Dashboard

To add the API Key and Secret in the Meraki dashboard, navigate to Network-wide > Configure > General. At the bottom of the page is the Cisco Umbrella Account option.

With the API Key and Secret in hand, the next step is to register them in the Meraki dashboard. Click New Credentials, enter the key and secret created in Umbrella, and click Save Changes.

Creating Group Policy in the Meraki Dashboard

After registering the Umbrella API in the Meraki dashboard, it is necessary to create a Group Policy on Meraki to synchronize the Umbrella policy with Meraki.

To create the policy, navigate to Network-wide > Configure > Group Policies and click Add a group.

Give the policy a name and, under Firewall and traffic shaping, select Custom network firewall & shaping rules. The remaining settings can be left at their defaults. Click Save changes at the bottom of the page.

Note: the other settings were left at their defaults, since this article only demonstrates the integration between Meraki and Umbrella; depending on the needs of the network, they can be customized.

The Umbrella policy to be used in this Group Policy can only be added after the policy has been created, so the policy just created must now be edited. Click on it, in this case Umbrella_Policy.

In the Group policy settings, click the Enable Umbrella Protection button; this button was not available while the group policy was being created.

When the notification message appears, click Yes. The message only informs you that Umbrella protection will be activated on the Meraki dashboard. Shortly afterwards, all policies available in Cisco Umbrella appear within the group policy; in this example there is only the Default policy. Click Save Changes at the bottom of the page.

After clicking Save Changes, return to the Umbrella dashboard and go to Deployment > Core Identities > Network Devices; after a few minutes the Meraki device will appear there.

Note: because the Meraki network used in this lab has both an MX (firewall) and an MR (access point), both appear under Network Devices. This article covers only the MX integration; the MR integration will be demonstrated in a future article.

The Device Status is shown as Offline because traffic from the Meraki network to Umbrella has not yet been generated, which will be demonstrated in the next topic.

Applying Group Policy

Group Policy can be applied in different ways:

  • In a VLAN created in MX (demonstrated in the article)
  • On a network-connected client device
  • On a Wi-Fi network SSID

Applying policy to a VLAN on MX

To apply the policy, navigate to Security & SD-WAN > Configure > Addressing & VLANs. Under Routing, select the VLAN to which you want to apply the Group policy and, in Group policy, select the policy created earlier. Click Next > Preview > Update, then the Save button at the bottom of the page.

From this moment on, any device that is connected to the VLAN with the Group policy applied will be redirected to Cisco Umbrella and you can see the traffic in the Reporting > Core Reports > Activity Search menu on the Umbrella dashboard.
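As an added client-side check (not part of the original article), the following POSIX shell script tells whether a host on the VLAN actually has its DNS answered by Umbrella, by inspecting the TXT answer for the Umbrella/OpenDNS diagnostic name debug.opendns.com. The sample answers below are constructed, and the exact record layout is an assumption; only the presence of a "server" record is relied on.

```shell
#!/bin/sh
# Client-side verification that DNS from the Umbrella-enabled VLAN is really
# reaching Umbrella. Umbrella (OpenDNS) resolvers answer a TXT query for
# debug.opendns.com with diagnostic records such as "server r6.lax"; a local
# DNS server that is not Umbrella returns no such record.

# Read `dig +short TXT debug.opendns.com` output on stdin and print
# "umbrella" when an Umbrella diagnostic record is present, else "not-umbrella".
classify_debug_txt() {
  if grep -q '^"server ' ; then
    echo umbrella
  else
    echo not-umbrella
  fi
}

# Print the resolver named in the "server" record (empty when absent).
umbrella_server() {
  sed -n 's/^"server \([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample answers (not captured from a real network):
# a host behind the MX whose queries are redirected to Umbrella ...
PROTECTED_SAMPLE='"server r6.lax"
"flags 20 0 70 0"
"originid 123456789"
"actype 2"'
# ... and a host whose query was answered by a local DNS server, where
# `dig +short` prints nothing because there is no diagnostic record.
LOCAL_SAMPLE=''

# Live check against the resolver this host currently uses
# (requires dig and network access; run the script with --live).
live_check() {
  dig +short TXT debug.opendns.com 2>/dev/null | classify_debug_txt
}

printf '%s\n' "$PROTECTED_SAMPLE" | classify_debug_txt   # umbrella
printf '%s\n' "$PROTECTED_SAMPLE" | umbrella_server      # r6.lax
printf '%s\n' "$LOCAL_SAMPLE" | classify_debug_txt       # not-umbrella
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Running it with --live on a wired client in the VLAN should print umbrella; a client whose queries bypass Umbrella (for example a Wi-Fi client without the policy on its SSID, as noted below) prints not-umbrella.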

Also note that in Network Devices, the Appliance MX is already Active, as the Umbrella cloud is receiving traffic from the Meraki MX.

An important point: with the Meraki MX to Umbrella integration applied per VLAN, the policies work properly only if the device is connected over a wired network, that is, on a LAN port of the MX itself or of an MS switch. If the device is connected to the VLAN with the group policy applied but via Wi-Fi, its traffic will not properly receive Umbrella policy enforcement.

For this reason, when using a Wi-Fi network, it is necessary that the group policy is also applied to the SSID, and not just to the VLAN, a topic that will be covered in another article.

Creating DNS Exclusion

If it is necessary that some traffic is not handled by the Umbrella cloud, it is possible to create an exclusion in the Meraki dashboard.

To do this, navigate to Security & SD-WAN > Configure > Threat Protection, click Enable Umbrella Protection, and click Yes. Note that the Default Policy is selected, and you can now specify domains that should not be routed to Cisco Umbrella, in this case meraki.com.

Note: DNS traffic exclusion is only possible when Umbrella protection is active.

This exclusion prevents traffic for safe/trusted domains from being directed to Umbrella, which reduces the amount of traffic sent to the Umbrella cloud. Examples of such traffic are meraki.com and Office 365, among others.

Note that before the domain exclusion is applied, the domain's traffic is redirected to the Umbrella cloud; after the exclusion, it is handled by the local DNS.

Check for this in the Umbrella dashboard on Reporting > Core Reports > Activity.

Conclusion

This article demonstrated how to integrate a Meraki MX with the Cisco Umbrella DNS feature.

I hope you enjoyed reading.

Leave your like or kudo.

Thanks!

Jonas Resende

Comments
WaqasRaza8704
Level 1

According to your article we need to enable Umbrella protection group policies on the VLAN for wired traffic on the SSID for wireless traffic and for DNS exclusion include the domains in the exclusion list under Threat Protection? All three need to be done, is that correct and have you tested it?

I was under the impression that when you enable Umbrella protection at the Threat Protection level under SD-WAN settings, it enables umbrella protection for the entire Meraki Network, whether wired or wireless, and you do not need to assign Group policies to the VLAN or SSID and you can also include DNS exclusions under Threat Protection. Can you please clarify?

jonas.resende
VIP Alumni

@WaqasRaza8704, after you create the policy and enable Umbrella protection, you need to select which VLAN you want to apply that policy to. Applying the group policy can be done in three ways: on a VLAN created in the MX, on a network-connected client, or on a Wi-Fi network SSID. In this article it is demonstrated only on a VLAN, directly on the MX. In case you do not have an MX in the network, you can apply the policy on the SSID directly.

The DNS exclusion is part of the policy configuration; it is used in case you want to create a DNS exclusion, to avoid some domain being handled by Umbrella DNS. If you don't want an exclusion, all traffic in the VLAN where you enabled protection will be handled in the Umbrella cloud.

WaqasRaza8704
Level 1

Hi,

Thanks for the reply. Actually, Meraki TAC confirmed to me that you in fact do NOT need to apply the policy per VLAN if you are applying it 'globally' for the network under Security --> SD-WAN --> Threat Protection. They also said for the wireless portion specifically you would need to enable it under the SSID but if you are doing it globally for the network that's not required either.

FYI, I have the remote client policy with the remote clients installed on top. My 'Catch-All' policy for on-site users sitting behind the Umbrella-integrated Meraki is below the DNS roaming client policy. Previously, I had activated Umbrella Protection at the Group Policy level and bound it per VLAN. As you're aware, you cannot perform DNS exclusions at the Group Policy/VLAN level. What I started noticing was that even though my roaming client policy was above the on-site catch-all policy for Meraki and I had DNS backoff disabled in Umbrella, all traffic, even for the roaming clients, was going to Umbrella and DNS exclusions in Umbrella were not being respected. So both Umbrella and Meraki TAC agreed that this traffic for roaming clients that are hitting the topmost roaming client policy should not be going to Meraki for any DNS exclusion lookups. But it seems like the VLAN Umbrella Protection feature, which doesn't have the DNS exclusion feature, was enforcing its policy even above the Umbrella Roaming client policy.

Anyhow, as a fix I referred to Meraki and they advised to not use the VLAN/Group Policy Umbrella Protection and simply apply it at the Global Network level and that should give me the option for DNS exclusions. I just tried that and even though DNS exclusions are now being respected for both the roaming client policy in Umbrella and on the on-site policy under Threat Protection, I noticed that DNS enforcement is only happening on the Guest Wi-fi for the on-site policy, and not anyone else. Something tells me that I will need to enable Umbrella Protection under each SSID.