
The Portuguese version of this document can be found at: Cisco Umbrella DNS - Integração com Cisco Meraki MX

Introduction


The integration of the Meraki network with Cisco Umbrella allows customers connected to Meraki MX (firewall) or Meraki MR (access-point) to obtain all the DNS traffic protection provided by Cisco Umbrella DNS services.

Note: This article will be focused on integrating Cisco Umbrella with Meraki MX.

This integration allows administrators to apply and modify filter rules for different groups of clients by assigning a filtering policy to a group policy or on a specific SSID/Wi-Fi network. Once assigned, all DNS requests from clients included in this policy within the Meraki network will be redirected to Cisco Umbrella, where the traffic sent will be analyzed by policies created in the Cisco Umbrella dashboard.

Even if the network is protected with Cisco Meraki, adding Cisco Umbrella brings an additional layer of protection, such as DNS traffic encryption, protection against eavesdropping and man-in-the-middle attacks, SSL decryption to identify files and malicious traffic, management of all policies for network components from one place on the Umbrella dashboard, among other features. Additionally, with Cisco Umbrella roaming, even if the device is not connected to the corporate LAN, it remains protected against all threats on the Internet. 

The integration of Cisco Umbrella with Cisco Meraki MX is the beginning of the transformation and adaptation for the Secure Access Service Edge (SASE) journey, as it integrates an SD-WAN solution with a Cloud Security solution.

Requirements for Integration

The integration between the two solutions has the following requirements:

  • Meraki MX must have the Advanced Security license.
  • Meraki MX must use firmware version 15.10+.

To check these requirements, go to the Organization > Configure > License Info menu in the Meraki dashboard, click License, and check the type of license applied to the device you want to integrate. In this lab, the license applied is MX64-SEC (Advanced Security).

 


To check the firmware, open the Security & SD-WAN > Monitor > Appliance Status menu and look at Firmware Version at the bottom left of the page.

 


Integration in practice

Before policies and filters are pushed from Umbrella to the Meraki network, both dashboards must be connected via an API key generated inside the Umbrella dashboard.

Creating the API Key in Umbrella

As a first step towards the integration between Umbrella and Meraki, it is necessary to create an API Key within the Umbrella dashboard. To create the Key and Secret, go to Admin > API Keys > Legacy Keys > Umbrella Network Devices and click Generate Token.


Once the Key and Secret are generated, copy the text and store it in a safe place.


Adding API Key and Secret to the Meraki Dashboard

To add the API Key and Secret in the Meraki dashboard, navigate to Network-wide > Configure > General. At the bottom of the page, there is the Cisco Umbrella Account option.

Click New Credentials, add the Key and Secret previously created within Umbrella, and click Save Changes.


Creating Group Policy in the Meraki Dashboard

After registering the Umbrella API in the Meraki dashboard, it is necessary to create a Group Policy on Meraki to synchronize the Umbrella policy with Meraki.

To create the policy, navigate to the Network-wide > Configure > Group Policies menu and click Add a group.


 

Give the policy a name and, in the Firewall and traffic shaping option, select Custom network firewall & shaping rules. The remaining settings can be left as default. Click Save changes at the bottom of the page.


 

Note: The other settings were left at their defaults because this article only demonstrates how to integrate Meraki with Umbrella. Depending on the needs of the network, customizations can be applied.

The Umbrella policy that will be used in this Group Policy can only be added after the Group Policy has been created. Therefore, it is necessary to edit the policy that was created minutes ago. Click on the created policy, in this case Umbrella_Policy.


 

Within the Group policy settings, click on the Enable Umbrella Protection button, a button that was not available when the group policy was created.


 

When the notification message appears, click Yes. The message is informational and states that Umbrella protection will be activated on the Meraki dashboard. Soon after, all policies that are available in Cisco Umbrella appear within the group policy. In this example, there is only the Default policy. Click Save Changes at the bottom of the page.


 

After clicking Save Changes, return to the Umbrella dashboard and open the Deployment > Core Identities > Network Devices menu; a few minutes later the Meraki device will appear.

Note: The Meraki network used for this lab has both an MX (firewall) and an MR (access-point), so both appear in Network Devices. This article shows the integration only with the MX; the integration with the MR will be demonstrated on another occasion.


The Device Status is shown as Offline because traffic from the Meraki network to Umbrella has not yet been generated, which will be demonstrated in the next topic.

Applying Group Policy

Group Policy can be applied in different ways:

  • In a VLAN created in MX (demonstrated in the article)
  • On a network-connected client device
  • On a Wi-Fi network SSID

Applying policy to a VLAN on MX

To apply the policy, navigate to Security & SD-WAN > Configure > Addressing & VLANs. Go to the Routing option, select the VLAN to which you want to apply the Group policy, and in Group policy select the previously created policy. Click Next > Preview > Update, and then the Save button at the bottom of the page.


From this moment on, DNS requests from any device connected to the VLAN with the Group policy applied will be redirected to Cisco Umbrella, and you can see the traffic in the Reporting > Core Reports > Activity Search menu on the Umbrella dashboard.


Also note that in Network Devices, the Appliance MX is already Active, as the Umbrella cloud is receiving traffic from the Meraki MX.


An important point: when the integration between Meraki MX and Umbrella is applied by VLAN, the policies work properly only if the device is connected via the wired network, that is, on a LAN port on the MX itself or on the MS. If the device is connected to the VLAN with the group policy applied, but via Wi-Fi, its traffic will not properly receive Umbrella policy enforcement.

For this reason, when using a Wi-Fi network, it is necessary that the group policy is also applied to the SSID, and not just to the VLAN, a topic that will be covered in another article.
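A client-side check for the wired versus Wi-Fi behaviour described above, as an added example that is not part of the original article. It assumes the TXT debug answer that Umbrella resolvers return for debug.opendns.com, with the field names server and originid; the sample answers are constructed, not captured from a real network.

```shell
#!/bin/sh
# Added example: classify the TXT answer for debug.opendns.com as seen by one
# client. Input is the output of `dig +short TXT debug.opendns.com`, which is
# one quoted "key value" string per line, or nothing at all when the resolver
# that answered is not Umbrella.

# Print the value of one "key value" record from the answer, or nothing.
txt_field() {  # usage: txt_field KEY ANSWER
  printf '%s\n' "$2" | tr -d '"' | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Print one of: not-umbrella | umbrella-no-identity | umbrella-identified
classify_umbrella_answer() {
  server=$(txt_field server "$1")
  origin=$(txt_field originid "$1")
  if [ -z "$server" ]; then
    echo "not-umbrella"          # no debug records: local DNS answered
  elif [ -z "$origin" ] || [ "$origin" = "0" ]; then
    echo "umbrella-no-identity"  # reached Umbrella, no identity matched
  else
    echo "umbrella-identified"   # reached Umbrella and matched an identity
  fi
}

# Constructed sample answers (documentation addresses, made-up ids).
# Wired client on the VLAN that has the group policy applied:
SAMPLE_WIRED='"server m00.example"
"flags 20 0 70 0"
"originid 123456789"
"actype 2"
"source 203.0.113.10:53001"'
# Wi-Fi client whose SSID has no group policy: the local DNS answers.
SAMPLE_WIFI_NO_POLICY=''
# Query reached Umbrella but was not tied to any identity.
SAMPLE_NO_IDENTITY='"server m00.example"
"originid 0"
"source 203.0.113.10:53002"'

# Live use on a client (needs dig and network access):
#   classify_umbrella_answer "$(dig +short TXT debug.opendns.com)"
```

Run the live command once from a wired client and once from a Wi-Fi client on the same VLAN; a difference between the two results matches the behaviour described above.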

Creating DNS Exclusion

If it is necessary that some traffic is not handled by the Umbrella cloud, it is possible to create an exclusion in the Meraki dashboard.

To do this, navigate to Security & SD-WAN > Configure > Threat Protection, click Enable Umbrella Protection, and then click Yes. Note that the Default Policy is selected, and you can now specify domains that should not be routed to Cisco Umbrella, in this case meraki.com.


Note: DNS traffic exclusion is only possible when Umbrella protection is active.

This exclusion aims to prevent traffic for safe/trusted domains from being directed to Umbrella, which reduces the amount of traffic sent to the Umbrella cloud. Examples include meraki.com and office365, among others.

Note that before the domain exclusion is applied, traffic is redirected to the Umbrella cloud; after the exclusion, it is handled by the local DNS.

Check for this in the Umbrella dashboard on Reporting > Core Reports > Activity.

Conclusion

This article demonstrated how to integrate a Meraki MX with the Cisco Umbrella DNS feature.

I hope you enjoyed reading.

Leave your like or kudo.

Thanks!

Jonas Resende
