I have a client using UTM firewall and we recently deployed Cisco DNS Umbrella for them with two virtual appliances.
At the moment, internal DNS clients are pointing to internal DNS servers. On the forwarder settings of the DNS server, we have configured VA's IPs. UTM firewall act as transparent proxy and intercepts any incoming web traffic from internal network. As per the recommendation of this article, UTM is also using VA's IP address as forwarder. Everything is working as it should.
The problem is, the customer has isolated internal network for R&D purposes. This network doesn't communicate with corporate network at all. Clients in this network are configured with Google DNS, however, some web pages are behaving improperly and content is getting blocked. And once we remove the VA's IP from UTM, it just works fine.
Sometimes Umbrella will actually redirect you to their proxy. So 1, if your UTM is decrypting, it needs Umbrella's root cert. Your R&D boxes may need it as well, when Umbrella proxies and decrypts and your UTM doesn't (depending upon how those decisions are made)