If there are two policies in umbrella. First which is at the top and has identity of site and network. 2nd policy has identity of a single AD user. A DNS query from that AD user matches all the 3 identities - Network , site and AD ID.
My question is which policy will be matched here. (The reason for asking this here is because I cannot simulate this scenario in our PROD)
As per cisco documentation - Umbrella evaluates policies from the top down and looks for a matching identity and destination. Once a match is found, Umbrella applies that policy's settings to the identity and destination and stops evaluating all other DNS policies. If Umbrella cannot find a matching DNS policy, Umbrella uses the Default DNS policy.
However, same doc says : Umbrella checks for identity matches in this order:
- AD user
- AD computer
- Internal network
- Roaming client
This confused me, whether Umbrella will match 'Top down' and match the first policy OR as per above order, it will match AD user policy which is at bottom.
Another question, does umbrella matches both - Identity AND Destination list, or just the identity.