WSA and Umbrella Co-existing

DAVID
Level 3

What is the best configuration to utilize both the WSA and Umbrella so that each has their own role to play and not duplicate each other?

7 Replies

Cristian Matei
VIP Alumni

Hi,

WSA and Umbrella don't really overlap; what overlaps is Cisco WSA and Cisco CWS. Umbrella provides security at the DNS layer, being able to block access to suspicious/malicious resources right away, redirecting the user to a block page. In case Umbrella considers it to be safe, the proper IP address is returned via DNS, and when the user tries to access it via HTTP/HTTPS, now WSA kicks in with its policies and security features.

With this integration, not only do you enhance the overall security, but you also ease the load on the WSA, as some traffic will be denied by Umbrella to begin with.


Regards,

Cristian Matei.

Thanks. This helps a lot. We're just trying to ensure that WSA, Umbrella, and AMP are all doing their own particular roles and they are not competing against each other or being necessarily redundant.

Are there any design guides that provide any helpful information regarding the co-existence of all three?

Hi,

Mostly they just coexist. One advantage would be to have common reporting. Here's one good read on WSA and Umbrella with AWSR:

Regards,

Cristian Matei.

Hi,

If you deploy those 3, from an order of operation perspective, Umbrella provides the first layer of security; what passes is inspected by WSA (with or without AMP); what passes is inspected by AMP (if we speak of AMP endpoints). This is called defense in depth, not overlapping.

Regards,

Cristian Matei.

Does it make sense to do content filtering at both the WSA and Umbrella? Can't tell you how many times we get requests to whitelist a site only to remember that we have to do it in two different locations. Also HTTPS decryption on WSA has always been a problem for us and I would just as soon disable it.

The differentiator between Umbrella and WSA used to be that Umbrella didn't have full proxy capabilities, it operated only at the DNS layer. That has gone away with the Secure Web Gateway.

https://learn-umbrella.cisco.com/datasheets/cisco-umbrella-secure-internet-gateway-sig-essentials?_=&_ga=2.182888166.134019945.1584972596-244488116.1564494793

AMP is a different thing, and having both or all three may have its place.

Think of AMP as an AV replacement, and a tracker of what files are doing what to what other files.

Yes, it can see that code reached out to a site, but it doesn't know/care about surfing policy.

That said, I still have WSAs, and we put the Umbrella client on laptops so they are covered when they AREN'T connected to the network.