WSA to Umbrella Migration

manvik · ‎04-14-2025

has anyone done WSA onprem to umbrella SIG migration. How to get the Identification Profiles, Access Policies from WSA migrated to Umbrella SIG.
What config changes to be done in Endpoint for the new Umbrella SIG proxy control to be effective.

psayafan · ‎04-22-2025

Hybrid Policy and Reporting support in Cisco Secure Web Appliance (SWA) was introduced starting with AsyncOS 15.1. This functionality allows integration with Cisco Umbrella, enabling centralized policy management and visibility through the Umbrella dashboard.

Hybrid Policy: Enables policy translation and push from Umbrella to SWA, allowing centralized control.
Hybrid Reporting: Sends SWA reporting data related to Umbrella-configured policies back to Umbrella for unified reporting.

You can refer to this link for more information: https://docs.umbrella.com/umbrella-user-guide/docs/hybrid-policy

At the endpoints (Clients), you don't need to change anything and they can continue working as before. The difference is that the management of policies can now be done in Umbrella. Additionally, you can have the SWA reports on the Umbrella reporting as well.

Here are some limitations that are important for you to be aware of: https://docs.umbrella.com/umbrella-user-guide/docs/hybrid-policy#lim

Please let me know if you have more question.

manvik · ‎04-22-2025

existing WSA won't be used anymore. It wd be decommissioned.
I think hybrid policy wont work here. Other than manually creating the policies in umbrella, any other mechanism to migrate?

psayafan · ‎04-22-2025

You need to create a policy from scratch in Umbrella. With a Hybrid Policy, you can only push policies from Umbrella to SWA.

wajidhassan · ‎07-07-2025

Since WSA will be decommissioned, Hybrid Policy won’t apply. There’s no automatic migration tool, you’ll need to manually recreate identification and access policies in Umbrella. Endpoints don’t need config changes if they’re already using Umbrella SIG.