Cisco Umbrella

You can configure the device to redirect DNS requests to Cisco Umbrella, so that your FQDN policy defined
in Cisco Umbrella can be applied to user connections. The following topics explain how to configure the
Umbrella Connector to integrate the device with Cisco Umbrella.
• About Cisco Umbrella Connector, on page 1
• Licensing Requirements for Cisco Umbrella Connector, on page 2
• Guidelines and Limitations for Cisco Umbrella, on page 2
• Configure Cisco Umbrella Connector, on page 4
• Monitoring the Umbrella Connector , on page 9
• History for Cisco Umbrella Connector, on page 12

About Cisco Umbrella Connector

If you use Cisco Umbrella, you can configure the Cisco Umbrella Connector to redirect DNS queries to Cisco
Umbrella. This allows Cisco Umbrella to identify requests to black- or grey-list domain names and apply your
DNS-based security policy.
The Umbrella Connector is part of the system’s DNS inspection. If your existing DNS inspection policy map
decides to block or drop a request based on your DNS inspection settings, the request is not forwarded to
Cisco Umbrella. Thus, you have two lines of protection: your local DNS inspection policy and your Cisco
Umbrella cloud-based policy.
When redirecting DNS lookup requests to Cisco Umbrella, the Umbrella Connector adds an EDNS (Extension
mechanisms for DNS) record. An EDNS record includes the device identifier information, organization ID,
and client IP address. Your cloud-based policy can use those criteria to control access in addition to the
reputation of the FQDN. You can also elect to encrypt the DNS request using DNSCrypt to ensure the privacy
of usernames and internal IP addresses.

Cisco Umbrella Enterprise Security Policy

In your cloud-based Cisco Umbrella Enterprise Security policy, you can control access based on the reputation
of the fully-qualified domain name (FQDN) in the DNS lookup request. Your Enterprise Security policy can
enforce one of the following actions:
• Allow—If you have no block rules for an FQDN, and Cisco Umbrella determines that it belongs to a
non-malicious site, then the site’s actual IP address is returned. This is normal DNS lookup behavior.

Cisco Umbrella
1
 Cisco Umbrella
Cisco Umbrella Registration

• Proxy—If you have no block rules for an FQDN, and Cisco Umbrella determines that it belongs to a
suspicious site, then the DNS reply returns the IP address of the Umbrella intelligent proxy. The proxy
can then inspect the HTTP connection and apply URL filtering. You must ensure that intelligent proxy
is enabled from the Cisco Umbrella dashboard (Security Setting > Enable Intelligent Proxy).
• Block—If you explicitly block an FQDN, or Cisco Umbrella determines that it belongs to a malicious
site, then the DNS reply returns the IP address of the Umbrella cloud landing page for blocked connections.

Cisco Umbrella Registration

When you configure the Umbrella Connector on a device, it registers with Cisco Umbrella in the cloud. The
registration process assigns a single device ID, which identifies one of the following:
• One standalone device in single context mode.
• One high availability pair in single context mode.
• One cluster in single context mode.
• One security context in a multiple-context standalone device.
• One security context of a high availability pair
• One security context of a cluster.

Once registered, the device details will appear on the Cisco Umbrella dashboard. You can then change which
policy is attached to a device. During registration, either the policy you specify in the configuration is used,
or the default policy is assigned. You can assign the same Umbrella policy to multiple devices. If you specify
the policy, the device ID you receive differs from what you would get if you did not specify a policy.

Licensing Requirements for Cisco Umbrella Connector

To use the Cisco Umbrella Connector, you must have a 3DES license. If you are using Smart Licensing, your
account must be enabled for export-controlled functionality.
The Cisco Umbrella portal has separate licensing requirements.

Guidelines and Limitations for Cisco Umbrella

Context Mode
• In multiple-context mode, you configure the Umbrella Connector in each context. Each context has a
separate device ID, and is represented as a separate device in the Cisco Umbrella Connector dashboard.
The device name is the hostname configured in the context, plus the hardware model, plus the context
name. For example, CiscoASA-ASA5515-Context1.

Failover
• The active unit in the high availability pair registers the pair as a single unit with Cisco Umbrella. Both
peers use the same device ID, which is formed from their serial numbers:

Cisco Umbrella
2
Cisco Umbrella
Guidelines and Limitations for Cisco Umbrella

primary-serial-number_secondary-serial-number. For multiple context mode, each pair of security

contexts is considered a single unit. You must configure high availability, and the units must have
successfully formed a high-availability group (even if the standby device is currently in a failed state),
before enabling Cisco Umbrella, or the registration will fail.

Cluster
• The cluster control unit registers the cluster as a single unit with Cisco Umbrella. All peers use the same
device ID. For multiple context mode, a security context in the cluster is considered a single unit across
all peers.

Additional Guidelines
• Redirection to Cisco Umbrella is done for DNS requests in through traffic only. DNS requests that the
system itself initiates are never redirected to Cisco Umbrella. For example, FQDN-based access control
rules are never resolved based on Umbrella policy, nor are any FQDNs that are used in other commands
or configuration settings.
• The Cisco Umbrella Connector works on any DNS request in through traffic. However, the block and
proxy actions are effective only if the DNS response is then used for HTTP/HTTPS connections, because
the IP address returned is for a web site. Any blocked or proxied addresses for non-HTTP/HTTPS
connections will either fail or complete in a misleading fashion. For example, pinging a blocked FQDN
would result in pinging the server that hosts the Cisco Umbrella cloud block page.

Note Cisco Umbrella does try to intelligently identify FQDNs that might be
non-HTTP/HTTPS, and does not return the IP address to the intelligent proxy
for those FQDNs for proxied domain names.

• The system sends DNS/UDP traffic only to Cisco Umbrella. If you enable DNS/TCP inspection, the
system does not send any DNS/TCP requests to Cisco Umbrella. However, DNS/TCP requests do not
increment the Umbrella bypass counter.
• If you enable DNScrypt for Umbrella inspection, the system uses UDP/443 for the encrypted session.
You must include UDP/443 along with UDP/53 in the class map that applies DNS inspection for Cisco
Umbrella for DNScrypt to work correctly. Both UDP/443 and UDP/53 are included in the default
inspection class for DNS, but if you create a custom class, ensure that you define an ACL that includes
both ports for the match class.
• DNScrypt uses IPv4 only for the certificate update handshake. However, DNSscrypt does encrypt both
IPv4 and IPv6 traffic.
• Cisco Umbrella and ASA FirePOWER processing are not compatible for a given connection. If you want
to use both services, you must exclude UDP/53 and UDP/443 from ASA FirePOWER processing. For
example, if you are currently redirecting all traffic to the ASA FirePOWER module, you must update
the class to use an access list match. The access list should start by denying any connections to the
Umbrella servers on destination ports UDP/53 and UDP/443, then permit any source to any destination.
The ACL and match statements would be similar to the following:

access-list sfr extended deny udp any host 208.67.220.220 eq domain

access-list sfr extended deny udp any host 208.67.220.220 eq 443
access-list sfr extended permit ip any any

Cisco Umbrella
3
 Cisco Umbrella
Configure Cisco Umbrella Connector

class-map sfr
match access-list sfr
policy-map global_policy
class sfr
sfr fail-open

• There must be an IPv4 route to the Internet that can reach api.opendns.com (registration uses IPv4 only).
You also must have routes to the following DNS resolvers, and your access rules must allow DNS traffic
to these hosts. These routes can go through either the data interfaces or the management interface; any
valid route will work for both registration and DNS resolution. The default servers that the system uses
are indicated; you can use the other servers by configuring the resolver in the Umbrella global settings.
• 208.67.220.220 (system default for IPv4)
• 208.67.222.222
• 2620:119:53::53 (system default for IPv6)
• 2620:119:35::35

• The system does not support the Umbrella FamilyShield service. If you configure the FamilyShield
resolvers, you might get unexpected results.
• When evaluating whether to fail open, the system considers whether the Umbrella resolver is down, or
if an intervening device drops the DNS request or response based on how long it has waited for the
response after sending out the request. Other factors, such as no route to the Umbrella resolver, are not
considered.
• To unregister a device, first delete the Umbrella configuration, then delete the device from the Cisco
Umbrella dashboard.
• Any web requests that use IP addresses instead of FQDN will bypass Cisco Umbrella. In addition, if a
roaming client obtains DNS resolution from a different WAN connection than the one that goes through
an Umbrella-enabled device, connections that use those resolutions bypass Cisco Umbrella.
• If a user has an HTTP proxy, then the proxy might be doing DNS resolution, and the resolutions will not
go through Cisco Umbrella.
• NAT DNS46 and DNS64 are not supported. You cannot translate DNS requests between IPv4 and IPv6
addressing.
• The EDNS record will include both the IPv4 and IPv6 host addresses.
• If the client uses DNS over HTTPS, then the cloud security service will not inspect DNS and HTTP/HTTPS
traffic.

Configure Cisco Umbrella Connector

You can configure the device to interact with Cisco Umbrella in the cloud. The system redirects DNS lookup
requests to Cisco Umbrella, which then applies your cloud-based Enterprise Security fully-qualified domain
name (FQDN) policy. For malicious or suspicious traffic, users can be blocked from a site, or redirected to
an intelligent proxy that can perform URL filtering based on your cloud-based policy.
The following procedure explains the end-to-end process for configuring the Cisco Umbrella Connector.

Cisco Umbrella
4
 Cisco Umbrella
Install the CA Certificate from the Cisco Umbrella Registration Server

Before you begin

In multiple-context mode, perform this procedure in each security context that should use Cisco Umbrella.

Procedure

Step 1 Establish an account on Cisco Umbrella, https://umbrella.cisco.com.

Step 2 Install the CA Certificate from the Cisco Umbrella Registration Server, on page 5.
The device registration uses HTTPS, which requires that you install the root certificate.

Step 3 If it is not already enabled, configure DNS servers and enable DNS lookup on the interfaces.
Configure the settings on the Configuration > Device Management > DNS > DNS Client page.
You can use your own servers, or configure the Cisco Umbrella servers. DNS inspection automatically redirects
to the Cisco Umbrella resolvers even if you configure different servers.
• 208.67.220.220
• 208.67.222.222
• 2620:119:53::53
• 2620:119:35::35

Step 4 Configure the Umbrella Connector Global Settings, on page 6.

Step 5 Enable Umbrella in the DNS Inspection Policy Map, on page 7.
Step 6 Verify the Umbrella Registration, on page 8.

Install the CA Certificate from the Cisco Umbrella Registration Server

You must import the root certificate to establish the HTTPS connection with the Cisco Umbrella registration
server. The system uses the HTTPS connection when registering the device.
Following is the PEM certificate that you must import.

-----BEGIN CERTIFICATE-----
MIIE6jCCA9KgAwIBAgIQCjUI1VwpKwF9+K1lwA/35DANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAw
HgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0yMDA5MjQwMDAwMDBaFw0zMDA5MjMy
MzU5NTlaME8xCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERp
Z2lDZXJ0IFRMUyBSU0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6aqXodgojl
EVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddng9/n00tnTCJRpt8OmRDt
V1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuWraKImxW8oHzf6VGo1bDtN+I2tIJLYrVJ
muzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGBAfr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkD
Ka77SU+kFbnO8lwZV21reacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBrjCCAaowHQYDVR0OBBYE
FLdrouqoqoSMeeq02g+YssWVdrn0MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgw
BgEB/wIBADB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xv
YmFsUm9vdENBLmNydDB7BgNVHR8EdDByMDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
RGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMDAGA1UdIAQpMCcwBwYFZ4EMAQEwCAYGZ4EMAQIBMAgG

Cisco Umbrella
5
 Cisco Umbrella
Configure the Umbrella Connector Global Settings

BmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEBAHert3onPa679n/gWlbJhKrKW3EX
3SJH/E6f7tDBpATho+vFScH90cnfjK+URSxGKqNjOSD5nkoklEHIqdninFQFBstcHL4AGw+oWv8Z
u2XHFq8hVt1hBcnpj5h232sb0HIMULkwKXq/YFkQZhM6LawVEWwtIwwCPgU7/uWhnOKK24fXSuhe
50gG66sSmvKvhMNbg0qZgYOrAKHKCjxMoiWJKiKnpPMzTFuMLhoClw+dj20tlQj7T9rxkTgl4Zxu
YRiHas6xuwAwapu3r9rxxZf+ingkquqTgLozZXq8oXfpf2kUCwA/d5KxTVtzhwoT0JzI8ks5T1KE
SaZMkE4f97Q=
-----END CERTIFICATE-----

Procedure

Step 1 Choose Configuration > Firewall > Advanced > Certificate Management > CA Certificates.
Step 2 Click Add.
Step 3 Enter a Trustpoint Name, such as ctx1 or umbrella_server.
Step 4 Select Paste Certificate in PEM Format, then paste the certificate into the box.
It does not matter if you include the BEGIN CERTIFICATE and END CERTIFICATE lines.

Step 5 Click Install Certificate.

The certificate is created on the device. You will need to refresh your view to see the trustpoint listed.

Configure the Umbrella Connector Global Settings

The Umbrella global settings primarily define the API token that is needed to register the device with Cisco
Umbrella. The global settings are not sufficient to enable Umbrella. You must also enable Umbrella in your
DNS inspection policy map, as described in Enable Umbrella in the DNS Inspection Policy Map, on page
7.

Before you begin

• Log into the Cisco Umbrella Network Devices Dashboard (https://login.umbrella.com/) and obtain a
legacy network device API token for your organization. A token will be a hexadecimal string, for example,
AABBA59A0BDE1485C912AFE. Generate a Legacy Network Devices API key from the Umbrella
dashboard.
• Install the certificate for the Cisco Umbrella registration server.

Procedure

Step 1 Choose Configuration > Firewall > Objects > Umbrella.

Step 2 Select Enable Umbrella.
Step 3 Enter the API token in the Token field.
Step 4 (Optional.) If you intend to enable DNScrypt in the DNS inspection policy map, you can optionally configure
the DNScrypt provider Public Key for certificate verification. If you do not configure the key, the default
currently distributed public key is used for validation.
The key is a 32-byte hexadecimal value. Enter the hex value in ASCII with a colon separator for every 2 bytes.
The key is 79 bytes long. Obtain this key from Cisco Umbrella.

Cisco Umbrella
6
 Cisco Umbrella
Enable Umbrella in the DNS Inspection Policy Map

The default key is:

B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
To revert to using the default public key, delete the key from the Public Key field.

Step 5 (Optional.) Select EDNS Timeout and change the idle timeout after which a connection from a client to the
Umbrella server will be removed if there is no response from the server.
The timeout is in hours:minutes:seconds format, and can be from 0:0:0 to 1193:0:0. The default is 0:02:00 (2
minutes).

Step 6 (Optional.) In Resolver IPv4 and Resolver IPv6, configure the addresses of the non-default Cisco Umbrella
DNS servers, which resolve DNS requests, that you want to use.
If you do not configure these options, the system uses the default servers.

Step 7 (Optional.) Configure the local domain names for which Umbrella should be bypassed.
You can identify local domains for which DNS requests should bypass Cisco Umbrella and instead go directly
to the configured DNS servers. For example, you can have your internal DNS server resolve all names for
the organization's domain name on the assumption that all internal connections are allowed.
You can specify either a single regular expression class that includes the regular expression objects that define
the local domains, or enter the names directly as regular expression objects. You can also combine these,
although you can have at most one class.
Click the Manage button next to the Local Domain Bypass Regex Class option to create the class. You can
also click the Manage button from the Add/Edit dialog box for regular expressions to create those objects.

Enable Umbrella in the DNS Inspection Policy Map

Configuring the global Umbrella settings is not enough to register the device and enable DNS lookup redirection.
You must add Umbrella as part of your active DNS inspection.
You can enable Umbrella globally by adding it to the preset_dns_map DNS inspection policy map.
However, if you have customized DNS inspection and applied different inspection policy maps to different
traffic classes, you must enable Umbrella on each class where you want the service.
The following procedure explains how to implement Umbrella globally. If you have customized DNS policy
maps, please see Configure DNS Inspection Policy Map.

Procedure

Step 1 Choose Configuration > Firewall > Objects > Inspect Maps > DNS.
Step 2 Double-click the preset_dns_map inspection map to edit it.
Step 3 Click the Umbrella Connections tab and enable the connection to Cisco Umbrella in the cloud.
• Umbrella—Enables Cisco Umbrella. You can optionally specify the name of the Cisco Umbrella policy
to apply to the device in the Umbrella Tag field. If you do not specify a policy, the default policy is
applied. After registration, the Umbrella device ID is displayed next to the tag.

Cisco Umbrella
7
 Cisco Umbrella
Verify the Umbrella Registration

• Enable Dnscrypt—Enables DNScrypt to encrypt connections between the device and Cisco Umbrella.
Enabling DNScrypt starts the key-exchange thread with the Umbrella resolver. The key-exchange thread
performs the handshake with the resolver every hour and updates the device with a new secret key.
Because DNScrypt uses UDP/443, you must ensure that the class map used for DNS inspection includes
that port. Note that the default inspection class already includes UDP/443 for DNS inspection.
• Fail Open—Enable fail open if you want DNS resolution to work if the Umbrella DNS server is
unavailable. When failing open, if the Cisco Umbrella DNS server is unavailable, Umbrella disables
itself on this policy map and allows DNS requests to go to the other DNS servers configured on the
system, if any. When the Umbrella DNS servers are available again, the policy map resumes using them.
If you do not select this option, DNS requests continue to go to the unreachable Umbrella resolver, so
they will not get a response

Step 4 Click OK.

Verify the Umbrella Registration

After you configure the global Umbrella settings and enable Umbrella in DNS inspection, the device should
contact Cisco Umbrella and register. You can check for successful registration by checking whether Cisco
Umbrella provided a device ID.
Use Tools > Command Line Interface or an SSH session to enter these commands.
First, check the service policy statistics, and look for the Umbrella Registration line. This should indicate the
policy applied by Cisco Umbrella (the tag), the HTTP status of the connection (401 indicates that the API
token was incorrect, and 409 indicates that the device already exists in Cisco Umbrella), and the device ID.
Note that the Umbrella Resolver lines should not indicate that the resolvers are unresponsive. If they are,
verify that you opened DNS communication to these IP addresses in your access control policy. This might
be a temporary situation, or it might indicate a routing problem.

asa(config)# show service-policy inspect dns

Interface inside:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate
0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
message-length maximum client auto, drop 0
message-length maximum 512, drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
umbrella registration: mode: fail-open tag: default, status: 200 success, device-id:
010a13b8fbdfc9aa
Umbrella ipv4 resolver: 208.67.220.220
Umbrella ipv6 resolver: 2620:119:53::53
Umbrella: bypass 0, req inject 0 - sent 0, res recv 0 - inject 0 local-domain-bypass
10
DNScrypt egress: rcvd 402, encrypt 402, bypass 0, inject 402
DNScrypt ingress: rcvd 804, decrypt 402, bypass 402, inject 402
DNScrypt: Certificate Update: completion 10, failure 1

You can also verify the running configuration (filter on policy-map). The umbrella command in the policy
map updates to show the device ID. You cannot directly configure the device ID when you enable this

Cisco Umbrella
8
 Cisco Umbrella
Monitoring the Umbrella Connector

command. The following example edits the output to show the relevant information. You can also see the
device ID in ASDM by editing the DNS inspection map used for Umbrella; the ID is displayed on the Umbrella
Connections tab.

ciscoasa(config)# show running-config policy-map

!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
dnscrypt
umbrella device-id 010a3e5760fdd6d3
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

Monitoring the Umbrella Connector

The following topics explain how to monitor the Umbrella Connector.

Monitoring the Umbrella Service Policy Statistics

You can view both summarized and detailed statistics for DNS inspection with Umbrella enabled.
Use Tools > Command Line Interface or an SSH session to enter these commands.
show service-policy inspect dns [detail]
Without the detail keyword, you see all the basic DNS inspection counters plus Umbrella configuration
information. The status field provides the HTTP status code for the system’s attempt to register with Cisco
Umbrella.
The Resolver lines indicate which Umbrella servers are being used. These lines will say whether the server
is unresponsive, or if the system is currently probing the server to determine if it has become available. If
the mode is fail-open, the system allows DNS requests to go to other DNS servers (if configured); otherwise,
DNS requests will not get a response so long as the Umbrella servers are unreponsive.

asa(config)# show service-policy inspect dns

Interface inside:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate
0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
message-length maximum client auto, drop 0
message-length maximum 512, drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
umbrella registration: mode: fail-open tag: default, status: 200 success, device-id:
010a13b8fbdfc9aa
Umbrella ipv4 resolver: 208.67.220.220
Umbrella ipv6 resolver: 2620:119:53::53
Umbrella: bypass 0, req inject 0 - sent 0, res recv 0 - inject 0 local-domain-bypass
10
DNScrypt egress: rcvd 402, encrypt 402, bypass 0, inject 402

Cisco Umbrella
9
 Cisco Umbrella
Monitoring the Umbrella Service Policy Statistics

DNScrypt ingress: rcvd 804, decrypt 402, bypass 402, inject 402
DNScrypt: Certificate Update: completion 10, failure 1

The detailed output shows DNScrypt statistics and the keys used.

asa(config)# show service-policy inspect dns detail

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Class-map: dnscrypt30000
Inspect: dns dns_umbrella, packet 12, lock fail 0, drop 0, reset-drop 0,
5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
message-length maximum client auto, drop 0
message-length maximum 1500, drop 0
dns-guard, count 3
protocol-enforcement, drop 0
nat-rewrite, count 0
Umbrella registration: mode: fail-open tag: default, status: 200 SUCCESS, device-id:
010af97abf89abc3, retry 0
Umbrella ipv4 resolver: 208.67.220.220
Umbrella ipv6 resolver: 2620:119:53::53
Umbrella: bypass 0, req inject 6 - sent 6, res recv 6 - inject 6 local-domain-bypass
10
Umbrella app-id fail, count 0
Umbrella flow alloc fail, count 0
Umbrella block alloc fail, count 0
Umbrella client flow expired, count 0
Umbrella server flow expired, count 0
Umbrella request drop, count 0
Umbrella response drop, count 0
DNScrypt egress: rcvd 6, encrypt 6, bypass 0, inject 6
DNScrypt ingress: rcvd 18, decrypt 6, bypass 12, inject 6
DNScrypt length error, count 0
DNScrypt add padding error, count 0
DNScrypt encryption error, count 0
DNScrypt magic_mismatch error, count 0
DNScrypt disabled, count 0
DNScrypt flow error, count 0
DNScrypt nonce error, count 0
DNScrypt: Certificate Update: completion 1, failure 1
DNScrypt Receive internal drop count 0
DNScrypt Receive on wrong channel drop count 0
DNScrypt Receive cannot queue drop count 0
DNScrypt No memory to create channel count 0
DNScrypt Send no output interface count 1
DNScrypt Send open channel failed count 0
DNScrypt Send no handle count 0
DNScrypt Send dupb failure count 0
DNScrypt Create cert update no memory count 0
DNScrypt Store cert no memory count 0
DNScrypt Certificate invalid length count 0
DNScrypt Certificate invalid magic count 0
DNScrypt Certificate invalid major version count 0
DNScrypt Certificate invalid minor version count 0
DNScrypt Certificate invalid signature count 0
Last Successful: 01:42:29 UTC May 2 2018, Last Failed: None
Magic DNSC, Major Version 0x0001, Minor Version 0x0000,
Query Magic 0x714e7a696d657555, Serial Number 1517943461,
Start Time 1517943461 (18:57:41 UTC Feb 6 2018)
End Time 1549479461 (18:57:41 UTC Feb 6 2019)
Server Public Key
240B:11B7:AD02:FAC0:6285:1E88:6EAA:44E7:AE5B:AD2F:921F:9577:514D:E226:D552:6836
Client Secret Key Hash

Cisco Umbrella
10
 Cisco Umbrella
Monitoring Umbrella Syslog Messages

48DD:E6D3:C058:D063:1098:C6B4:BA6F:D8A7:F0F8:0754:40B0:AFB3:CB31:2B22:A7A4:9CEE
Client Public key
6CB9:FA4B:4273:E10A:8A67:BA66:76A3:BFF5:2FB9:5004:CD3B:B3F2:86C1:A7EC:A0B6:1A58
NM key Hash
9182:9F42:6C01:003C:9939:7741:1734:D199:22DF:511E:E8C9:206B:D0A3:8181:CE57:8020

Monitoring Umbrella Syslog Messages

You can monitor the following Umbrella-related syslog messages:
• %ASA-3-339001: DNSCRYPT certificate update failed for number tries.
Check that there is a route to the Umbrella server and that the egress interface is up and functioning
correctly. Also check that the public key configured for DNScrypt is correct. You might need to obtain
a new key from Cisco Umbrella.
• %ASA-3-339002: Umbrella device registration failed with error code error_code.
The error codes have the following meanings:
• 400—There is a problem with the request format or content. The token is probably too short or
corrupted. Verify that the token matches the one on the Umbrella Dashboard.
• 401—The API token is not authorized. Try reconfiguring the token. If you refreshed the token on
the Umbrella Dashboard, then you must ensure that you use the new token.
• 409—The device ID conflicts with another organization. Please check with the Umbrella
Administrator to see what the issue might be.
• 500—There is an internal server error. Check with the Umbrella Administrator to see what the issue
might be.

• %ASA-6-339003: Umbrella device registration was successful.

• %ASA-3-339004: Umbrella device registration failed due to missing token.
You must obtain an API token from Cisco Umbrella and configure it in the global Umbrella settings.
• %ASA-3-339005: Umbrella device registration failed after number retries.
Check the syslog 339002 messages to identify the errors that you need to fix.
• %ASA-3-339006: Umbrella resolver IP_address is reachable, resuming Umbrella redirect.
This message indicates that the system is functioning normally again. No action is needed.
• %ASA-3-339007: Umbrella resolver IP_address is unresponsive and fail-close mode used, starting probe
to resolver.
Because you are using fail-close mode, users will not get responses to their DNS requests until the
Umbrella DNS server comes back online. If the problem persists, verify that there is a route from the
system to the Umbrella servers, and that you allow DNS traffic to the servers in your access control
policy.

Cisco Umbrella
11
 Cisco Umbrella
History for Cisco Umbrella Connector

History for Cisco Umbrella Connector

Feature Name Platform Releases Description

Cisco Umbrella support. 9.10(1) You can configure the device to redirect DNS requests to Cisco
Umbrella, so that your Enterprise Security policy defined in Cisco
Umbrella can be applied to user connections. You can allow or block
connections based on FQDN, or for suspicious FQDNs, you can redirect
the user to the Cisco Umbrella intelligent proxy, which can perform
URL filtering. The Umbrella configuration is part of the DNS inspection
policy.
We added or modified the following screens: Configuration > Firewall
> Objects > Umbrella, Configuration > Firewall > Objects >
Inspect Maps > DNS.

Cisco Umbrella Enhancements. 9.12(1) You can now identify local domain names that should bypass Cisco
Umbrella. DNS requests for these domains go directly to the DNS
servers without Umbrella processing. You can also identify which
Umbrella servers to use for resolving DNS requests. Finally, you can
define the Umbrella inspection policy to fail open, so that DNS requests
are not blocked if the Umbrella server is unavailable.
We modified the following screens: Configuration > Firewall >
Objects > Umbrella, Configuration > Firewall > Objects > Inspect
Maps > DNS.

Cisco Umbrella
12