DNS Security over Cisco SDWAN: Cisco SDWAN Integration with Cisco Umbrella

Today I am going to talk about the Cisco Viptela SDWAN and Cisco Umbrella integration. Earlier articles discussed Cisco SDWAN components, secure segmentation, ZTP, the zero trust model, application-aware routing and many more. In this article I am going to discuss Cisco Umbrella and its integration with Cisco SDWAN.

Cisco Umbrella 
As many of you know, Cisco Umbrella is the first line of defense for any network: it is a DNS-layer security service that already takes feeds from Cisco Talos in order to understand website reputation.

The main purpose of Cisco Umbrella is to keep your network away from malicious URLs. Cisco Umbrella now also has full proxy features for deeper visibility and control of web traffic.

Fig 1.1- Cisco SDWAN integrated with Cisco Umbrella

In order to integrate Cisco Umbrella with Cisco SDWAN, you need to create the API keys from Cisco Umbrella first.

Log in to Cisco Umbrella > Admin > API Keys > Generate API Key, and choose one of these four options: Umbrella Network devices | Legacy Network devices | Umbrella reporting | Umbrella Management.

Fig 1.2- Cisco Umbrella API key- Token

As shown in the image above, I generated the Cisco Umbrella API key (token) for the Legacy devices, which include Cisco ISR, vEdges and other devices.

vManage on Cisco SDWAN
Under CONFIGURATION | SECURITY, choose the Custom Options drop-down list at the top right corner, and then select Umbrella API token. Under CONFIGURATION | SECURITY, select Add Security Policy and then choose a scenario that fits your use case (e.g. custom).

Enter your Umbrella registration token, as shown in the image:

Fig 1.3- Cisco vManage
Now navigate to DNS Security, select Add DNS Security Policy and then select Create new.

Fig 1.4- DNS Policy on Cisco SDWAN vManage

Once you have added the DNS policy, it will be shown as a template in vManage (the Cisco SDWAN orchestration dashboard).

Fig 1.5- DNS Policy added

On the DNS Security tab of your policy, you see a configuration similar to this image:

Fig 1.6- DNS Security Policy
With the DNS security policy in place, you can configure your devices with the additional template in vManage and attach that template to the device as per the normal process.

To check the Umbrella template on the vEdges, use the commands below:

NDNA_vEdge# show run | sec parameter-map type umbrella
NDNA_vEdge# show umbrella config
NDNA_vEdge# show platform hardware qfp active feature umbrella client config

To check that the device is registered with Cisco Umbrella:
NDNA_vEdge# show umbrella deviceid 

NDNA_vEdge# show platform hardware qfp active feature umbrella datapath stats