Cisco Umbrella: Web Policy vs DNS Policy

Cisco Umbrella is making big changes, with additional features and components. You now have two separate policies: the DNS Policy and a new policy called the Web Policy.

So which policy should you use in your deployment?

In my opinion, there are a few considerations when using DNS Policies and Web Policies.

1. DNS Policies will apply to non-browser traffic.
2. Web browsers may be configured in a way that no DNS request is made from the client, for example when using an explicit proxy. In this case, only the Web Policy will be applied.

A DNS Request is made before the HTTP Request.

If a DNS request is blocked, it will remain blocked even if it is allowed on the Web Policy.

If the DNS request is allowed by the DNS Policy, but the web request is blocked by the Web Policy, the requests for the page will fail and a block page will be served.
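The evaluation order described above can be turned into a small policy audit. This is an added example, not Cisco code and not part of the original post: it assumes each policy is reduced to a plain set of domains, and the names `effective_verdict`, `audit` and the sample domains are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policies, reduced to plain domain sets.
DNS_BLOCK = {"malware.example", "ads.example"}
WEB_BLOCK = {"social.example", "ads.example"}
WEB_ALLOW = {"malware.example", "intranet.example"}

@dataclass(frozen=True)
class Request:
    domain: str
    is_web: bool          # HTTP/HTTPS traffic that the web policy sees
    explicit_proxy: bool  # browser sends no DNS query of its own

def effective_verdict(req, dns_block, web_block):
    """Return (verdict, deciding policy) using the order described above."""
    if req.explicit_proxy and not req.is_web:
        raise ValueError("explicit proxy only applies to web traffic")
    # The DNS request comes first; a DNS block is final.
    if not req.explicit_proxy and req.domain in dns_block:
        return ("blocked", "dns")
    # DNS allowed (or skipped): the web policy decides for web traffic.
    if req.is_web and req.domain in web_block:
        return ("blocked", "web")  # block page is served
    return ("allowed", "web" if req.is_web else "dns")

def audit(dns_block, web_block, web_allow):
    """List domains where the two policies disagree in a way that matters."""
    findings = []
    # Web allow with no effect for clients whose lookup the DNS policy blocks.
    findings += [(d, "shadowed_web_allow") for d in sorted(web_allow & dns_block)]
    # Blocked for browsers only; non-browser traffic only meets the DNS policy.
    findings += [(d, "web_only_block") for d in sorted(web_block - dns_block)]
    # Blocked at DNS only; explicit-proxy browsers only meet the web policy.
    findings += [(d, "dns_only_block") for d in sorted(dns_block - web_block)]
    return findings

if __name__ == "__main__":
    for domain, finding in audit(DNS_BLOCK, WEB_BLOCK, WEB_ALLOW):
        print(f"{finding:20} {domain}")
```

Each finding marks a domain whose treatment depends on how the client reaches it, which is where the two policies should be brought into line.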

If you are familiar with the Cisco Umbrella solution, you know that the DNS Policy has the traditional SSL Decryption and File Inspection. The new Web Policy also has HTTPS Inspection and File Inspection.

But what is the difference between the SSL Decryption in the DNS Policy and the HTTPS Inspection in the Web Policy?

When File Inspection is enabled for either the DNS or Web policy, File Inspection inspects files through Cisco Advanced Malware Protection (AMP) and Umbrella’s antivirus.

If files are not blocked through File Inspection and are unknown to AMP file reputation or Umbrella’s antivirus (AV), Cisco Umbrella can submit those unknown files to Threat Grid sandboxing.

Threat Grid Malware Analysis is available only in the Web Policy.
