Redirection methods
Both methods will enforce SWG (web protection), but the IPSec tunnels will also provide Cloud Delivered Firewall (this is not available with roaming clients). We always recommend the clients since they will protect your users when they are working from the office or just travelling or working from a cafeteria.
But both options are advantageous for different reasons; you could also configure the clients to back off when they are at the office, and use the IPSec tunnel to have access to the Cloud Delivered Firewall.
IPsec IKEv2 VPN from your firewall > Umbrella cloud
Secure Client with SWG module goes via HTTPS > Umbrella cloud
Which is recommended? Any features lost/gained, VPN vs Secure Client?
Clients > redirection method > Umbrella client > CDFW (L7 and IPS)
HTTP/HTTPS > SWG
Non-web traffic not blocked >
DNS > CDFW > SWG > DLP or RBI
DLP scans data for violations
RBI renders in a cloud browser
PAC files to send users' traffic to the SWG
CDFW only available with IPsec tunnel
Secure Client is using SWG
Still need to keep VAs
On policy flow:
The order of operations will depend on what deployment method you are using. For example, if you have a setup of VAs and an IPSec tunnel, the order of operations will be: DNS policy enforcement (redirected by VAs to resolvers), CDFW (because of the IPSec tunnel), and finally SWG.
If you use roaming clients only, everything stays the same, with the exception of CDFW, since this is only available via the IPSec tunnel.
It is also recommended to have policies on all these layers (in the case that IPSec tunnels are set); this is because protection will happen at different stages, meaning the CDFW will protect layers 4-7, DNS protection will protect you at the domain resolution level, and the SWG will protect URL-level access.
Hello Jack, the policies work as an order of operations; based on your question, traffic will hit DNS first, then Firewall, Web and then DLP. So if you have a policy in place for DNS it will only hit that policy first, and for SWG it will hit Web policies. https://docs.umbrella.com/umbrella-sig-gov/docs/best-practices-for-dns-policies. https://docs.umbrella.com/umbrella-sig-gov/docs/best-practices-for-web-policy
We match Web policies from top to bottom, but we also check identity and destination... that means a user can match multiple rules. Also, we have an implicit allow all at the end.
umbrella support page
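The replies above describe two things worth seeing as code: the layer order (DNS, then CDFW only when an IPsec tunnel is in use, then SWG for web traffic) and top-to-bottom web rule matching on identity plus destination with an implicit allow at the end. The following is an added toy model written for this post; it is not Umbrella code, and every rule, identity, category and port in it is constructed.

```javascript
// Added example (not Umbrella code): a toy model of the policy order the
// support replies describe. Layers run DNS -> CDFW -> SWG; CDFW exists only
// when traffic arrives over an IPsec tunnel. Web rules are matched top to
// bottom on identity AND destination, falling through to an implicit allow.
// All rules, identities, categories and ports below are constructed.

// A request as the model sees it, e.g.
// { port: 443, proto: "tcp", category: "trading", identities: ["AD:Finance"] }

function ruleMatches(rule, req) {
  const idOk = rule.identities.includes("*") ||
    rule.identities.some((i) => req.identities.includes(i));
  const destOk = rule.categories.includes("*") ||
    rule.categories.includes(req.category);
  return idOk && destOk;
}

// First rule whose identity and destination both match decides. Without a
// final explicit block rule, anything unmatched is allowed (implicit allow).
function evaluateWebPolicy(rules, req) {
  for (const rule of rules) {
    if (ruleMatches(rule, req)) return { action: rule.action, rule: rule.name };
  }
  return { action: "allow", rule: "implicit allow" };
}

// Every rule the request matches, in order: a user can "hit" several rules,
// but only the first one determines the verdict.
function matchingRules(rules, req) {
  return rules.filter((r) => ruleMatches(r, req)).map((r) => r.name);
}

const CONSTRUCTED_POLICIES = {
  dns: { blockedCategories: ["malware", "phishing"] },
  firewall: [{ proto: "tcp", port: 22, action: "block" }], // an L4 rule
  web: [
    { name: "block gambling",   identities: ["*"],          categories: ["gambling"], action: "block" },
    { name: "finance may trade", identities: ["AD:Finance"], categories: ["trading"],  action: "allow" },
    { name: "block trading",    identities: ["*"],          categories: ["trading"],  action: "block" },
  ],
};

// deployment = { ipsecTunnel: true|false }; roaming clients only => false.
function enforce(req, deployment, policies = CONSTRUCTED_POLICIES) {
  const trace = [];
  // 1. DNS layer: a block at resolution time ends the evaluation.
  if (policies.dns.blockedCategories.includes(req.category)) {
    trace.push("DNS:block");
    return { verdict: "block", layer: "DNS", trace };
  }
  trace.push("DNS:allow");
  // 2. CDFW: only reachable through the IPsec tunnel.
  if (deployment.ipsecTunnel) {
    const fw = policies.firewall.find((r) => r.proto === req.proto && r.port === req.port);
    if (fw && fw.action === "block") {
      trace.push("CDFW:block");
      return { verdict: "block", layer: "CDFW", trace };
    }
    trace.push("CDFW:allow");
  } else {
    trace.push("CDFW:n/a");
  }
  // 3. SWG: web ports only. Non-web traffic is not inspected here, which is
  //    why roaming clients alone leave e.g. SSH unfiltered in this model.
  if (req.proto === "tcp" && (req.port === 80 || req.port === 443)) {
    const web = evaluateWebPolicy(policies.web, req);
    trace.push(`SWG:${web.action}(${web.rule})`);
    return { verdict: web.action, layer: "SWG", trace };
  }
  trace.push("SWG:n/a");
  return { verdict: "allow", layer: "none", trace };
}
```

Running the same SSH request with `ipsecTunnel: true` and `false` shows the practical difference the replies point at: the tunnel path blocks at CDFW, the roaming-client-only path allows it because nothing after DNS looks at non-web traffic.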
Secure Client vs PAC.
Hi Jack, if the Umbrella module is deployed to endpoints, it is not necessary to deploy the PAC file; however, the client is not supported on Windows servers. If you wish to protect servers, the PAC file is the easiest way to protect them.
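Since the PAC file is the suggested route for servers, here is an added example of what such a file looks like; it is written for this post and is not Umbrella's PAC file. The proxy hostname and port, the internal domain suffix and the DNS lookup table are placeholders, and the small helper functions at the top re-implement the PAC built-ins a browser normally provides so the file can also be exercised outside a browser.

```javascript
// Added example, not Umbrella's PAC file. Sends HTTP/HTTPS to a cloud SWG
// proxy and keeps loopback, single-label intranet names, an internal domain
// suffix and RFC 1918 destinations direct.
// PLACEHOLDER: replace with the SWG proxy endpoint from your own tenant.
const SWG_PROXY = "PROXY swg-proxy.example.invalid:443";

// --- Minimal re-implementations of PAC built-ins (a browser supplies these;
// --- they are defined here only so the file runs stand-alone for testing).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, pattern) {
  const re = new RegExp("^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")  // escape regex metacharacters
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}
function isInNet(ip, net, mask) {
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}
// Constructed lookup table standing in for the browser's blocking dnsResolve().
const CONSTRUCTED_DNS = {
  "intranet.corp.example.invalid": "10.1.2.3",
  "printer.example.invalid": "192.168.1.50",
  "www.example.com": "203.0.113.10",
};
function dnsResolve(host) {
  return CONSTRUCTED_DNS[host] || null;
}

// --- The actual PAC entry point.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Loopback and single-label intranet names never leave the host/LAN.
  if (host === "localhost" || host === "127.0.0.1" || isPlainHostName(host)) {
    return "DIRECT";
  }
  // 2. Internal domain suffix (placeholder) stays on-prem.
  if (shExpMatch(host, "*.corp.example.invalid")) return "DIRECT";
  // 3. Literal or resolved RFC 1918 addresses bypass the SWG. Note that
  //    dnsResolve() is a blocking lookup in real browsers; keep it last among
  //    the bypass checks so most hostnames never trigger it.
  const ip = ipToInt(host) !== null ? host : dnsResolve(host);
  if (ip && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
             isInNet(ip, "172.16.0.0", "255.240.0.0") ||
             isInNet(ip, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // 4. All other web traffic goes to the SWG. No "; DIRECT" fallback is
  //    appended on purpose: that would fail open if the proxy is unreachable.
  if (/^https?:/i.test(url)) return SWG_PROXY;
  // Anything else the browser asks about (e.g. ftp:) is not the SWG's job.
  return "DIRECT";
}
```

Two things to check when adapting this: the bypass list is where data quietly escapes inspection, so every DIRECT entry should be a destination you actually own; and the absence of a `; DIRECT` fallback on the proxy line is deliberate, since adding one turns a proxy outage into an unfiltered connection.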