
Cisco Meraki and Umbrella Integration - MR Advanced/Upgrade License

Overview

The Meraki MR Advanced + Upgrade Licenses with Cisco Umbrella integration enables Meraki administrators to assign predefined Umbrella content filtering and security policies to an SSID or Group Policy directly from the dashboard and removes the need to integrate with an existing Umbrella dashboard or Umbrella account. Once Umbrella policies are assigned, all DNS requests from wireless clients will be intercepted by the upstream MR access point and redirected to Cisco's Umbrella DNS resolvers for evaluation. That DNS lookup either resolves successfully, allowing the client to connect to the requested web page, or is blocked, which redirects the client to an Umbrella block page.

Prerequisites

In order to use the new MR Advanced & Upgrade License Umbrella integration the following prerequisites have to be met:

  • The organization where the integration will be used must have the Meraki Per-Device Licensing (PDL) model enabled

  • Each network using the integration must have a valid MR Advanced or MR Upgrade + device (Enterprise) license assigned for every access point.

  • All access points in the dashboard network must be running MR 26.1+ firmware.

 

There are two types of MR licenses that can enable the Meraki Umbrella integration: MR Advanced and MR Upgrade license. 

  • The MR Advanced license includes a device (Enterprise) license for an MR access point itself in addition to the Umbrella add-on license which enables Umbrella functionality on that access point. This license is generally purchased for licensing a new MR access point that does not already have a license.
  • The MR Upgrade license is considered an add-on license and enables Umbrella functionality only. It can only be assigned to MR access points with an active device (Enterprise) license. This license is generally purchased for MR access points that already have a basic enterprise license (not enabled for Umbrella).
    • If purchased and assigned together, MR Upgrade and MR device (Enterprise) licenses will share an expiration date. If purchased and assigned separately, they can have different expiration dates. Sets of "1-day licenses" can be used to “true-up” two licenses (make expiration dates the same) with different expiration dates. You can learn more about PDL model in the Meraki Per-Device Licensing Overview document.
    • Note that if a device (Enterprise) license expires before the MR Upgrade license does, the Umbrella functionality will also stop working on that access point. The reverse is true as well: if an MR Upgrade license expires before a device (Enterprise) license does, the Umbrella functionality will stop working on that access point; however, the access point will continue to function without Umbrella features.

 

Note that MR Advanced and MR Upgrade licenses can only be used on organizations using the Meraki Per-Device Licensing model. If you attempt to claim an order containing Meraki MR Advanced and/or Meraki MR Upgrade license(s) into an organization using co-termination licensing, the PDL conversion workflow triggers (see below). After the conversion to PDL completes, you have the ability to claim the order containing MR Advanced or MR Upgrade licenses into your Organization. This conversion to PDL licensing is permanent and cannot be reversed, so please exercise caution when confirming the PDL conversion workflow.

Free trials for Cisco Meraki and Umbrella Integration - MR Advanced/Upgrade License are currently available with the following limitations:

  • Countries supported: the US and Japan only.
  • Trial extensions will not be reflected in the Dashboard. Please work with your Sales Rep to get a new trial expiration date.
  • There is no 30-day grace period for free trials.

 

All access points in the dashboard network must have a valid MR Advanced or MR Upgrade + device (Enterprise) licenses assigned. If some access points are missing these licenses, Umbrella functionality will be disabled for the entire dashboard network.

 

The MR Umbrella integration provides a single pane of glass experience for content filtering and security policies configuration and monitoring. 

Please note that because all configuration and monitoring is done in the Meraki dashboard, there is no access to a Cisco Umbrella dashboard as the integration is automatically provisioned, and only predefined policies in the Meraki dashboard will be used. 

 

A manual API-key-based MR Umbrella integration can be used if you require more in-depth control or access to the Cisco Umbrella dashboard.

Claiming MR Advanced/Upgrade License(s) into a Co-Termination Organization

Note: If your organization already follows the Per-Device Licensing (PDL) model, this section should be skipped. You can claim your order containing MR Advanced or Upgrade licenses or license keys themselves by navigating to Organization > License Info and clicking the Add button on the top-right.

 

To claim MR Advanced/Upgrade licenses into an organization using co-termination (co-term) licensing:

  1. Navigate to Organization > Inventory > Claim and type your Meraki order number.

 

Meraki-Umbrella1.png

 

  2. If your order contains Meraki MR Advanced and/or Meraki MR Upgrade license(s) and your Organization uses the co-term licensing model, this addition triggers the PDL conversion flow. Click Next to proceed.

 

Meraki-Umbrella2.png

 

  3. Follow through the prompts by clicking Next.

 

Meraki-Umbrella3.png


 

Meraki-Umbrella4.png

 

  4. Read and understand the Supplemental End User License Agreement, confirm that you understand that the conversion process is irreversible by selecting the checkbox, and proceed by clicking Next.

 

Meraki-Umbrella5.png

 

Note: The conversion process does not actually claim the order that triggered the conversion. Once the process is complete, please go ahead and claim your order or MR Advanced/Upgrade license keys themselves by clicking Done and following the prompts.

 

Meraki-Umbrella6.png

 

  5. Enter your order number or license key and click Next.

 

Meraki-Umbrella7.png

 

  6. Confirm that your order or license key is added successfully. Click Next.

 

Meraki-Umbrella8.png


 

Meraki-Umbrella9.png

 

Creating a Dashboard Network and Assigning Access Points

Create a dashboard network if you do not have one. For detailed instructions, refer to the Creating and Deleting Dashboard Networks document.

Note: Access points with MR Advanced or MR Upgrade licenses can be added to either Combined or Wireless-only network types. However, if a network has a manual MX or MR Umbrella integration, that integration has to be disabled before setting up the MR Advanced & Upgrade License with Umbrella integration.

 

Meraki-Umbrella10.png

 

  1. Add access point(s) to your network
  2. Navigate to Organization > Inventory > Devices > Add

 

Meraki-Umbrella11.png

 

  3. Follow through the prompts by clicking Next.

 

Meraki-Umbrella12.png

 

Meraki-Umbrella13.png

 

  4. Assign your access point to a network:

 

Meraki-Umbrella14.png

 

Note: You can skip this step by clicking “Assign Later”. In this case, your access point will be added to the Inventory instead.

 

  5. Click Done to finish the network assignment.

 

Meraki-Umbrella15.png

Assigning MR Advanced/Upgrade licenses

In order for the MR Advanced/Upgrade License Umbrella integration to work, all access points (if there is more than one) in the Dashboard Network must have valid MR Advanced or MR Upgrade + device (Enterprise) licenses assigned.

Assigning MR Advanced/Upgrade licenses from the Devices tab is not currently supported. Please utilize the Licenses tab as noted below.

 

Follow these steps to assign required licenses:

  1. Navigate to Organization > License Info > Licenses

  2. Check the box next to the desired license(s) in the list and select Assign licenses from the Actions menu 

 

Meraki-Umbrella16.png

 

  3. Select the number of licenses you would like to assign and click Next.

 

Meraki-Umbrella17.png


 

Meraki-Umbrella18.png

Note: PDL model allows Meraki admins to move licenses between Organizations within the same MSP portal without the help of Meraki Support. If you would like to enable the Cisco Meraki and Umbrella Integration with MR Advanced/Upgrade License in a different PDL Organization, there are two options. 1) Move an unassigned MR Advanced/Upgrade license from the source Organization to the destination Organization, assign this license to an MR in the destination Organization, and add this MR to a Dashboard network. 2) Move an access point with MR Advanced/Upgrade License assigned from the source Organization to the destination Organization and add this MR to a Dashboard network.

Upgrading MR Firmware

Upgrade your dashboard network to MR 26.X firmware version. For detailed instructions on upgrading your network firmware version, refer to the Managing Firmware Upgrades document.

Predefined Umbrella Policies in the Meraki Dashboard

There are seven predefined Umbrella policies, which consist of different combinations of security settings and content filtering.

 

Appropriate Filtering

  • Basic Appropriate Use Filtering

  • Moderate Appropriate Use Filtering

  • Full Appropriate Use Filtering

 

Security & Appropriate Filtering

  • Security Filtering Only

  • Security & Basic Appropriate Use Filtering

  • Security & Moderate Appropriate Use Filtering (Default)

  • Security & Full Appropriate Use Filtering

 

There are specific use cases for each of the three Content Filtering Categories.

  • Basic Appropriate Use Filtering is expected to be used in school environments. Students will be protected from viewing inappropriate content with German Youth Protection, Internet Watch Foundation, Pornography, Sexuality, and Tasteless categories while being allowed to do the necessary research for their classwork or homework.

 

  • Moderate Appropriate Use Filtering is meant for the Guest WiFi use case. Content settings for this category will allow users to access common chat apps (e.g. Facebook Messenger, WhatsApp), file storage platforms (e.g. box.com, dropbox.com), photo sharing (e.g. instagram.com), social networking (e.g. facebook.com, twitter.com), and video sharing (e.g. youtube.com) while being blocked from visiting Drugs, Gambling, Hate / Discrimination, Lingerie / Bikini, Nudity, Pornography, Terrorism, Weapons and other content that should not be accessed on a typical Guest wireless network.

 

  • Full Appropriate Use Filtering is targeting a Corporate SSID use case with the most restrictive content policies. Corporate employees should not have access to categories like Alcohol, Chat, Dating, Drugs, Gambling, Games, Instant Messaging, Lingerie / Bikini, Nudity, Photo Sharing, Pornography, Social Networking, Video Sharing, and others. Custom exceptions can be configured for productivity categories like Chat (e.g. Slack), File Storage, and Webmail.

 

Security settings can be applied on top of these categories with Security & Appropriate Filtering policies.

Predefined Umbrella Policies Breakdown

Basic Appropriate Use Filtering

  • Security Settings - none
  • Content Filtering Settings - block the following categories:
    • German Youth Protection

    • Internet Watch Foundation

    • Pornography

    • Proxy / Anonymizer

    • Sexuality

    • Tasteless

 

Moderate Appropriate Use Filtering

  • Security Settings - none
  • Content Filtering Settings - block the following categories:
    • Adware

    • Alcohol

    • Dating

    • Drugs

    • Gambling

    • German Youth Protection

    • Hate / Discrimination

    • Internet Watch Foundation

    • Lingerie / Bikini

    • Nudity

    • Pornography

    • Proxy / Anonymizer

    • Sexuality

    • Tasteless

    • Terrorism

 

Full Appropriate Use Filtering

  • Security Settings - none
  • Content Filtering Settings - block the following categories:
    • Adult Themes

    • Adware

    • Alcohol

    • Chat

    • Classifieds

    • Dating

    • Drugs

    • File Storage

    • Forums / Message Boards

    • Gambling

    • Games

    • German Youth Protection

    • Hate / Discrimination

    • Instant Messaging

    • Internet Watch Foundation

    • Lingerie / Bikini

    • Nudity

    • P2P / File Sharing

    • Photo Sharing

    • Pornography

    • Proxy / Anonymizer

    • Sexuality

    • Social Networking

    • Tasteless

    • Terrorism

    • Video Sharing

    • Visual Search Engines

    • Weapons 

    • Webmail

 

Security Filtering Only 

  • Security Settings - block the following categories:
    • Malware
    • C&C Callbacks
    • Phishing Attacks
    • Cryptomining
  • Content Filtering Settings - none

 

Security & Basic Appropriate Use Filtering

  • Security Settings - block the following categories:
    • Malware
    • C&C Callbacks
    • Phishing Attacks
    • Cryptomining
  • Content Filtering Settings - block the following categories:
    • German Youth Protection

    • Internet Watch Foundation

    • Pornography

    • Proxy / Anonymizer

    • Sexuality

    • Tasteless

 

Security & Moderate Appropriate Use Filtering

  • Security Settings - block the following categories:
    • Malware
    • C&C Callbacks
    • Phishing Attacks
    • Cryptomining
  • Content Filtering Settings - block the following categories:
    • Adware

    • Alcohol

    • Dating

    • Drugs

    • Gambling

    • German Youth Protection

    • Hate / Discrimination

    • Internet Watch Foundation

    • Lingerie / Bikini

    • Nudity

    • Pornography

    • Proxy / Anonymizer

    • Sexuality

    • Tasteless

    • Terrorism

 

Security & Full Appropriate Use Filtering

  • Security Settings - block the following categories:
    • Malware
    • C&C Callbacks
    • Phishing Attacks
    • Cryptomining
  • Content Filtering Settings - block the following categories:
    • Adult Themes

    • Adware

    • Alcohol

    • Chat

    • Classifieds

    • Dating

    • Drugs

    • File Storage

    • Forums / Message Boards

    • Gambling

    • Games

    • German Youth Protection

    • Hate / Discrimination

    • Instant Messaging

    • Internet Watch Foundation

    • Lingerie / Bikini

    • Nudity

    • P2P / File Sharing

    • Photo Sharing

    • Pornography

    • Proxy / Anonymizer

    • Sexuality

    • Social Networking

    • Tasteless

    • Terrorism

    • Video Sharing

    • Visual Search Engines

    • Weapons 

    • Webmail

Security Categories Definitions

  • Malware - Block requests to access servers hosting malware and compromised websites through any application, protocol, or port.

  • Command and Control (C&C) Callbacks - Prevent compromised devices from communicating with hackers' command and control servers through any application, protocol or port and help identify potentially infected machines on your network.

  • Phishing Attacks - Protect users from fraudulent hoax websites designed to steal personal information.

  • Cryptomining - Allows you to block identities from accessing known cryptomining pools where miners group together and share resources—processing power—to better gather and share cryptocurrencies, and from known web cryptomining source code repositories. By blocking cryptomining, Umbrella protects you from the recent emergence of cryptomining malware.

Content Categories Definitions

  • Adult Themes—Sites that are adult in nature and are not defined in other rating categories.
    Note: Select this category only if you want to be very restrictive on your network.

  • Adware—Sites that distribute applications that display advertisements without the user's knowledge or choice. It does NOT include sites that serve advertising.

  • Alcohol—Sites about alcohol use, commercial and otherwise.

  • Chat—Sites where you can chat in real-time with groups of people. Includes IRC and video chat sites.

  • Classifieds—Sites for buying and selling (or bartering) goods and services. Includes sites with real estate and housing listings.

  • Dating—Sites for meeting other people.

  • Drugs—Sites about illegal or recreational drug use.

  • File Storage—Sites that offer space for hosting, sharing and backup of digital files.

  • Forums/Message Boards—Sites with discussions, including bulletin boards, message boards, and forums.

  • Gambling—Sites that offer gambling or information about gambling.

  • Games—Sites that offer gameplay and information about games (news, tips, cheat codes).

  • German Youth Protection—Content deemed harmful to minors. This category helps prevent viewing of youth-endangering content in Germany. Block pages for this category will include German text. This list is not controlled by Umbrella; it is controlled by the BPjM (Federal Review Board for Media Harmful to Minors) to be compliant with German law. For more information, see http://www.bundespruefstelle.de/bpjm/Service/english.html.
    Note: Cisco Umbrella does not guarantee compliance with German law.

  • Hate/Discrimination—Sites that promote intolerance based on gender, age, race, nationality, religion, sexual orientation or other group identities.

  • Instant Messaging—Sites that offer access or software to communicate in real-time with other individuals.

  • Internet Watch Foundation (IWF)—Sites that contain child sexual abuse content. For more information about this category, see the Internet Watch Foundation.

  • Lingerie/Bikini—Sites displaying or dedicated to lingerie/bikini that could be considered adult-only.

  • Nudity—Sites that provide images or representations of nudity.

  • P2P/File Sharing—Sites that facilitate the sharing of digital files between individuals, especially through peer-to-peer software, including torrent sites.

  • Photo Sharing—Sites for sharing photographs, as individual images, galleries, and albums.

  • Pornography—Anything relating to pornography, including mild depiction, soft pornography or hard-core pornography.

  • Proxy/Anonymizer—Sites providing proxy bypass information or services. Also, sites that allow the user to surf the net anonymously, including sites that allow the user to send anonymous emails.

  • Sexuality—Sites that provide information, images or implications of bondage, sadism, masochism, fetish, beating, body piercing or self-mutilation. This category is not intended for LGBT-related sites that do not fall under the aforementioned criteria.

  • Social Networking—Sites that promote interaction and networking between people.

  • Tasteless—Sites that contain information on such subjects as mutilation, torture, horror, or the grotesque. Includes Pro-Anorexia and Pro-Suicide related sites.

  • Terrorism—Sites that promote terrorism or are linked with terrorist organizations.

  • Video Sharing—Sites for sharing video content.

  • Visual Search Engines—Sites for searching for images based on keywords.

  • Weapons—Sites about weapons, commercial and otherwise.

  • Webmail—Sites that offer the ability to send or receive email.

 

If a site was blocked for a content category, you can do a domain lookup on OpenDNS.com.

Note: If you are running into any issues with Umbrella, please contact Meraki Support. If necessary, a Meraki Support Engineer will escalate with Umbrella Support on your behalf. There is no need to contact Umbrella Support directly, as they are not able to support this Meraki feature.

Applying an Umbrella Policy to an SSID

  1. Navigate to Wireless > Firewall and Traffic Shaping.

  2. Select the desired SSID from the drop-down menu on top.

  3. Select Enable Umbrella Protection under DNS layer Protection to link the SSID to Umbrella.

  4. Select the desired Umbrella policy from the dropdown list.

 

Meraki-Umbrella19.png

 

  5. Click Save Changes on the bottom of the page.

Note: If instead of the "Enable Umbrella Protection" button you see "We're currently provisioning your Umbrella integration. Please try again later", please wait 5-10 minutes. Umbrella account provisioning takes approximately 5 minutes.

 

Screenshot at Oct 22 11-36-50.png

 

If there is any other message, please contact Meraki Support. 

DNS Exclusion for an SSID

When an SSID is configured in Bridge mode, the option to configure DNS Exclusion will be available under the Policy selection dropdown menu. This allows administrators to specify domains that should be excluded from Umbrella filtering. DNS requests for excluded domains are not redirected to Umbrella and are instead forwarded to the DNS server specified by the client. This is extremely useful for preventing DNS requests for local resources from being redirected to Umbrella and instead allowing them to reach internal DNS servers to resolve correctly. MRs automatically add the '.local' and 'in-addr.arpa' domains to be excluded from Umbrella redirection by default. 

Note: DNS Exclusion is only available for SSIDs configured in Bridge mode.

Warning: Changing an excluded domain (adding or removing) will result in all clients being temporarily disconnected from the SSID.
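
The exclusion behaviour described above can be modelled offline to find internal zones that are still missing from the list before any change is made. This is an added example, not part of the Meraki documentation: matching on whole-label suffixes is an assumption (the page does not state how the MR matches entries), and the zone names and queries are constructed.

```python
# Domains the page says the MR excludes from Umbrella redirection by default.
DEFAULT_EXCLUSIONS = (".local", "in-addr.arpa")


def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring outer dots."""
    return [part for part in name.strip().lower().strip(".").split(".") if part]


def is_excluded(qname, exclusions):
    """True if qname equals an exclusion entry or is a subdomain of one.

    Assumption: entries match on label boundaries, so 'corp.example.com'
    covers 'dc1.corp.example.com' but not 'notcorp.example.com'.
    """
    q = _labels(qname)
    for entry in exclusions:
        e = _labels(entry)
        if e and len(q) >= len(e) and q[-len(e):] == e:
            return True
    return False


def dns_path(qname, configured=()):
    """Where a query goes: 'client-dns' (excluded) or 'umbrella' (redirected)."""
    exclusions = DEFAULT_EXCLUSIONS + tuple(configured)
    return "client-dns" if is_excluded(qname, exclusions) else "umbrella"


def missing_exclusions(observed_queries, internal_zones, configured=()):
    """Internal zones whose observed queries would still be sent to Umbrella."""
    missing = set()
    for qname in observed_queries:
        if dns_path(qname, configured) == "umbrella":
            missing.update(z for z in internal_zones if is_excluded(qname, [z]))
    return sorted(missing)


# Constructed sample data: query names seen from clients on a Bridge mode SSID.
SAMPLE_QUERIES = [
    "dc1.corp.example.com",
    "Wiki.Lab.Example.com.",
    "printer.local",
    "10.1.168.192.in-addr.arpa",
    "notcorp.example.com",
]
SAMPLE_INTERNAL_ZONES = ["corp.example.com", "lab.example.com"]
SAMPLE_CONFIGURED = ("corp.example.com",)

if __name__ == "__main__":
    for name in SAMPLE_QUERIES:
        print(f"{name:30} -> {dns_path(name, SAMPLE_CONFIGURED)}")
    print("missing:", missing_exclusions(
        SAMPLE_QUERIES, SAMPLE_INTERNAL_ZONES, SAMPLE_CONFIGURED))
```

Because every change to the exclusion list disconnects clients from the SSID, working out the complete list this way allows it to be applied in a single change.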

Disabling DNS Layer Protection for an SSID

If you wish to disable DNS layer protection for an SSID, select the Disable Umbrella protection button under Wireless > Firewall and Traffic Shaping and click Save Changes on the bottom of the page.

 

Meraki-Umbrella20.png

Creating and Applying a Group Policy with Umbrella Protection Enabled

  1. Navigate to Network-wide > Group Policies > Add a group

  2. Type a name for the Group Policy

  3. Under Firewall and traffic shaping select Custom SSID firewall and shaping rules

  4. Click Save Changes on the bottom of the page

 

Meraki-Umbrella21.png

 

  5. Navigate back to the newly created policy

  6. Select Enable Umbrella Protection under DNS layer protection

  7. Choose a desired policy from the dropdown menu

  8. Select Save Changes on the bottom of the page

 

Meraki-Umbrella22.png

Note: Group Policies do not allow you to configure DNS Exclusions.

 

  9. Navigate to Network-wide > Clients

  10. Click on the client, select Different policies by SSID, and select your Group Policy name. Click Save under the Device policy dropdown

 

Meraki-Umbrella23.png

Disabling DNS Layer Protection for a Group Policy

If you wish to disable DNS layer protection for Group policies, navigate to Network-wide > Group policies, click the desired Group policy, and click Disable Umbrella protection button. Click Save Changes on the bottom of the page.

DNS Traffic Flow

Meraki-Umbrella24.png

 

This section of the article describes, in detail, the expected traffic flow of DNS traffic from clients after an SSID or group policy has been successfully configured in the dashboard.

  1. A client sends a DNS Query for the desired domain name (e.g. twitter.com)

  2. Upstream MR access point intercepts the DNS query and attaches an identifier to it which allows Umbrella to determine which policy to enforce

  3. MR then encrypts the DNS query using DNSCrypt, source-NATs the packet to the MR management IP, and redirects it to the appropriate Umbrella resolver

  4. Once received, the Umbrella resolver decrypts the DNS query and enforces the appropriate Umbrella policy (based on the attached identifier)

  5. If the request is allowed per configured policy then Umbrella returns an encrypted DNS response with the appropriate IP

  6. If the request should be blocked then Umbrella returns an encrypted DNS response pointing to the Umbrella block page IP address

  7. The client is sent to the desired domain name (e.g. twitter.com) or Umbrella Block page based on the applied policy

 

Please contact Meraki Support if you have any questions. 

Note: Cisco Umbrella DNS filtering has the following general limitations: 

  1. If a client machine is programmed to reach out to the IP address of a remote server directly, a DNS filtering solution like Umbrella will not prevent this communication, since there is no DNS query that the MR can intercept.

  2. If a client is using some form of end-to-end encryption (e.g. VPN solution) that encrypts traffic between the client and a remote server (including DNS queries), MR will not be able to intercept those queries and forward them to an Umbrella resolver.

Note: DNSCrypt Compatibility

Access points that do not support 802.11ac, such as the MR18, will still be able to utilize Umbrella DNS services but do not support the use of DNSCrypt when communicating back to the Umbrella servers. All access points that are capable of 802.11ac or newer fully support the use of DNSCrypt with Umbrella DNS.
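
The client receives an ordinary DNS response once the MR has decrypted Umbrella's reply, so steps 5 to 7 of the flow can be verified from responses captured on a client. The following added example (not part of the Meraki documentation) parses such responses and compares each verdict with what the assigned policy should produce; the block page address is the example this page quotes in its HTTPS section, while the sample responses and the 192.0.2.10 address are constructed.

```python
import ipaddress
import struct

# Block page address this page gives as an example. Assumption: extend the
# set if your deployment returns other block page addresses.
BLOCK_PAGE_IPS = {ipaddress.ip_address("146.112.61.106")}


def _skip_name(msg, off):
    """Return the offset just past the DNS name that starts at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        if length == 0:                # root label ends the name
            return off + 1
        off += 1 + length


def a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    try:
        _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
        if not flags & 0x8000:
            raise ValueError("message is a query, not a response")
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
        addrs = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
                addrs.append(ipaddress.ip_address(msg[off:off + 4]))
            off += rdlen
        return addrs
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated or malformed DNS message") from exc


def verdict(msg):
    """Classify a response as 'blocked', 'resolved' or 'no-answer'."""
    addrs = a_records(msg)
    if not addrs:
        return "no-answer"
    return "blocked" if any(a in BLOCK_PAGE_IPS for a in addrs) else "resolved"


def policy_mismatches(expected, responses):
    """List (domain, expected, observed) where enforcement differs from policy."""
    out = []
    for domain, want in sorted(expected.items()):
        got = verdict(responses[domain])
        if got != want:
            out.append((domain, want, got))
    return out


def build_response(qname, ip):
    """Construct a minimal DNS response with one A record (sample data only)."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    return header + question + answer + ipaddress.ip_address(ip).packed


# Constructed capture: dropbox.com answered with the block page address,
# twitter.com answered with a documentation-range address (not blocked).
SAMPLE_RESPONSES = {
    "dropbox.com": build_response("dropbox.com", "146.112.61.106"),
    "twitter.com": build_response("twitter.com", "192.0.2.10"),
}
# Under Full Appropriate Use Filtering the page lists File Storage and
# Social Networking as blocked, so both lookups should hit the block page.
EXPECTED_FULL = {"dropbox.com": "blocked", "twitter.com": "blocked"}

if __name__ == "__main__":
    for row in policy_mismatches(EXPECTED_FULL, SAMPLE_RESPONSES):
        print("policy not enforced: %s expected=%s observed=%s" % row)
```

A mismatch such as the constructed twitter.com case means the query was not evaluated against the assigned policy, for example because it never passed through the MR.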

Blocking HTTPS websites

 

Some websites (e.g. twitter.com, facebook.com, instagram.com, dropbox.com) have a security policy called HTTP Strict Transport Security (HSTS). That means that even if a user types dropbox.com in the web browser address bar, which normally implies http://dropbox.com, the browser will connect to https://dropbox.com instead, because the Dropbox website does not allow HTTP connections.

 

This presents a unique challenge for displaying an Umbrella block page as explained below.

If a user tries to visit an HTTPS website by typing https://example.com, or if the website has an HSTS security policy (e.g. dropbox.com), the following will happen:

  1. Client machine sends a DNS query for dropbox.com asking for an IP address

  2. Upstream MR access point intercepts the DNS query and attaches an identifier to it which allows Umbrella to determine which policy to enforce

  3. MR then encrypts the DNS query using DNSCrypt, source-NATs the packet to the MR management IP, and redirects it to the appropriate Umbrella resolver

  4. Once received, the Umbrella resolver decrypts the DNS query and enforces the appropriate Umbrella policy (based on the attached identifier)

  5. Let’s say that “Full Appropriate Use Filtering” is applied to the SSID and, therefore, https://dropbox.com (File Storage) should be blocked.

  6. Umbrella will return an encrypted DNS response pointing to the Umbrella block page IP address (e.g. 146.112.61.106). This response will be decrypted by the MR and sent to the client.

 

Meraki-Umbrella25.png

 

  7. The client will try to establish a TLS session with 146.112.61.106 (Umbrella server) IP address received in the DNS response.

  8. Umbrella’s block page presents an SSL certificate to browsers that make connections to HTTPS sites. The certificate will match the requested site name (Common Name - CN) but will be signed by the Cisco Umbrella Root Certificate Authority (CA). If this CA is not trusted by your browser, an error may be displayed. For example, you can see the TLS certificate presented by OpenDNS, Inc for dropbox.com website here:

 

Meraki-Umbrella26.png

 

As you can see, the main issue here is that “Cisco Umbrella Root CA” is not trusted.

  9. This is an example of what we would see in the Wireshark packet capture taken on the client machine:

 

Meraki-Umbrella27.png

 

  10. Most modern browsers (like Google Chrome, Mozilla Firefox, Safari) will prevent users from going to a website with an untrusted/unexpected TLS certificate. Typical errors include: "Your connection is not private" (Google Chrome), "Did Not Connect: Potential Security Issue" (Mozilla Firefox), or "Safari Can’t Open the page" (Safari). Although the error is expected, the messages displayed can be confusing to the end-users.

 

To avoid these errors entirely, it’s necessary to install the Cisco Root Certificate on the client machines. This can be done on a per-browser or per-machine basis for personal use or small deployments. For larger deployments, an automatic installation through Group Policy (GPO) can be done. Note that the automatic installation through GPO will only work for users with Internet Explorer, Edge, or Chrome on Windows systems. As such, if your network includes some users who use Firefox or Safari browsers, and for users on non-Windows operating systems, the manual installation procedures must be followed.

 

Please follow the steps in Cisco Umbrella's Install the Cisco Certificate document to install the Cisco Root Certificate. Once installed, your users will be presented with Umbrella Block Page even for HTTPS and/or HSTS websites.

Meraki-Umbrella28.png

NOTE: Cisco Umbrella's resolvers live at 208.67.222.222/32 and 208.67.220.220/32; Meraki sends DNS traffic to either one. Make sure any upstream devices allow bi-directional UDP 443 to these addresses.

 

NOTE: The instructions above presume that you have access to an existing Umbrella Dashboard. If you do not have such access, you can download the Cisco Umbrella Root CA certificate directly from the Cisco website.

 

 Screenshot at Mar 31 12-59-22.png

Using the Security Center to View MR DNS Events

The Meraki Security Center provides reporting functionality for MR DNS events for all networks in the organization. To view these reports, navigate to Organization > Security Center > MR DNS Events.

 

It’s possible to search for a particular blocked website by prepending "uri:" to the search string (e.g. "uri:exampleadult.com") or for a particular blocked client by prepending "client:" to the search string (e.g. "client:192.168.219.13").

 

Meraki-Umbrella29.png

 

Note: For newly provisioned Umbrella accounts it takes up to 60 minutes to start pulling MR DNS events from the Umbrella dashboard. The same applies to newly added MRs after the Umbrella account has been provisioned. It takes 10-20 minutes to pull any subsequent new events.


Article ID

ID: 8903
