Meraki

Community

MX Umbrella integration

Solved
MK2
A model citizen
‎Feb 29 2024 11:16 AM
‎Feb 29 2024 11:16 AM

MX Umbrella integration

Hi everyone,

 

I have a question for you about the Umbrella integration in Meraki. Is the point on the following screenshot a global setting for all subnets on the MX or does it only refer to MX's with integrated WLAN? The setting is under MX > Threat Protection at the bottom.

 

MK2_0-1709234027387.png

If I want to configure something specifically for subnets or clients, I would do this via the Group Policies, right?

 

0 Kudos
1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 11:32 AM
‎Feb 29 2024 11:32 AM

Yes Manually Integrating Cisco Umbrella with Meraki Networks - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

0 Kudos
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 11:32 AM
‎Feb 29 2024 11:32 AM

Yes Manually Integrating Cisco Umbrella with Meraki Networks - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
MK2
A model citizen
‎Feb 29 2024 11:55 AM
‎Feb 29 2024 11:55 AM

But if I unlink Umbrelle here, it shows this:

MK2_0-1709236407183.png

 

And this belongs to WiFi or not? So it seems not to be a general configuration? 

I have already read the documentation you suggested up and down.

0 Kudos
In response to MK2
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 12:12 PM
‎Feb 29 2024 12:12 PM

Have you tried simply ignoring the message and linking with a group policy?🙂

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
MK2
A model citizen
‎Feb 29 2024 12:30 PM
‎Feb 29 2024 12:30 PM

Just going to test drive the Umbrella solution. So your recommendation would be to ignore the setting in the screenshot and work with group policies?

0 Kudos
In response to MK2
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 12:41 PM
‎Feb 29 2024 12:41 PM

In fact, you have to configure it in the way that best suits you.
 
In my case, I configure via Group policy because I have specific policies for each network in the umbrella.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
MK2
A model citizen
‎Mar 1 2024 12:41 AM
‎Mar 1 2024 12:41 AM

Just another question 🙂

Are the global layer 3 firewall rules attached to a group policy or ignored?

0 Kudos
In response to MK2
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 1 2024 2:18 AM
‎Mar 1 2024 2:18 AM

If you configure custom network firewall & traffic shaping group policy the answer is yes as long as you apply it directly to the VLAN interface.
 
Otherwise, this statement is only valid for the clients you apply it to.
 
Just a note from the documentation itself:
 

When a group policy is applied to a VLAN, that policy becomes the new "network default" for any other group policies applied to clients in that VLAN. Since this policy is the new "network default," the client devices will still show a "normal" policy applied under Network-wide > Monitor > Clients.

For example, a group policy named "Guest Network" with more restrictive layer 3 firewall rules than the network-wide configuration is applied to the guest VLAN, and a second group policy "Low Bandwidth" has a custom bandwidth limit, but is set to Use network firewall & shaping rules. If the Low Bandwidth group policy is applied to a client on the guest VLAN, the client will use the layer 3 firewall rules configured on the Guest Network group policy, not the network-wide layer 3 firewall rules configured on the Security & SD-WAN > Configure > Firewall page.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
bradly
Getting noticed
2 weeks ago
2 weeks ago

Hey @alemabrahao 

About the below: 

@alemabrahao wrote:
If you configure custom network firewall & traffic shaping group policy the answer is yes as long as you apply it directly to the VLAN interface.
 
Otherwise, this statement is only valid for the clients you apply it to.
 
Just a note from the documentation itself:
 

When a group policy is applied to a VLAN, that policy becomes the new "network default" for any other group policies applied to clients in that VLAN. Since this policy is the new "network default," the client devices will still show a "normal" policy applied under Network-wide > Monitor > Clients.

For example, a group policy named "Guest Network" with more restrictive layer 3 firewall rules than the network-wide configuration is applied to the guest VLAN, and a second group policy "Low Bandwidth" has a custom bandwidth limit, but is set to Use network firewall & shaping rules. If the Low Bandwidth group policy is applied to a client on the guest VLAN, the client will use the layer 3 firewall rules configured on the Guest Network group policy, not the network-wide layer 3 firewall rules configured on the Security & SD-WAN > Configure > Firewall page.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

I've got a problem that I am unsure about that you have touched on here. 
 
We have a bunch of VLANs, and we want to enable Umbrella for some specific VLANs using group policies linked to Umbrella. However, to do this, we need to enable Custom Firewall & Traffic Shaping on the VLAN group policy. 
 
The VLANs we want to enable Umbrella DNS snooping on, currently have mx network wide layer 3 firewall rules in place. 
 
If we enable Custom Firewall & Traffic Shaping on our VLAN group policies, which activates the group policies layer 3 ruleset. Will this....
 
A) Override the firewall settings for any devices on that VLAN, that do not have a group policy applied to them in any other way? 
B) Override the firewall settings for any devices on that VLAN, that do have a group policy applied to them in any other way? 
0 Kudos
MK2
A model citizen
‎Mar 1 2024 3:07 PM
‎Mar 1 2024 3:07 PM

Tested it again. 
It is a global setting, even if it says something with SSID that makes me think of WLAN. 
The problem is the MX firmware MX 18.208, with which there seem to be problems when sending requests from the MX clients via LAN, funnily enough WLAN works - there is no response from the Umbrella DNS servers.
 
Thanks for everything, now I'm smarter again
0 Kudos
In response to MK2
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 1 2024 4:15 PM
‎Mar 1 2024 4:15 PM

It's not the stable version.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2026 Cisco Systems, Inc.