📘CompTIA Security+ (SY0-701)
1. Overview of Web Security Controls in Cisco Umbrella
Cisco Umbrella provides cloud-based web security that protects users from accessing malicious, risky, or unwanted web content.
Web security controls in Umbrella allow administrators to:
- Identify who is accessing the internet
- Control which websites or web content users can access
- Create allow or block lists for destinations
- Monitor and analyze internet usage and security events
The key web security control components covered in this topic are:
- Identities
- URL Content Settings
- Destination Lists
- Reporting
2. Identities in Cisco Umbrella
2.1 What Are Identities?
An identity in Cisco Umbrella defines where internet traffic comes from and who the policy applies to.
Umbrella uses identities to apply different security policies to different users, devices, or networks.
Without identities, Umbrella would not know:
- Which user generated traffic
- Which network the request came from
- Which policy should be applied
2.2 Types of Identities in Cisco Umbrella
Cisco Umbrella supports multiple identity types:
a. Network Identities
- Based on public IP addresses
- Used for office networks, data centers, branch sites
- Created by adding the organization’s public IP address to Umbrella
Use case:
Apply web filtering policies to all users behind a company firewall.
b. Roaming Client Identities
- Based on individual endpoints
- Used for laptops and remote users
- Traffic is protected even when users are outside the office
Use case:
Apply web security to employees working from home or traveling.
c. Active Directory (AD) Identities
- Based on user or group accounts
- Integrated with Microsoft Active Directory
- Allows user-based and group-based policies
Use case:
Different web access rules for IT staff, finance users, and guests.
d. Virtual Appliance (VA) Identities
- Used for internal networks
- Provides internal IP visibility
- Commonly deployed in enterprise environments
2.3 Policy Order and Identity Priority (Exam Important)
Umbrella evaluates policies in this order:
- User or Group policy
- Roaming Client policy
- Network policy
- Default policy
➡️ The most specific identity always wins
This concept is very important for the exam.
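The evaluation order above, modelled as a small resolver. This is an added example, not Cisco's code or the Umbrella policy engine; policy names, the group, the roaming client ID and the address range are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Identity types in the order the page gives: most specific first, Default last.
IDENTITY_PRIORITY = ("user_or_group", "roaming_client", "network")

@dataclass
class Request:
    source_ip: str                           # public IP seen by Umbrella
    ad_user: Optional[str] = None            # known only when AD integration identifies the user
    ad_groups: tuple = ()                    # AD groups of that user
    roaming_client_id: Optional[str] = None  # set when the request comes through the roaming client

@dataclass
class Policy:
    name: str
    identity_type: str                       # one of IDENTITY_PRIORITY, or "default"
    members: frozenset = frozenset()         # users/groups, roaming client IDs, or network CIDRs

def _identity_matches(policy: Policy, req: Request) -> bool:
    if policy.identity_type == "user_or_group":
        return req.ad_user in policy.members or any(g in policy.members for g in req.ad_groups)
    if policy.identity_type == "roaming_client":
        return req.roaming_client_id in policy.members
    if policy.identity_type == "network":
        ip = ip_address(req.source_ip)
        return any(ip in ip_network(cidr) for cidr in policy.members)
    return False

def resolve_policy(policies, req: Request) -> Policy:
    """Walk identity types from most to least specific; the first matching policy wins.
    A request that matches no identity falls through to the Default policy."""
    for itype in IDENTITY_PRIORITY:
        for policy in policies:
            if policy.identity_type == itype and _identity_matches(policy, req):
                return policy
    return next(p for p in policies if p.identity_type == "default")

# Constructed sample policies (names, group and address range are made up)
POLICIES = [
    Policy("Finance-Users", "user_or_group", frozenset({"finance"})),
    Policy("Roaming-Laptops", "roaming_client", frozenset({"rc-1001"})),
    Policy("HQ-Network", "network", frozenset({"203.0.113.0/24"})),
    Policy("Default", "default"),
]
```

A finance user on a roaming laptop inside the HQ network matches all three identity types, and the resolver returns the user/group policy, which is the "most specific wins" rule the exam expects.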
3. URL Content Settings
3.1 What Are URL Content Settings?
URL content settings define what type of web content is allowed or blocked.
Umbrella uses:
- URL categories
- Content types
- Security risk levels
These settings help protect users from:
- Malware
- Phishing
- Inappropriate or risky websites
3.2 URL Categorization
Umbrella automatically classifies websites into categories, such as:
- Malware
- Phishing
- Gambling
- Adult content
- Social media
- File sharing
- News and media
- Cloud applications
Each category can be set to:
- Allow
- Block
- Monitor (log only)
Exam Tip:
Umbrella uses DNS-layer intelligence and cloud threat data for categorization.
3.3 Content Type Filtering
Umbrella can filter based on content type, such as:
- Executable files
- Archives (ZIP, RAR)
- Scripts
- Media files
This helps reduce:
- Malware downloads
- Risky file transfers
3.4 Security Categories (High Importance)
Umbrella includes built-in security categories:
- Malware
- Phishing
- Command and Control
- Cryptomining
- Newly Seen Domains
These categories are blocked by default in most security policies.
Exam Focus:
Blocking Newly Seen Domains reduces exposure to zero-day attacks.
3.5 SafeSearch and YouTube Controls
Umbrella can enforce:
- SafeSearch on search engines
- YouTube Restricted Mode
These controls prevent:
- Inappropriate content
- Unsafe search results
4. Destination Lists
4.1 What Are Destination Lists?
Destination lists are custom lists of domains, IPs, or URLs that administrators define.
They allow manual control over specific destinations, regardless of category.
4.2 Types of Destination Lists
a. Allow List
- Always allows access
- Overrides category-based blocking
Use case:
Allow a business-critical website that is incorrectly categorized.
b. Block List
- Always blocks access
- Overrides allowed categories
Use case:
Block known malicious domains or unwanted applications.
4.3 Destination List Components
A destination list can include:
- Domain names (example.com)
- Subdomains
- IP addresses
- CIDR ranges
- URLs (depending on Umbrella package)
4.4 Destination Lists and Policy Assignment
- Destination lists are attached to policies
- Different lists can be used for different identities
- Lists can be shared across multiple policies
Exam Tip:
Destination lists provide granular control beyond URL categories.
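How a destination-list entry covers a destination (domain plus subdomains, single IP, CIDR range) and how the allow/block overrides from 4.2 combine with a category action. This is an added example, not Cisco's code; the names and ranges used in the tests are constructed, and the tie-break for a destination on both lists is this example's assumption.

```python
from ipaddress import ip_address, ip_network

def _as_ip(text):
    try:
        return ip_address(text)
    except ValueError:
        return None

def _as_network(text):
    try:
        return ip_network(text, strict=False)
    except ValueError:
        return None

def entry_matches(entry: str, destination: str) -> bool:
    """True if one destination-list entry covers the destination.
    Domain entries cover the domain and its subdomains; IP entries match exactly;
    CIDR entries cover any address in the range. URL entries are not handled here."""
    entry, destination = entry.lower().rstrip("."), destination.lower().rstrip(".")
    dest_ip = _as_ip(destination)
    if "/" in entry:                                  # CIDR range such as 198.51.100.0/24
        network = _as_network(entry)
        return network is not None and dest_ip is not None and dest_ip in network
    entry_ip = _as_ip(entry)
    if entry_ip is not None:                          # single IP address entry
        return dest_ip == entry_ip
    # Domain entry: exact name or a subdomain; "notexample.com" must not match "example.com"
    return dest_ip is None and (destination == entry or destination.endswith("." + entry))

def in_destination_list(entries, destination) -> bool:
    return any(entry_matches(e, destination) for e in entries)

def web_verdict(destination, category_action, allow_list, block_list) -> str:
    """Combine the category action ("allow", "block" or "monitor") with the lists.
    Block list overrides allowed categories; allow list overrides category-based blocking.
    Assumption not stated on the page: if a destination is on both lists, the block list wins."""
    if in_destination_list(block_list, destination):
        return "block"
    if in_destination_list(allow_list, destination):
        return "allow"
    return category_action
```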
5. Reporting in Cisco Umbrella
5.1 Purpose of Reporting
Reporting allows administrators to:
- Verify that policies are working
- Monitor user internet activity
- Detect security threats
- Investigate incidents
Reporting is critical for verification, which is explicitly mentioned in the exam topic.
5.2 Types of Reports
Cisco Umbrella provides multiple report types:
a. Activity Search
- Shows detailed logs of DNS and web requests
- Includes:
  - User or identity
  - Destination
  - Action taken (allowed or blocked)
  - Policy applied
  - Timestamp
Exam Focus:
Used for troubleshooting and verification.
b. Security Activity Reports
- Focus on threats such as:
  - Malware
  - Phishing
  - Command-and-control traffic
- Helps identify infected devices
c. Destination Reports
- Shows most accessed domains
- Identifies risky or high-traffic websites
d. Policy Reports
- Shows which policy blocked or allowed traffic
- Useful for confirming policy order and identity matching
5.3 Reporting Filters
Reports can be filtered by:
- Identity
- Policy
- Time range
- Destination
- Action
This makes it easier to:
- Investigate incidents
- Validate security rules
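The Activity Search fields from 5.2 and the filters from 5.3, applied to a handful of constructed records, plus the Security Activity check that surfaces a possibly infected device. This is an added example, not Cisco's code; the column layout, identities, destinations and policy names are made up and are not Umbrella's export format.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed records; the column layout is this example's own, not Umbrella's export format:
# timestamp,identity,destination,category,action,policy
SAMPLE_LOG = """\
2024-05-01T08:00:12Z,HQ-Network,news.example.org,News and Media,allowed,HQ-Network
2024-05-01T08:01:40Z,laptop-17,update.example.net,Command and Control,blocked,Roaming-Laptops
2024-05-01T08:02:05Z,laptop-17,update.example.net,Command and Control,blocked,Roaming-Laptops
2024-05-01T08:02:50Z,laptop-17,beacon.example.net,Command and Control,blocked,Roaming-Laptops
2024-05-01T09:15:00Z,jdoe@corp.example,files.example.com,File Sharing,blocked,Finance-Users
2024-05-01T10:20:33Z,HQ-Network,login.example.com,Phishing,blocked,HQ-Network
"""
FIELDS = ["timestamp", "identity", "destination", "category", "action", "policy"]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_activity(text):
    """Parse the constructed CSV into dicts, turning the timestamp into an aware datetime."""
    rows = list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))
    for row in rows:
        row["timestamp"] = _ts(row["timestamp"])
    return rows

def search(rows, identity=None, policy=None, destination=None, action=None, start=None, end=None):
    """Apply the Activity Search filters: identity, policy, destination, action and time range
    (start/end as ISO strings like "2024-05-01T09:00:00Z", both inclusive)."""
    lo = _ts(start) if start else None
    hi = _ts(end) if end else None
    return [r for r in rows
            if (identity is None or r["identity"] == identity)
            and (policy is None or r["policy"] == policy)
            and (destination is None or r["destination"] == destination)
            and (action is None or r["action"] == action)
            and (lo is None or r["timestamp"] >= lo)
            and (hi is None or r["timestamp"] <= hi)]

def suspected_infections(rows, min_hits=2):
    """Identities with at least min_hits blocked Command and Control requests: the
    Security Activity report's signal for a possibly infected device."""
    hits = Counter(r["identity"] for r in rows
                   if r["category"] == "Command and Control" and r["action"] == "blocked")
    return sorted(ident for ident, n in hits.items() if n >= min_hits)
```

Filtering by identity and checking the `policy` column on the returned rows is the verification step from section 6: it confirms which identity matched and which policy was applied.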
5.4 Logs and Data Retention
- Umbrella stores logs in the cloud
- Retention depends on the license level
- Logs can be exported for compliance or auditing
6. Configure and Verify (Exam Perspective)
Configuration Tasks You Should Understand
- Creating identities
- Assigning policies to identities
- Enabling URL categories and security settings
- Creating and applying destination lists
Verification Tasks You Should Understand
- Using activity search to confirm blocked traffic
- Checking which identity matched the request
- Verifying the applied policy
- Reviewing security events in reports
7. Key Exam Takeaways (Very Important)
- Identities define who the policy applies to
- Policy order matters (most specific wins)
- URL categories and security categories control web access
- Destination lists override categories
- Reporting is used to verify and troubleshoot policies
- Umbrella operates at the DNS and web layer
- All controls are managed through the Umbrella cloud dashboard
8. Summary
Cisco Umbrella web security controls provide centralized, cloud-based protection by:
- Identifying users and networks
- Filtering web content using categories and security intelligence
- Manually allowing or blocking destinations
- Reporting and verifying security events
Understanding how to configure and verify these controls is essential for passing the CCNP Security (350-701) exam.
