Introduction
This document describes Persistent IP in Cisco Secure Web Gateway (SWG).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Secure Web Gateway.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
Secure Web Gateway (SWG) traffic is load-balanced across a number of proxy instances with different IP addresses. However, as of February 2022, SWG provides a consistent egress IP for all outgoing web requests using a feature called Persistent IP.
Persistent IP now applies to (almost) all web traffic. This feature mitigates potential problems that can occur when websites track the source IP address as part of the session.
Note: Persistent IP is not currently available for traffic using Umbrella's Remote Browser Isolation feature (RBI). This only applies when the "Isolate" action is configured for a rule in your Web Policy.
Egress IP Range
The introduction of this feature means SWG now uses a new egress IP address range. For details on the IP address range used by Umbrella SWG, see this article.
IP Persistence Problems
A website can choose to store the source IP of the user along with their "session". Typically (but not always), this includes websites which require login credentials, where the source IP is also "validated" to check that the session is still valid. A persistent IP is also required for websites that use TLS session resumption (RFC 5077).
If a persistent IP is not used, these websites can behave unexpectedly and can intermittently "log out" the user or present intermittent error messages.
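The session behavior described above, as an added example that is not from the Cisco documentation: a site that binds each session to the source IP seen at login, reached once through per-request load balancing and once through a persistent egress. The egress addresses, the hash-based `persistent_egress` selection and all names are assumptions for illustration; the page does not state how SWG chooses the egress IP.

```python
import hashlib
import itertools
import secrets

# Constructed egress addresses (documentation range), not Umbrella's real range.
EGRESS_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

class IpBoundSessionSite:
    """Hypothetical website that stores the source IP with the session."""
    def __init__(self):
        self._sessions = {}  # session id -> source IP seen at login

    def login(self, source_ip):
        sid = secrets.token_hex(16)
        self._sessions[sid] = source_ip
        return sid

    def request(self, sid, source_ip):
        bound_ip = self._sessions.get(sid)
        if bound_ip is None:
            return "401 no session"
        if bound_ip != source_ip:
            # Source IP changed mid-session: the site drops the session.
            del self._sessions[sid]
            return "401 logged out"
        return "200 ok"

def rotating_egress():
    """Per-request load balancing: each request leaves from the next proxy IP."""
    pool = itertools.cycle(EGRESS_POOL)
    return lambda client_id: next(pool)

def persistent_egress():
    """Assumed stand-in for Persistent IP: same client, same egress IP."""
    def pick(client_id):
        digest = hashlib.sha256(client_id.encode()).digest()
        return EGRESS_POOL[digest[0] % len(EGRESS_POOL)]
    return pick

def browse(pick_egress, client_id="user-a", count=4):
    """Log in, then send follow-up requests through the proxy; return statuses."""
    site = IpBoundSessionSite()
    sid = site.login(pick_egress(client_id))
    return [site.request(sid, pick_egress(client_id)) for _ in range(count)]

if __name__ == "__main__":
    print("rotating  :", browse(rotating_egress()))
    print("persistent:", browse(persistent_egress()))
```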
Umbrella SWG Website Compatibility
If you think a website is having problems related to IP Persistence, please check the following:
- Check if the category / application / destination is subject to Isolate action in your web policy. Verify if the issue still happens without Remote Browser Isolation. This traffic does not use the Persistent IP feature.
- Contact Umbrella support to check your organization settings. A small number of customers have temporarily disabled the Persistent IP feature to allow time to account for the new IP range.
Additional Information
- You do not need to take any action to enable Persistent IP for a website. In the past, this feature was only enabled for some domains (those with HTTPS inspection disabled). However, this feature now applies to all destinations.
- This feature works for both HTTP and HTTPS traffic.
- You do not get a fixed static IP address. This feature provides a persistent egress IP address for subsequent web requests in the same session. But Umbrella does not provide a fixed/static IP address for each organization. Umbrella is a multi-tenant platform, and multiple customers can share the same egress IP address.