Configure FTD Application-Based PBR for Umbrella SIG

Available Languages

Download Options

  • PDF     (1.2 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.3 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.2 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 29, 2025
Document ID:225087

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure Firewall Threat Defense (FTD) application-based policy based routing (PBR) for Umbrella SIG.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Access to Umbrella Dashboard
    • Admin access to the FMC running 7.1.0+ to deploy the configuration to the FTD version 7.1.0+. PBR based on apps is supported only on version 7.1.0 and higher
    • (Preferred) Knowledge on FMC/FTD configuration and Umbrella SIG
    • (Optional but highly recommended): Umbrella Root Certificate installed, this is used by SIG when the traffic is either proxied or blocked. For further details of the Root Certificate installation, read more in the Umbrella documentation.

    Components Used

    The information in this document is based on Cisco Umbrella Secure Internet Gateway (SIG).

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Overview

    The information in this document is meant to cover the configuration steps on how to deploy Application-Based PBR on the FTD when establishing a SIG IPsec VTI Tunnel to Umbrella, so you can exclude or include traffic on a VPN based on applications using PBR.


    The configuration example described in this article focuses on how to exclude certain applications from the IPsec VPN while sending everything else over the VPN.

    Full information about PBR on FMC can be found in the Cisco documentation.

    Limitations

    • You cannot have both application and destination address defined in an ACE.

    • While defining the ACL for the policy match criteria, you can select multiple applications from a list of predefined applications to form an Access Control Entry (ACE).
      Currently, you cannot add to or modify the predefined applications list.
    • For those applications not listed on the predefined applications list on the FMC or any unexpected behavior with an application, IPs can be used instead of applications in the PBR.
    • For a list of full limitations please referrer to the PBR's documentation.

    Application-Based PBR

    1. Start by configuring the IPsec tunnel on the FMC as well as on the Umbrella Dashboard. The instructions of how to perform this configuration can be found in the Umbrella documentation.

    2. Make sure that the DNS server that the end user's device behind the FTD is using is listed as a trusted DNS server under Devices > Platform Settings > DNS > Trusted DNS Servers

    If the devices are using a DNS server that is not listed, the DNS snooping can fail, and therefore the PBR based on apps cannot work. Optionally (but not recommended for security reasons), you can toggle on Trust Any DNS server so that adding the DNS server(s) is required.

    note-icon

    Note: If VAs are used as internal DNS resolvers, they must be added as Trusted DNS Servers.



    DNS Platform Settings15669097907860

    3. Create an extended ACL that can be used by the FTD for the PBR process in order to decide whether traffic is sent to Umbrella for SIG or if it is excluded from the IPsec and not sent to Umbrella at all.

    • A deny ACE on the ACL means the traffic is excluded from SIG.
    • A permit ACE on the ACL means the traffic is sent over the IPsec and can apply a SIG policy (CDFW, SWG, etc).

    This example is excluding the applications "Office365", "Zoom" and "Cisco Webex" with a deny ACE. The rest of the traffic is being sent to Umbrella for further inspection. 

    1. Go to Object > Object Management > Access List > Extended.
    2. Define the source network and ports as you normally would, and then add the applications to participate on the PBR.

      Extended ACL15669947000852
      The first ACE can "deny" for those applications mentioned earlier, and the second ACE is a permit to send the rest of the traffic over the IPsec.
      ACE15670006987156

    4. Create the PBR under Devices > Device Management > [select the FTD Device] > Routing > Policy Based Routing.

    • Ingress Interface: The interface where the local traffic is coming from.
    • Matching ACL: Extended ACL created on previous step, ACL "PBR_ACL_1".
    • Send To: IP Address
    • IPv4 Addresses: Next-hop when the PBR finds a permit statement, so the traffic is routed to the IP you add here. In this example, this is Umbrella's IPsec IP. If your VTI VPN's IP is 10.1.1.1, then the Umbrella's IPsec IP would be anything inside that same network (10.1.1.2 for example).

    Forwarding Actions15670209158036
    Edit PBR15670247521556

    5. Deploy the changes on the FMC.

    Verification

    On the testing PC located behind the FTD, check:

    • The traffic from the PC is actually being sent over the IPsec to Umbrella.
      Go to: https://policy-debug.checkumbrella.com/
      Policy Debug for Umbrella15670737148948
    • Try going to any of the sites that are excluded on the PBR/ACL config and make sure the Umbrella Root CA is not presented, meaning the connection is not being proxied:
      Excluded Site15670820980756

    • Try going to any other site that is not based on the applications excluded from the PBR and make sure Umbrella is indeed proxying the connection: 
      note-icon

      Note: In order to avoid issues with a warning page not being trusted, make sure the Umbrella Root CA Certificate is installed.

    Example of Other Site

    • On the FTD's CLI, you can run a few commands to confirm the configuration was properly pushed and working:
      • show run route-map (checks the PBR configuration):
        Command Output15670322054036
      • show run interface gigabitEthernet 0/1 (checks the PBR is applied to the proper interface)
        Command Output15678344219540
      • show run access-list PBR_ACL_1, show object-group id FMC_NSG_17179869596 (confirms the domains added to the ACL for exclusion)
        Command Output15670420887316

        Command Output15670635784852
      • packet-tracer input inside tcp 172.16.72.10 1234 fqdn office.com 443 detailed (verifies the outside interface is used as output and not the VTI one)
    • On the Umbrella Dashboard, under activity search, you can see that web traffic going to office.com was never sent to Umbrella, while traffic going to espn.com was sent.

      Web Traffic in Umbrella Dashboard15671098042516
      Web Traffic in Umbrella Dashboard15671302832788

    Revision History

    Revision Publish Date Comments
    1.0
    29-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products