Getting Started with Internet Access Rules
When upgrading from Umbrella to Secure Access, you will see a change in how policies are structured. Unlike Umbrella, where a policy may include multiple block and allow components, Secure Access employs a unified policy model. Each rule within this model can be configured to either block or allow traffic. During the transition, an Umbrella policy is transformed into a maximum of three distinct rules in Secure Access, following this specific order:
- Allow Rule (Primary): The first rule is an allow rule that permits traffic as specified in the original Umbrella policy.
- Block Rule (Secondary): The second rule is a block rule that enforces restrictions on traffic as defined in the original Umbrella policy.
- Allow Rule (Default): A third rule may be introduced as an implicit allow rule to ensure policy evaluation is consistent with Umbrella's unified model. This rule accounts for scenarios where no explicit match is found for a destination and prevents unintended traffic disruptions.
- Non-terminal Allow: To support the implicit allow rule, Secure Access introduced the Non-terminal Allow feature. This feature ensures that the default rule:
  - Does not terminate rule evaluation on the enforcement side, enabling further analysis of traffic.
  - Allows general access to safe and non-malicious websites by default. Websites are permitted unless explicitly flagged as malicious by Cisco's threat intelligence.
  - Applies to all sources from the original Umbrella policy until custom rules are configured.
  - Has Destinations set to Any.
How the Default Rule Operates:
- If the Non-terminal Allow rule is matched, no rules beyond it will be evaluated during the same query cycle.
- However, the rule allows subsequent evaluations for the same query under specific circumstances, such as when analyzing CNAME records and after retrieving resolved IP addresses from DNS resolution.
The sources remain the same in these newly separated rules.
Example: An Umbrella policy named New Policy has AD Groups, AD Users, AD Computers as identities, a Content Category setting that blocks all adult related websites and illegal activity, and an Application Setting that allows Box Cloud Storage.
The Umbrella policy appears in Secure Access' Access Policy as three rules:
- 1st rule, named 3/3 New Policy (Umbrella). Sources: AD Groups, AD Users, AD Computers. Allow Application List: Box Cloud Storage.
- 2nd rule, named 2/3 New Policy (Umbrella). Sources: AD Groups, AD Users, AD Computers. Block Content Category List: all adult related websites and illegal activity.
- 3rd rule, named 1/3 New Policy Default (Umbrella). Sources: AD Groups, AD Users, AD Computers. Allow Any. To see Non-terminal Allow, navigate to Secure > Access Policy > Click Edit next to the Default (Umbrella) rule > Configure Security > Next > Advanced > Non-terminal Allow.
For more information, see Get Started With Internet Access Rules and Manage the Access Policy.
| Umbrella Policy Components | Secure Access Internet Access Rules |
|---|---|
| Policies | Internet Access Policy |
| Application Settings | Application List |
| Block Page Appearance | Notification Page |
| Content Categories | Content Categories |
| Destination Lists | Destination Lists |
| Identities | Sources |
| Mobile Device and Roaming Computer | Roaming Device |
| Security Settings | Threat Categories |
| Selective Decryption | Do Not Decrypt List |