Cisco Umbrella Content Filtering

Cisco Umbrella content filtering is a service provided via a cloud-based DNS filter. The service derives its name from capabilities that control user access to the Internet and protect users from web-borne threats regardless of whether users are connected to a corporate network.

Cisco Umbrella content filtering has advantages over some “standard” web filtering solutions inasmuch as businesses can prevent employees accessing certain categories of web content during working hours (i.e., adult content, shopping channels, gambling services, etc.) and accessing unsafe or compromised websites that harbor malware – even from personal devices and even when not connected to the corporate network.

However, navigating the range of Cisco Umbrella content filtering packages and optional extras is not straightforward. Furthermore, failing to understand what capabilities are included in each package – and how they should be configured – can result in security vulnerabilities or in businesses paying more than necessary for an adequate Cisco Internet filter. This article aims to clarify some of the most common causes of confusion for Cisco Umbrella customers.

Cisco Umbrella Content Filtering Packages

Cisco Umbrella was originally developed by OpenDNS. Cisco Systems Inc. acquired OpenDNS in 2015 and although the personal DNS filtering solutions for individuals and families remained branded as OpenDNS solutions, the Umbrella DNS filtering service is now provided under the Cisco name. Since the acquisition, the Cisco Umbrella DNS filtering service has grown from one enterprise package into four enterprise packages – each with its own range of capabilities.

The table below represents a snapshot of capabilities by package. The full Cisco Umbrella package comparison is five pages in length, while the small print on page six lists some of necessary “optional extras” for tasks such as AD integration and controlling Internet access for off-network users. It is also important to note that Cisco charges extra for onboarding assistance and technical support even if onboarding assistance and technical support is not required.

Cisco Umbrella Content Filtering

DNS Essentials

DNS Essentials – formerly Cisco Umbrella Professional – is the entry level cloud-based web filtering solution from Cisco. The package offers a minimal set of features to block malware, phishing sites, and botnets, and limited web filtering capabilities via 80 pre-defined filtering categories.

The package also includes real-time organization-wide reporting and supports blacklists and whitelists. The Cisco DNS Essentials package can be integrated with existing tools and APIs, but businesses should be aware that many integrations attract additional costs.

DNS Advantage

DNS Advantage – formerly Cisco Umbrella Insights – provides more comprehensive protection from web-based threats than DNS Security Essentials. In addition, this package allows you to proxy risky domains for URL and file inspection using Cisco and AMP AV engines.

The second-tier package also includes SSL inspection to give you visibility into “risky” HTTPS sites, which are now commonly used by cybercriminals to host phishing kits and malware. You also get access to the Umbrella Investigate console to give you greater context during investigations and, via the enrichment API, you can send threat intelligence to other tools and systems.

Secure Internet Gateway (SIG) Essentials

Secure Internet Gateway Essentials – formerly Cisco Umbrella Platform – is the first of two secure access service edge (SASE) solutions. This Cisco Umbrella content filtering package has more granular filtering controls, and the ability to proxy all web traffic for URL and file inspection.

With the package, you also get access to the Cisco Threat Grid Cloud Sandbox to analyze suspicious files, a cloud-delivered firewall, access to the cloud access security broker to discover and block shadow IT based on URLs, and much greater control over users’ online activities, such as allowing policies to block uploads, downloads, attachments, and posts on selected apps.

Secure Internet Gateway (SIG) Advantage

The most recent addition to the Cisco Umbrella web filtering portfolio is its most advanced SASE solution yet. It includes most of the capabilities that are “optional extras” for other Umbrella packages and has been referred to as the crème de la crème of SASE solutions.

However, although the crème de la crème of SASE solutions, the package may include capabilities some businesses will be unable to take advantage of due to a lack of internal skills or because some of the package´s capabilities already exist in other security solutions used by the business.

Price of Cisco Umbrella

The Cisco Umbrella content filtering packages are priced according to

  • The number of licenses required
  • The length of the subscription
  • Whether the subscription is paid all upfront
  • If not, whether it is paid monthly, quarterly, or annually
  • The region in which a business is located
  • Discounts negotiated with Cisco, a reseller, or MSP

Most of the optional extras are also subject to variable costs, and it can be the case that a business wants to take advantage of an optional extra for some, but not all, of its workforce – making any calculation of a final price of Cisco Umbrella more complicated than it needs to be.

Based on a quick Internet search, it would appear that the price of Cisco Umbrella DNS Advantage ranges from $2.50 per user per month to $5.56 per user per month before any discounts are taken into account for long term subscriptions, upfront payments, and vendor negotiations. However, these prices do not account for any “optional extras” or non-optional technical support.

So how does the Cisco Umbrella price compare to other DNS filtering solutions? The starting point for an easy to use DNS filter that offers powerful anti-malware and anti-phishing protection – and content control capabilities with SSL decryption and inspection – is around $1.20 per user per month depending on the number of users, length of subscription, etc.

Alternatives to the Cisco Umbrella Content Filtering Solution

Competitor solutions may not be like for like, but you will find that they usually include the capabilities of the DNS Advantage package with many of the optional extras included in the price as standard. Most Cisco Umbrella alternatives also include technical support in the subscription price.

As with all potential implementations, it is important to conduct a comparison of at least two or three solutions. You should assess the features of each, its ease of integration, the level of protection provided, usability, and the cost. Be sure to check user reviews to gauge how easy the solution is to use, the management overhead, and how it performs before making a decision.

Many DNS filtering solution providers also offer product demonstrations and free trials so you can evaluate each before committing to a subscription. These will help you make an informed decision about the best product, at the best price, that will best meet your requirements.


How might implementing a Cisco web filtering service result in security vulnerabilities?

The implementation of a Cisco web filtering service won´t result in security vulnerabilities by itself. How the service is configured might do if administrators do not understand how to configure advanced features such as tenancy controls or remote browser isolation. In scenarios in which any lack of understanding exists, it may be necessary to pay extra for premium technical support.

Why do Cisco Umbrella packages have so many add-ons?

As with most security software, there is no one-size-fits-all solution that can meet every business´s requirements. Cisco tries to overcome this by offering packages businesses can add to by subscribing to “optional extras”. Unfortunately, due to a lack of price transparency, businesses cannot calculate in advance how much the final cost of Cisco Umbrella package will be.

Why are the security features of the DNS Essentials package described as “minimal”?

The DNS Essentials package lacks SSL decryption and inspection – which prevents it identifying threats in encrypted traffic. Encrypted traffic accounts for more than 80% of all Internet traffic, so it could be said the DNS Essentials package can only identify 20% of threats. Previously, it was possible to purchase SSL decryption and inspection as an add-on, but it appears this is no longer the case.

What is the difference between blocking access by domain and by URL?

Being able to block access by URL gives businesses more granularity over filtering policies. For example, if you were to block by domain, you would block access to every page on However, if you block access by URL, only access to this page would be blocked.

Is it possible to negotiate discounts on the price of Cisco Umbrella SIG Advantage?

Most software vendors have a “flexible” pricing model inasmuch as if they think they may lose a customer, they are willing to negotiate on price. While this is no guarantee you will be successful if you try to negotiate a discount on the price of Cisco Umbrella SIG Advantage, there is no harm in trying. However, it is important to be wary of introductory discounts that may not be an option when your subscription is due for renewal.