
Blocking URLs Containing Specific Keywords with Cisco Umbrella


SPOTO Cisco Expert


Answered:

1. Problem Summary

An administrator is attempting to block all web access to URLs that contain the keywords “game” or “games” for users protected by the Cisco Umbrella Roaming Client. The initial approach involved creating a custom Destination List within a DNS Policy and adding wildcard entries such as *game* and *games*. This method proved ineffective, as users were still able to access websites like www.crazygames.com and other game-related URLs. The core issue stems from a misunderstanding of the capabilities and limitations of Cisco Umbrella’s DNS-layer security versus its Secure Web Gateway (SWG) functionality.

2. Root Cause Analysis: DNS Policy vs. Web Policy

The fundamental reason the initial attempt failed is that DNS-layer security operates exclusively on fully qualified domain names (FQDNs). When a user’s device makes a DNS query for www.crazygames.com, the Umbrella DNS resolvers only see that specific domain. They do not have visibility into the full URL path, such as https://www.example.com/path/to/a/page.html?query=string.

Limitations of DNS-Layer Security for Keyword Blocking:

  • No URL Path Visibility: The DNS policy cannot inspect anything beyond the domain name. It cannot block www.example.com/games/new-game based on the /games/ path.
  • Limited Wildcard Support: In Umbrella’s DNS Destination Lists, wildcards (*) are only supported at the beginning of a domain to block subdomains (e.g., *.example.com). They are not supported for matching substrings in the middle or at the end of a domain (e.g., *game*.com is an invalid entry and will not function as intended).

To achieve granular control based on keywords or patterns within the full URL, it is necessary to use a full web proxy that can perform deep packet inspection of HTTP/S traffic. In Cisco Umbrella, this functionality is provided by the Secure Web Gateway (SWG), which is configured via Web Policies.

Capabilities of the Secure Web Gateway (SWG):

  • Full URL Inspection: The SWG intercepts web traffic and can inspect the entire URL string, including the protocol, domain, path, and query parameters.
  • Advanced Matching: It supports powerful matching criteria, including regular expressions (regex), allowing for the creation of highly specific rules to identify and block content based on patterns within the URL.

Therefore, the correct solution is to leverage the SWG and a Web Policy to implement the desired keyword-based blocking.

3. Prerequisites

Before implementing the solution, ensure the following prerequisites are met:

  1. Correct Umbrella Subscription: Your organization must be subscribed to a package that includes the Secure Web Gateway feature. This typically includes Cisco Umbrella SIG Essentials or SIG Advantage licenses. The DNS Security Essentials and Advantage packages do not include SWG functionality.
  2. Traffic Steering to SWG: You must have a method in place to forward web traffic from your endpoints or networks to the Umbrella SWG. Common methods include:
    • Cisco Umbrella Roaming Client: The client must be configured with the “Web Policy” enabled in its policy.
    • Cisco Secure Client (with Umbrella Module): Similar to the Roaming Client, it must be configured to forward web traffic.
    • Network Tunnel: A configured IPsec IKEv2 or AnyConnect SWG tunnel from your network edge device (router/firewall) to the Umbrella cloud.
    • PAC File Deployment: Using a Proxy Auto-Config file to direct browser traffic.

The user in the source post was using the Roaming Client, which is a valid method for steering traffic to the SWG.

4. Step-by-Step Implementation Guide

Follow these steps to create and apply a Web Policy rule that blocks URLs containing “game” or “games”.

Step 1: Create a URL Destination List with Regular Expressions

  1. Log in to your Cisco Umbrella dashboard.

  2. Navigate to Policies > Policy Components > URL Destination Lists.

  3. Click Add in the top right corner.

  4. Provide a descriptive List Name, for example, Block URLs - Game Keywords.

  5. Under “Add URLs,” select the Regular Expression option from the dropdown menu. This is critical for pattern matching.

  6. Enter the regular expression to match the desired keywords. Here are a few effective options:

    • Simple Match: .*games?.*
      • This expression matches any URL containing the substring “game” or “games” (the s? makes the trailing ‘s’ optional).
    • Word Boundary Match (Recommended): .*\b(game|games)\b.*
      • This is the more precise expression. \b marks a word boundary, so the rule matches only where “game” or “games” stands as a whole word in the URL rather than as part of a longer word. For example, www.videogamer.com is matched by the simple pattern but not by this one (although in this use case blocking it may be desirable); conversely, the boundary keeps words such as “ingame” from triggering a block when they appear in a URL path. The (game|games) alternation matches either “game” or “games”.
  7. Click the plus (+) icon to add the expression to the list.

  8. Click Save.
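Before committing a pattern to the list, it is worth checking how the two expressions above behave on the URLs you intend to test with. The following is an added example, not part of the original post or of Cisco Umbrella; it assumes that Umbrella evaluates a URL Destination List regex against the whole URL string (which is why both patterns are wrapped in .*) and mirrors that locally with Python's re.fullmatch. The sample URLs are constructed from the ones mentioned in this write-up plus a few edge cases.

```python
import re

# The two patterns from Step 1 (the word-boundary version is the recommended one).
SIMPLE = r".*games?.*"
BOUNDARY = r".*\b(game|games)\b.*"

# Constructed sample URLs: the verification targets from this write-up plus edge cases.
SAMPLE_URLS = [
    "https://www.crazygames.com",
    "https://www.puzzles-games.net",
    "https://www.example.com/games/new-game",
    "https://www.videogamer.com",
    "https://www.example.com/ingame/stats",
]


def url_blocked(pattern: str, url: str) -> bool:
    """Return True if the URL would be matched (and therefore blocked) by the pattern.

    Assumption: the list entry is matched against the full URL, so fullmatch is used;
    if Umbrella's engine searches for a substring instead, the leading/trailing .* make
    the result identical.
    """
    return re.fullmatch(pattern, url) is not None


def compare_patterns(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (blocked_by_simple, blocked_by_boundary) so the rules can be diffed."""
    return {u: (url_blocked(SIMPLE, u), url_blocked(BOUNDARY, u)) for u in urls}


if __name__ == "__main__":
    for url, (simple, boundary) in compare_patterns().items():
        print(f"{url:45} simple={simple!s:5} boundary={boundary}")
```

Note that with the word-boundary pattern, www.crazygames.com (one of the URLs used in the verification step below) is not matched, because "crazygames" has no boundary before "games"; only the simple pattern blocks it. Test with whichever entry you actually deploy, and add both forms to the list if you want both behaviours.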

Step 2: Apply the URL Destination List to a Web Policy Rule

  1. Navigate to Policies > Management > Web Policy.
  2. Identify the policy you wish to modify. This should be the policy that applies to the users or devices for whom you want to block this content. Click on the policy name to edit it.
  3. In the policy editor, find the Ruleset section and click Add Rule (or edit an existing one if appropriate). Rules are processed in order from top to bottom.
  4. In the rule configuration screen:
    • Rule Action: Select Block.
    • Rule Identity: Define which identities (Users, Groups, Roaming Computers, etc.) this rule will apply to. Select “All Roaming Computers” or a more specific group as needed.
    • Destinations:
      • Click the URL Destination Lists tab.
      • Begin typing the name of the list you created in Step 1 (Block URLs - Game Keywords).
      • Select it from the search results.
    • Logging Settings: Ensure logging is enabled so you can verify the rule’s activity in reports.
  5. Click Save to add the rule to your ruleset.
  6. Review the order of your rules. Ensure this new block rule is positioned correctly (e.g., above any less restrictive “Allow” rules that might otherwise apply).
  7. Click Save on the main policy page to commit your changes.

5. Verification and Testing

  1. Policy Propagation: Allow a few minutes for the policy changes to propagate across the Umbrella global network.
  2. Test Endpoint: On a device that is subject to this policy (e.g., a laptop running the Umbrella Roaming Client), clear the browser cache or use an incognito/private browsing window.
  3. Attempt Access: Try to navigate to a URL that should be blocked, such as https://www.crazygames.com or https://www.puzzles-games.net.
  4. Confirm Block: You should be presented with an Umbrella block page indicating that the site is blocked by your organization’s policy.
  5. Check Reports: In the Umbrella dashboard, navigate to Reporting > Core Reports > Activity Search. Filter by the identity of your test machine. You should see “Blocked” events corresponding to your attempts, with the policy listed as the “Web Policy” and your new rule as the reason for the block.

By following this solution, you will effectively use the full capabilities of the Cisco Umbrella Secure Web Gateway to enforce content policies based on specific keywords within URLs, providing more granular and powerful control than DNS-layer filtering alone can offer.
