Exam 350-701 topic 1 question 397 discussion

For identities that are configured to use a DNS policy, this must be the Cisco Umbrella root certificate. For identities that are configured to use the Web policy, this can be either the Cisco Umbrella root certificate or your own CA signed root certificate.

Here is a discussion about SSL-decryption in Umbrella. Answer C, self-signed (generated with root CA of Cisco Umbrella). https://community.spiceworks.com/t/security-concern-of-installing-the-cisco-umbrella-root-certificate/807776/3

Answer b

For the Web policy, you can use either the Cisco Umbrella root certificate or your own CA-signed certificate. "B. organization owned root" is NOT equal to "Cisco Umbrella" root cert so you have to use in this context of the given answes "self-signed". that is an self-signed cert. https://docs.umbrella.com/umbrella-user-guide/docs/add-customer-ca-signed-root-certificate

Umbrella doesn't use self-signed or 3rd party certificates. The only two options are: 1) Distribute Cisco's Umbrella root CA on all your endpoints. 2) Customer CA Signed Root Certificate uploaded to Umbrella. So the certificate that will be presented is signed by the organization's root CA (answer B is the closest) https://docs.umbrella.com/umbrella-user-guide/docs/add-customer-ca-signed-root-certificate

https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-information#:~:text=The%20Cisco%20Umbrella%20root%20certificate%20is%20required%20in%20any%20circumstance,traffic%20intended%20for%20a%20website. The Cisco Umbrella root certificate is required in any circumstance where Umbrella must proxy and decrypt HTTPS traffic intended for a website. The Cisco Umbrella root certificate is required for these core features: Block Pages—If you visit a blocked domain through HTTPS, the Cisco Umbrella root certificate must be installed so that Umbrella can present a block page instead of the browser presenting an error page. Intelligent Proxy with SSL Decryption—If a domain is proxied, the Cisco Umbrella root certificate must be installed to decrypt HTTPS traffic instead of the browser presenting an error page.

When using SSL decryption in Cisco Umbrella Secure Internet Gateway to filter all traffic, a self-signed certificate should be presented to the end-user. SSL decryption is a feature that allows the firewall to inspect encrypted traffic by decrypting it and then re-encrypting it with a new certificate. To avoid generating trust errors in the end-user's web browser, a new certificate must be presented to the user that matches the hostname of the website being accessed. A self-signed certificate is a digital certificate that is not signed by a trusted third-party certificate authority (CA). Instead, it is generated and signed by the organization itself. While not as trusted as a certificate signed by a third-party CA, a self-signed certificate can be used for SSL decryption as long as it is installed on all client devices that will be accessing the network.

https://docs.umbrella.com/umbrella-user-guide/docs/add-customer-ca-signed-root-certificate You must install a trusted root certificate in all browsers that an identity uses.

SSL Inspection/Decryption In order for SSL inspection appliances to decrypt and re-encrypt content, it must be able to issue certificates as needed. This means it needs its own subordinate CA and these cannot be publicly trusted. https://www.globalsign.com/en/blog/what-is-an-intermediate-or-subordinate-certificate-authority#:~:text=SSL%20Inspection%2FDecryption,these%20cannot%20be%20publicly%20trusted.