Guidelines for configuring SASE tunnels on Umbrella

SASE topology supports:

  • Only PSK-based authentication

  • IKEv2

  • High availability

General configuration guidelines

  • Cloud-Delivered Firewall Management Center does not discover tunnels created directly on Umbrella or by other applications.

  • You can add only devices managed by the Cloud-Delivered Firewall Management Center as endpoints for the SASE topology. You cannot add extranet devices.

    For high availability pairs, the HA pair names appear in the endpoint list.

  • If you check the Deploy configuration on threat defense nodes check box in the wizard, the Umbrella SASE topology configuration is deployed on the Firewall Threat Defense only after the tunnels are deployed on Umbrella.

    The Cloud-Delivered Firewall Management Center requires the local tunnel ID to deploy the Umbrella configuration in Firewall Threat Defense. Umbrella generates the complete tunnel ID (<prefix>@<umbrella generated ID>-umbrella.com) only after the Cloud-Delivered Firewall Management Center deploys the tunnel on Umbrella.

Version migration guideline (Pre-version 7.3)

Cloud-Delivered Firewall Management Center does not recognize topologies created before version 7.3 that use the Umbrella data center as an extranet hub as SASE topologies. In version 7.3, you must therefore delete those existing SASE topologies and create new SASE topologies.

Deployment status and monitoring guideline

You can track the tunnel deployment status in three places:

  • Cisco Umbrella Configuration dialog box of the wizard

  • Notifications page under the Deployments and Tasks tabs

  • Site to Site VPN Monitoring dashboard

Tunnel deletion guidelines

  • You cannot edit or delete a SASE topology while deployment to Umbrella is in progress.

  • When you delete a tunnel from Cloud-Delivered Firewall Management Center and it is unable to delete the tunnel from Umbrella, you must log in to Umbrella and delete the tunnel manually.
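As an added example (not Cisco's code and not from this page) covering the tunnel ID format described under the general guidelines and the deletion guideline above: a Python reconciliation check that compares the tunnel IDs recorded in the management center with those present on Umbrella, so that tunnels the management center never discovered, tunnels left behind after a failed delete, and topology entries still waiting for an Umbrella-generated ID are each reported separately. The sample inventories, the character classes allowed in the prefix and generated ID, and the assumption that a topology entry holds only the prefix before deployment are constructed here.

```python
import re

# Complete tunnel ID format stated in the guideline:
#   <prefix>@<umbrella generated ID>-umbrella.com
# The character classes allowed in each part are assumptions.
TUNNEL_ID_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9_.-]+)@(?P<umbrella_id>[A-Za-z0-9-]+)-umbrella\.com$"
)

def parse_tunnel_id(tunnel_id: str):
    """Return (prefix, umbrella_id) for a complete tunnel ID, else None."""
    m = TUNNEL_ID_RE.match(tunnel_id)
    return (m.group("prefix"), m.group("umbrella_id")) if m else None

def reconcile(fmc_ids, umbrella_ids, deleted_from_fmc=()):
    """Bucket every discrepancy between the tunnel IDs recorded in the
    management center's SASE topologies (assumed to hold only the prefix
    until Umbrella generates the rest), the tunnels present on Umbrella,
    and the IDs the management center has already deleted."""
    fmc_complete = {t for t in fmc_ids if parse_tunnel_id(t)}
    umbrella_set = set(umbrella_ids)
    deleted = set(deleted_from_fmc)
    on_umbrella_only = umbrella_set - fmc_complete
    return {
        # Topology entries still waiting for Umbrella to generate the full ID
        "awaiting_umbrella_deploy": sorted(set(fmc_ids) - fmc_complete),
        # Deleted in the management center, but the delete on Umbrella failed
        "stale_after_failed_delete": sorted(on_umbrella_only & deleted),
        # Created directly on Umbrella or by another application: never discovered
        "unmanaged_on_umbrella": sorted(on_umbrella_only - deleted),
        # Complete IDs the management center knows but Umbrella no longer has
        "missing_on_umbrella": sorted(fmc_complete - umbrella_set),
    }

# Constructed sample inventories (not real tunnel IDs)
SAMPLE_FMC = ["site-a@abc123-umbrella.com", "site-b@def456-umbrella.com", "site-c"]
SAMPLE_UMBRELLA = [
    "site-a@abc123-umbrella.com",
    "site-b@def456-umbrella.com",
    "site-old@zzz999-umbrella.com",  # delete from the management center failed
    "lab@manual1-umbrella.com",      # created by hand in the Umbrella dashboard
]
SAMPLE_DELETED = ["site-old@zzz999-umbrella.com"]

if __name__ == "__main__":
    for bucket, ids in reconcile(SAMPLE_FMC, SAMPLE_UMBRELLA, SAMPLE_DELETED).items():
        print(f"{bucket}: {ids}")
```

Entries reported under stale_after_failed_delete are the ones the deletion guideline says you must remove by hand in Umbrella.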