Re: FTD Management - FMC vs FDM vs Cisco Defence Orchestrator

TONY SMITH · ‎02-24-2021

Hi,

We've been looking at the Firepower and FTD and the various management options. At a quick glance it seems like registering the FTD with CDO gives only a very limited configuration capability, compared to FMC. To take just one example it doesn't appear possible to create and attach Prefilter Policy via CDO.

Is this the case, that CDO doesn't support the full capabilities? Or is there some documentation somewhere covering non-trivial configuration via CDO?

Thanks, Tony S

Rob Ingram · ‎02-24-2021

Hi @TONY SMITH

Correct, CDO does not currently support all the features the FMC does and FDM doesn't support all the features FMC does either.

CDO relies on the FTD being configured for local management using FDM and therefore can only configure the features (or most of them) that are available in FDM.

CDO is updated regularly, updates posted here:-

https://community.cisco.com/t5/security-documents/what-s-new-for-cisco-defense-orchestrator-cdo/ta-p/4066742

TONY SMITH · ‎02-25-2021

Thanks. Rummaging around it seems like you can also "onboard" an FMC to CDO. By doing that do you get the best of both worlds, access to full configuration via FMC as well as bringing it into the SecureX/CDO dashboard?

Rob Ingram · ‎02-25-2021

FMC support is limited to onboarding an FMC, viewing the devices it manages, and cross-launching to the FMC UI.

CDO imports the objects from the FMC-managed FTD devices. Once imported to CDO, the objects are read-only. Though the FMC objects are read-only, CDO allows you to apply a copy of the objects to other devices on your tenant that are not managed by the FMC. The copy is disassociated from the original object so you can edit the copy without changing the value of the object that was imported from the FMC.

Yes you can launch to SecureX

Andrew Mallio · ‎03-10-2021

The complete CDO documentation is here - https://docs.defenseorchestrator.com/

if anyone is looking for more detail.