How Does Cisco Defense Orchestrator Manage Adaptive Security Appliance?

Cisco Employee

Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that provides a simple, consistent, and highly secure way of managing security policies on all your ASA devices. CDO helps you optimize your ASA environment by identifying problems with objects and policies and gives you ways to fix them. Use CDO to:

  • Upgrade your ASA and ASDM images on multiple devices.
  • Optimize ASA security policies.
  • Monitor all your ASAs.
  • Troubleshoot policies.
  • Monitor VPN connections.

How Do I Initialize My Account?

The CDO team creates a tenant in our cloud infrastructure for you and helps you create a Secure Device Connector (SDC), which enables your ASAs to communicate with CDO. All you need to do is complete a simple questionnaire that asks about your network environment, your primary ASA use cases, and the model and quantity of ASA devices required.

Onboard Multiple ASAs 

Onboard one ASA or hundreds at once using the bulk onboarding option in CDO. For more information, see Onboard ASAs in Bulk and Onboard an ASA.

Manage ASAs using GUI and CLI

CDO is a web-based management product that provides you with both a GUI and CLI to manage your devices one at a time or many at once.

Upgrade ASA and ASDM 

CDO provides an intuitive wizard for upgrading ASA and ASDM to the newest available version. Customers have reported time savings of 75%-90% when upgrading their ASAs using CDO. It's awesome! Ain't it cool? For more information, see ASA and ASDM Upgrade Prerequisites and Bulk ASA and ASDM Upgrade.

Optimize Your ASA Policies

Now that you have all your ASAs onboarded, start using CDO to identify and correct problems with network objects, optimize your existing policies, review your VPN connections, and upgrade your ASAs to the newest releases.

CDO helps you perform the following tasks:

Manage Your Daily Activities

CDO allows you to perform all day-to-day activities such as monitoring, troubleshooting and responding to user requests.

  • The CDO change log continuously captures network policy change events as they are performed in CDO. The change log displays information such as changes deployed from CDO to your device, changes imported from your device to CDO, and changes added to or deleted from the device configuration, along with when each change happened and who made it.
  • Use the ASA Packet Tracer to test the path of a synthetic packet through policy and determine if a rule is inadvertently blocking or allowing access.
  • Do your ASAs have issues? Maybe they're just a little out of sync, or they need some conflict resolution. Sometimes your ASAs are unreachable, and all you need to do is reconnect. CDO identifies all kinds of problems your ASAs are having. If a change was made to an ASA directly and that change is not reflected in CDO's configuration, CDO shows that a conflict was detected with that device. For more information, see Resolve the Configuration Conflicts.
  • CDO reports VPN issues that you have on the ASA and ASAv devices in your network. For more information, see Identify VPN Issues.
  • Are your policies evaluating network traffic? CDO gathers hit rate data on your policies every hour. The longer your devices are managed by CDO, the more meaningful the hit rate data on a particular policy will be. Filter network policies by device and hit count to learn if a policy is effective. If it is not, consider rewriting it or deleting it.