Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that provides a simple, consistent, and highly secure way of managing security policies on all your ASA devices. CDO helps you optimize your ASA environment by identifying problems with objects and policies and gives you ways to fix them. Use CDO to:
Upgrade your ASA and ASDM images on multiple devices.
Optimize ASA security policies.
Monitor all your ASAs.
Monitor VPN connections.
How Do I Initialize My Account?
The CDO team creates a tenant in our cloud infrastructure for you and helps you create an SDC, which enables your ASAs to communicate with CDO. All you need to do is complete a simple questionnaire by providing information about your network environment, primary ASA use cases, and model of ASA device and quantity required.
CDO is a web-based management product that provides you with both a GUI and CLI to manage your devices one at a time or many at once.
Upgrade ASA and ASDM
CDO provides an intuitive wizard for upgrading ASA and ASDM to the newest available version. Customers have reported time savings of 75%-90% when upgrading their ASAs using CDO. It's awesome! Ain't it cool? For more information, see ASA and ASDM Upgrade Prerequisites and Bulk ASA and ASDM Upgrade.
Optimize Your ASA Policies
Now that you have all your ASAs onboarded, start using CDO to identify and correct problems with network objects, optimize your existing policies, review your VPN connections, and upgrade your ASAs to the newest releases.
CDO allows you to perform all day-to-day activities such as monitoring, troubleshooting and responding to user requests.
The CDO change log continuously captures network policy change events as they are performed in CDO. The change log displays information such as changes deployed from CDO to your device, changes imported from your device to CDO, and changes added to and deleted from the device configuration, along with when each change happened and who made it.
Use the ASA Packet Tracer to test the path of a synthetic packet through policy and determine if a rule is inadvertently blocking or allowing access.
Do your ASAs have issues? Maybe they're just a little out of sync, or they need some conflict resolution. Sometimes, your ASAs are unreachable, and all you need to do is reconnect. CDO identifies all kinds of problems your ASAs are having. If a change was made to an ASA directly and that change is not reflected in CDO's configuration, CDO shows that there was a conflict detected with that device. For more information, see resolve the configuration conflicts.
CDO reports VPN issues that you have on the ASA and ASAv devices in your network. For more information, see Identify VPN Issues.
Are your policies evaluating network traffic? CDO gathers hit rate data on your policies every hour. The longer your devices are managed by CDO, the more meaningful the hit rate data on a particular policy will be. Filter network policies by device and hit count to learn if a policy is effective. If it is not, consider rewriting it or deleting it.