Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

What's New for Cisco Defense Orchestrator (CDO)

1348
Views
25
Helpful
1
Comments
Andrew Mallio
Cisco Employee
‎04-20-2020 08:32 AM
edited on: ‎05-21-2020 ‎07:13 AM

cdo-is-awesome.jpg

Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few. 

We make improvements to CDO every week and when we have some big news to share, we're going to tell you about it here. Here are the latest features that we have deployed on CDO.

If you're not already a CDO customer, you can get a demo account by contacting cdosales@cisco.com.

May 20, 2020 - New API Only User

CDO now allows a Super Admin to create an “API Only User” that can be used to generate an API token for authenticating to CDO when making CDO REST API calls. This user account and the corresponding API token continues to function even after the original Super Admin departs your organization.

See Create API Only Users for more information.

May 7, 2020

These are the features that we released and improved this week:

Backup Firepower Threat Defense Devices Using CDO

manage_backups.jpgYou can now use CDO to back up a Firepower Threat Defense's (FTD's) system configuration. With CDO you can:

  • Backup devices on demand.
  • Schedule recurring backups on a cadence from every day to every month, at the time you choose.
  • Download backups and use Firepower Device Manager (FDM) to restore them.

See Backing Up FTDs for more information.

Monitor and Terminate Remote Access VPN Sessions

You can now use CDO to monitor live AnyConnect Remote Access VPN sessions across all Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) VPN head-ends in your tenant. It gathers information on the total number of active VPN sessions, currently connected users and sessions, the volume of data received and transferred.

You can view the performance of each RA VPN head-end in your tenant, filter sessions by head-ends, and select the session properties that you want to view in the VPN monitoring table. Also, you can export the RA VPN sessions of one or more devices to a comma-separated value (.csv) file. See Export RA VPN Sessions to a CSV File for more information.

You can terminate all the active RA VPN sessions of a single user on an ASA, and terminate all active RA VPN sessions of all users on an ASA. See Disconnect Active RA VPN Sessions on ASA and Disconnect Active RA VPN Sessions on FTD for more information.

Open the Remote Access VPN Monitoring screen from the navigation bar by clicking VPN > Remote Access VPN Monitoring. See Monitoring Remote Access VPN Sessions for more information.

 

ravpn_menu.jpg

April 16, 2020

These are the features that we released this week:

CDO Support for Devices Running Firepower Threat Defense 6.6.0

CDO now manages FTD 6.6.0 devices. These are the new aspects of support CDO provides:

For more information about the FTD features CDO supports, review Managing Firepower Threat Defense with Cisco Defense Orchestrator. See Firepower Threat Defense Support Specifics for a complete list of supported device types. 

April 9, 2020 - Firepower Threat Defense Command Line Interface

You can now issue CLI requests to your FTD devices directly from CDO. See FTD Command Line Interface Documentation and Using the CDO Command Line Interface for more information.

April 2, 2020 - Improved License Management for Firepower Threat Defense Devices

Viewing FTD device license information, enabling and disabling licenses, and refreshing licenses is now all managed from a single button in the Device Actions pane on the Devices & Services page.

manage_licenses_button.jpg

 

 

 

 

 

 

March 2020

These are the highlights of the features that we deployed in March 2020.

FTD Security Database Updates 

CDO allows you to immediately update and, simultaneously, schedule future updates for security databases when you onboard you FTD device. This feature updates the SRU, security intelligence (SI), vulnerability (VDB), and geolocation databases. Note that you can only schedule future updates as part of the onboarding process. See Update FTD Security Databases for more information. 

Support for Port Ranges in FTD Service Objects

CDO now supports creating service objects (also referred to as port objects in FTD) that contain a range of port numbers. See Create a Firepower Service Object for more information.

Cisco Secure Sign-on Domain Migration

On Tuesday March 24, 2020, at 5pm Pacific Daylight Savings Time, the official domain for Cisco Security Single Sign-on solution was moved from https://security.cisco.com to https://sign-on.security.cisco.com.

We recommend that you update any saved links and update any password managers, so they are referencing the new URL.

If you experience any issues please contact Cisco TAC, who can provide you with technical support.

FTD Rulesets

CDO introduces Rulesets for Firepower Threat Defense devices. A ruleset is a collection of access control rules that can be shared by multiple FTD devices. Any change made to the rules of a ruleset affects the other FTD devices that use the ruleset. An FTD policy can have both device-specific (local) and shared (rulesets) rules. You can also create rulesets from existing rules in an FTD device. 

This feature is currently available for devices running Firepower Threat Defense 6.5 and later releases. 

See FTD Rulesets for more information. 

Copy or Move rules within an FTD Policy or to Another FTD Policy

It’s now possible to copy or move rules from the policy on one FTD to the policy on another FTD. We have also made it easier to move rules within an FTD policy so you can fine-tune the order in which rules evaluate network traffic.See Copy FTD Access Control Rules and Move FTD Access Control Rules for more information.

AnyConnect Software Package Upload to FTD Version 6.5+

You can now use CDO's Remote Access VPN wizard to upload AnyConnect packages from a remote server to a Firepower Threat Defense (FTD) device running FTD 6.5 or later. Ensure that the remote server supports HTTP or HTTPS protocol.See Upload AnyConnect Software Packages to an FTD Device Running FTD Version 6.5 or Later for more information.

Terminology Update in CDO's Interface

In order to manage a device, Cisco Defense Orchestrator (CDO) must have a copy of the device's configuration stored in its own database. When CDO "reads" a configuration, it makes a copy of the configuration stored on the device and saves it to CDO's database. We have renamed some interface options to better describe what you are doing when you perform a read action. This is the new terminology:

  • Check for Changes. If a device's configuration status is Synced, the Check for Changes link is available. Clicking Check for Changes directs CDO to compare its copy of the device's configuration with the device's copy of the device's configuration. If there is a difference CDO immediately overwrites its copy of the device's configuration with the copy stored on the device. 
  • Discard Changes. If a device's configuration is Not Synced, clicking Discard Changes deletes any changes CDO made to its copy of the device configuration and also overwrites it with a copy of the configuration found on the device. 
  • Accept Without Review. This action overwrites CDO's copy of a device's configuration with the copy of the configuration stored on the device. CDO does not prompt you to confirm the action. 

See Reading, Discarding, Checking for, and Deploying Configuration Changes for more information.

Comments
gilbert.aispuro1
Beginner
Beginner
‎04-25-2020 10:58 PM
‎04-25-2020 10:58 PM

Would be nice to have the following features implemented for FTD Devices:

- EVERYTHING that's available for the ASA devices. 

 

Definitely underwhelmed when I got this up for my firepower devices. 

 

Latest Contents
ISE hostname changed but not updated in Internal CA Certs
Created by pranav nandgaonkar on 05-25-2020 01:00 AM
3
5
3
5
Hello,Need help with CN name not updated in Internal CA Certs issue.I have freshly installed Cisco ISE on 3615 hardware.No configuration is present on the box and I changed serial number of ISE and restarted the services.Updated serial number is visible e... view more
ASA 5516 route traffic to outside3
Created by stc_Chuong on 05-24-2020 11:28 PM
1
0
1
0
Hi all, We have a server which requires to go out on a specific interface "outside3".  I tried to set it up so it will route to outside3 but somehome the traffic still go out at outside2.  This is what I configure for that change:acces... view more
We Cannot Access website With Public IP But Can With Private...
Created by yuttakarninsorn91289 on 05-24-2020 11:06 PM
1
0
1
0
We are hosting a web page and it can be viewed internally by it's private IP (192.168.42.4). It can be viewed externally when using our public IP address. However it cannot be loaded internally by using the external IP. It asks to log in (to the router) w... view more
Cisco ISE Device Admin Licensing
Created by Maurice Ball on 05-24-2020 12:15 PM
5
5
5
5
Do I need a Cisco ISE device admin license for every PSN I enable the service on? For example: If I enabled the device admin service on 5 of my policy nodes. Does this mean I would need 5 device admin licenses installed on the primary admin node?
Error 1714. The older version of Cisco AnyConnect Secure Mob...
Created by ArmandoManahan34195 on 05-24-2020 10:17 AM
1
0
1
0
Hi,I got this error when trying to install version 4.7.04056. The old version is 4.2....Error 1714. The older version of Cisco AnyConnect Secure Mobility Client cannot be removed.Thanks. 
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners

Follow our Social Media Channels