Showing results for 
Search instead for 
Did you mean: 

What's New for Cisco Defense Orchestrator (CDO)



Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few. 

We make improvements to CDO every week and when we have some big news to share, we're going to tell you about it here. Here are the latest features that we have deployed on CDO.

If you're not already a CDO customer, you can get a demo account by contacting

May 20, 2020 - New API Only User

CDO now allows a Super Admin to create an “API Only User” that can be used to generate an API token for authenticating to CDO when making CDO REST API calls. This user account and the corresponding API token continues to function even after the original Super Admin departs your organization.

See Create API Only Users for more information.

May 7, 2020

These are the features that we released and improved this week:

Backup Firepower Threat Defense Devices Using CDO

manage_backups.jpgYou can now use CDO to back up a Firepower Threat Defense's (FTD's) system configuration. With CDO you can:

  • Backup devices on demand.
  • Schedule recurring backups on a cadence from every day to every month, at the time you choose.
  • Download backups and use Firepower Device Manager (FDM) to restore them.

See Backing Up FTDs for more information.

Monitor and Terminate Remote Access VPN Sessions

You can now use CDO to monitor live AnyConnect Remote Access VPN sessions across all Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) VPN head-ends in your tenant. It gathers information on the total number of active VPN sessions, currently connected users and sessions, the volume of data received and transferred.

You can view the performance of each RA VPN head-end in your tenant, filter sessions by head-ends, and select the session properties that you want to view in the VPN monitoring table. Also, you can export the RA VPN sessions of one or more devices to a comma-separated value (.csv) file. See Export RA VPN Sessions to a CSV File for more information.

You can terminate all the active RA VPN sessions of a single user on an ASA, and terminate all active RA VPN sessions of all users on an ASA. See Disconnect Active RA VPN Sessions on ASA and Disconnect Active RA VPN Sessions on FTD for more information.

Open the Remote Access VPN Monitoring screen from the navigation bar by clicking VPN > Remote Access VPN Monitoring. See Monitoring Remote Access VPN Sessions for more information.



April 16, 2020

These are the features that we released this week:

CDO Support for Devices Running Firepower Threat Defense 6.6.0

CDO now manages FTD 6.6.0 devices. These are the new aspects of support CDO provides:

For more information about the FTD features CDO supports, review Managing Firepower Threat Defense with Cisco Defense Orchestrator. See Firepower Threat Defense Support Specifics for a complete list of supported device types. 

April 9, 2020 - Firepower Threat Defense Command Line Interface

You can now issue CLI requests to your FTD devices directly from CDO. See FTD Command Line Interface Documentation and Using the CDO Command Line Interface for more information.

April 2, 2020 - Improved License Management for Firepower Threat Defense Devices

Viewing FTD device license information, enabling and disabling licenses, and refreshing licenses is now all managed from a single button in the Device Actions pane on the Devices & Services page.








March 2020

These are the highlights of the features that we deployed in March 2020.

FTD Security Database Updates 

CDO allows you to immediately update and, simultaneously, schedule future updates for security databases when you onboard you FTD device. This feature updates the SRU, security intelligence (SI), vulnerability (VDB), and geolocation databases. Note that you can only schedule future updates as part of the onboarding process. See Update FTD Security Databases for more information. 

Support for Port Ranges in FTD Service Objects

CDO now supports creating service objects (also referred to as port objects in FTD) that contain a range of port numbers. See Create a Firepower Service Object for more information.

Cisco Secure Sign-on Domain Migration

On Tuesday March 24, 2020, at 5pm Pacific Daylight Savings Time, the official domain for Cisco Security Single Sign-on solution was moved from to

We recommend that you update any saved links and update any password managers, so they are referencing the new URL.

If you experience any issues please contact Cisco TAC, who can provide you with technical support.

FTD Rulesets

CDO introduces Rulesets for Firepower Threat Defense devices. A ruleset is a collection of access control rules that can be shared by multiple FTD devices. Any change made to the rules of a ruleset affects the other FTD devices that use the ruleset. An FTD policy can have both device-specific (local) and shared (rulesets) rules. You can also create rulesets from existing rules in an FTD device. 

This feature is currently available for devices running Firepower Threat Defense 6.5 and later releases. 

See FTD Rulesets for more information. 

Copy or Move rules within an FTD Policy or to Another FTD Policy

It’s now possible to copy or move rules from the policy on one FTD to the policy on another FTD. We have also made it easier to move rules within an FTD policy so you can fine-tune the order in which rules evaluate network traffic.See Copy FTD Access Control Rules and Move FTD Access Control Rules for more information.

AnyConnect Software Package Upload to FTD Version 6.5+

You can now use CDO's Remote Access VPN wizard to upload AnyConnect packages from a remote server to a Firepower Threat Defense (FTD) device running FTD 6.5 or later. Ensure that the remote server supports HTTP or HTTPS protocol.See Upload AnyConnect Software Packages to an FTD Device Running FTD Version 6.5 or Later for more information.

Terminology Update in CDO's Interface

In order to manage a device, Cisco Defense Orchestrator (CDO) must have a copy of the device's configuration stored in its own database. When CDO "reads" a configuration, it makes a copy of the configuration stored on the device and saves it to CDO's database. We have renamed some interface options to better describe what you are doing when you perform a read action. This is the new terminology:

  • Check for Changes. If a device's configuration status is Synced, the Check for Changes link is available. Clicking Check for Changes directs CDO to compare its copy of the device's configuration with the device's copy of the device's configuration. If there is a difference CDO immediately overwrites its copy of the device's configuration with the copy stored on the device. 
  • Discard Changes. If a device's configuration is Not Synced, clicking Discard Changes deletes any changes CDO made to its copy of the device configuration and also overwrites it with a copy of the configuration found on the device. 
  • Accept Without Review. This action overwrites CDO's copy of a device's configuration with the copy of the configuration stored on the device. CDO does not prompt you to confirm the action. 

See Reading, Discarding, Checking for, and Deploying Configuration Changes for more information.


Would be nice to have the following features implemented for FTD Devices:

- EVERYTHING that's available for the ASA devices. 


Definitely underwhelmed when I got this up for my firepower devices.