Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few. 

We make improvements to CDO every week and when we have some big news to share, we're going to tell you about it here. Here are the latest features that we have deployed on CDO.

If you're not already a CDO customer, you can get a demo account by contacting cdosales@cisco.com.

May 12, 2022

ASA Policy Support for IPv6

ASA access policies and NAT configurations now support rules that use network objects and network groups containing IPv6 addresses. In addition, these rules can also specify ICMP and ICMPv6 protocols. Finally, ASAs now support AnyConnect Connection Profiles containing IPv6 addresses. See ASA Network Policies for more information.

Navigation to the Secure Connectors Page

The Secure Connectors page is accessible from the CDO menu bar. To view the Secure Connectors page, choose Admin > Secure Connectors. 

April 14, 2022

This is the new feature we released this week.

Monitor AWS VPC tunnels using AWS Transit Gateway

CDO can now monitor AWS VPC tunnels using AWS Transit Gateway. For more information, see Monitor AWS VPC tunnels using AWS Transit Gateway.

April 6, 2022

Global Search

Global search provides an option to search for all onboarded devices and associated objects available within CDO. The search results allow you to navigate to the corresponding device and object pages. Currently, CDO supports global search for ASA, Firepower Management Center, Firepower Threat Defense, Meraki, and Secure Firewall Cloud Native devices. 

For more information, see "Global Search" in the following documents:

• Managing ASA with Cisco Defense Orchestrator

• Managing FMC with Cisco Defense Orchestrator

• Managing FTD with Cisco Defense Orchestrator

• Managing Meraki with Cisco Defense Orchestrator

• Managing Cisco Secure Firewall Cloud Native with Cisco Defense Orchestrator

Support for Cisco Secure Firewall 3100

Cisco Defense Orchestrator supports onboarding ASA and Firepower Threat Defense devices running on new Cisco Secure Firewall 3100 Series devices. Firepower Threat Defense devices can be onboarded using Low Touch Provisioning or by using a registration key or serial number.

February 3, 2022

Active Directory (AD) Groups in User Management

For an easier way to manage users in CDO, you can now map your Active Directory (AD) groups in CDO instead of managing individual users. Any user changes, such as a new user(s) addition, removing existing user(s), or changing roles can now be done in Active Directory without changing anything within CDO. CDO now also supports multiple-roles per user with AD. For more information, see the "Active Directory Groups in User Management" section of the User Management chapter of you're device's configuration guide.

Improved Charts View for Active Remote Access VPN Sessions

CDO now provides a new and improved charts view for your active RA VPN sessions. In addition to the charts you are already familiar with, CDO now displays a heat map of the location of users connected to your RA VPN headends. This map is available only in the live view.To view the new charts view, on the RA VPN Monitoring page, click the Show Charts View icon appearing at the top-right corner of the screen. For more information, see "Monitoring Remote Access Virtual Private Network Sessions" in Managing FTD with Cisco Defense Orchestrator, Managing ASA with Cisco Defense Orchestrator, or Managing Cisco Secure Firewall Cloud Native with Cisco Defense Orchestrator depending on your firewall.

January 20, 2022

Geolocation Information of Remote Access VPN Users

The remote access VPN monitoring page now shows the location of all users who are connected to the VPN headend. CDO obtains this information by geolocating the public IP addresses of the users. This information is available on live and historical views. On clicking the location in the User Details area in the left pane, the precise location of the user is shown on a map.

Devices & Services Page Renamed to Inventory

The Devices & Services page has been renamed, "Inventory." The Inventory table lists all the devices and services you manage with CDO. No features were added or removed as a result of the name change.

January 13, 2022

Enhanced Devices & Services Interface

The CDO Devices & Services interface now classifies devices and templates based on their type and displays them in the corresponding tabs dedicated to each device type.

 

 

December 9, 2021

CDO Support for Firepower Threat Defense, Version 7.1

CDO now supports Firepower Threat Defense (FTD), version 7.1 devices. These are the aspects of support CDO provides:

• Onboard a supported physical or virtual device running Firepower Threat Defense version 7.1.
• Upgrade from Firepower Threat Defense versions 6.4+ to version 7.1.
• Support for existing Firepower Threat Defense features.

These caveats apply to Firepower Threat Defense, version 7.1 support:

• CDO currently does not support backing up Firepower Threat Defense devices running version 7.1. Support for this functionality is planned for the first maintenance release of Firepower Threat Defense, version 7.1.
• CDO does not support features introduced in the Firepower Threat Defense, version 7.1 release.

For more information about the FTD features CDO currently supports, see Managing FTD with Cisco Defense Orchestrator.

New CDO Documentation Platform

Online Help

• Content describing all your devices in a single place.
• Context-sensitivity.
• Content matches found as you search.
• Search results highlighted in a table of contents puts information in a larger context.

Content Maintained on Cisco.com

• Availability on Cisco.com places all your Cisco documentation on one site.
• Device-specific configuration guides makes finding information easier.
• What's New for Cisco Defense Orchestrator continues to describe the latest features available in CDO.

November 11, 2021

This is the new feature we are releasing this week:

New SASE Tunnel Functionality in CDO

You can now edit SASE tunnels that have been read into or created through the CDO UI. Note that this function only supports tunnels between an Umbrella organization and an ASA peer device that is already onboarded to CDO. See Edit a SASE Tunnel for more information. 

October 21, 2021

Improved SecureX Integration

For users who have not already linked SecureX with their CDO tenant, CDO now offers a streamlined integration with SecureX. This process allows you to quickly and securely connect your CDO tenant to your SecureX Organization and add a CDO module to the SecureX dashboard with a single click. If you do not have a SecureX Organization, you can create one during this process. See SecureX and CDO Integration for more information.

Upload an AnyConnect Package from CDO Repository  

September 16, 2021

CDO Notifications with Service Integrations

CDO notifications now integrate with webhooks. The notifications selected in the Notification Settings page will be sent to the application or service integration of your choice. See Enable Service Integrations for CDO Notifications for more information.

Cisco Secure Firewall Cloud Native Support for Cisco Security Analytics and Logging

Cisco Security Analytics and Logging has been greatly expanded to support logging events from Secure Firewall Cloud Native!

Secure Firewall Cloud Native logging: Security Analytics and Logging (SAL SaaS) now supports logging from any Secure Firewall Cloud Native device. Users can choose to store Secure Firewall Cloud Native events in syslog format, NetFlow Security Event Logs (NSEL) format, or both in the Cisco Cloud and use Cisco Secure Cloud Analytics to analyze them. Customers that want to enable logging analytics will be required to enable NSEL logs to provide the necessary telemetry for the higher-tier SAL licenses.

• Traffic Analysis: Secure Firewall Cloud Native logs can be run through SAL’s traffic analysis and observations and alerts can be reviewed by cross-launching Cisco Secure Cloud Analytics from CDO. Cloud Native customers only logging syslog events must switch to NSEL logs to enable traffic analytics.
• Customers acquiring Logging Analytics and Detection and Total Network Analytics Detection licenses can provision and use a Secure Cloud Analytics portal for analysis. Secure Cloud Analytics detections include observations and alerts specifically enabled using firewall logging data, in addition to the other detections available to SAL users as part of Secure Cloud Analytics core capability. Existing Logging and Troubleshooting license holders can test the detection capabilities of higher licenses with no commitment for 30 days.
• Free Trials: You can start a no-commitment 30-day SAL trial for all licenses by filling out this form. This trial requires only a minimal set of on-premises connectors for exporting data to the cloud. You can use this trial to evaluate SAL capabilities, and estimate the data volume required to support production environments, as a precursor to purchasing the appropriate daily volume for SAL licenses. To this end, the SAL trial will not throttle data for most user volumes. In addition, an estimator tool helps you estimate SAL daily volume.

See Cisco Security Analytics and Logging for Secure Firewall Cloud Native and Implementing Cisco Security Analytics and Logging for Secure Firewall Cloud Native for more information.

August 26, 2021

CDO and Umbrella Integration

CDO now supports Umbrella integration. You can onboard Umbrella organizations and view, manage, and create SASE tunnels that exist between Umbrella and ASA devices. ASA devices utilize Umbrella's SIG tunnel and inspection which provides centralized management for easy-to-use security. For more information about what Umbrella is and how CDO communicates with it, see Managing Umbrella with Cisco Defense Orchestrator.

When you onboard an Umbrella organization, we recommend onboarding the ASA devices associated with that organization as well. See Onboard an Umbrella Organization for more information.

August 13, 2021

Duo Configuration Support using LDAP for FTD RA VPN

You can now configure Duo two-factor authentication using LDAP for an FTD Remote Access VPN connection.

Use the Duo LDAP server as the secondary authentication source along with a Microsoft Active Directory (AD) or RADIUS server as the primary authentication source. With Duo LDAP, the secondary authentication validates the primary authentication with a Duo passcode, push notification, phone call, or SMS.

See Duo Two-Factor Authentication using LDAP for more information.

July 8, 2021

Digital Certificate Management Support for ASA

CDO now manages digital certificates on ASA devices. You can add a digital certificate such as identity certificates and trusted CA certificates as trustpoint objects and install them on one or more managed ASA devices. You can also export an installed identity certificate to duplicate a trustpoint configuration on a different ASA manually.

You can upload or create an identity certificate  in the following formats:

• PKCS12 file with a passphrase
• Self-signed certificate
• Certificate Signing Request (CSR) signed by a certificate authority 

The Remote Access VPN uses digital certificates for authenticating ASA and AnyConnect clients to establish a secure VPN connection. 

See ASA Certificate Management for more information.

AnyConnect Module Support for RA VPN ASA and FTD

CDO now supports managing AnyConnect modules on ASA and FTD devices.
        Note: This feature is supported on FTD running software version 6.7 or later versions.

As part of your RA VPN group policy creation, you can now configure a variety of optional modules to be downloaded and installed when a user downloads the Cisco AnyConnect VPN client. These modules can provide services such as web security, malware protection, off-network roaming protection, and so on.

You can associate each module with a profile containing your custom configurations, created in the AnyConnect Profile Editor and uploaded to the CDO as an AnyConnect File object.

July 1, 2021

This is the new feature we are releasing this week:

Snort 3 Support

CDO now supports the Snort 3 processing engine for FTD devices running Version 6.7 and later. The Snort engine automatically updates new snort rules to keep your device compliant with the latest vulnerabilities. You can perform a standalone upgrade from Snort 2 to Snort 3 or upgrade the device system and the Snort engine simultaneously for an abridged upgrade experience.

See Upgrade Snort 3 for more information.

Custom Intrusion Prevention System Policy 

CDO now supports Snort 3 and customized Intrusion Prevention System (IPS) policies for FTD devices running Version 6.7 and later. The improved Snort 3 processing engine allows you to create and customize IPS policies using rules provided by the Cisco Talos Intelligence Group (Talos). The best practice is to create your own policy based on the provided Talos policy templates and change that if you need to adjust rule actions. See Custom Firepower Intrusion Prevention System Policy for more information. 

Note: Be aware of the differences and limitations when you upgrade to or from Snort 3, as the upgrade may change how your rules are configured. See About Snort 3 for more information. 

June 10, 2021

This is the new feature we are releasing this week:

Cisco Secure Firewall Cloud Native Support

The Cisco Secure Firewall Cloud Native seamlessly extends Cisco's industry-leading security to a cloud-native form factor (CNFW) using Kubernetes (K8s) orchestration to achieve scalability and manageability. Amazon Elastic Kubernetes Service (Amazon EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud. Amazon EKS helps you provide highly-available and secure clusters and automates key tasks such as patching, node provisioning, and updates.

CDO allows onboarding of this firewall and provides complete firewall management:

• View real-time and historical data from AnyConnect RA VPN sessions.
• Create and manage objects and use them in different policies that handle ingress and egress traffic in your network.
• Recognizes and reconciles changes made to the firewall outside of CDO, using the Kubernetes command-line tool.

See Managing Cisco Secure Firewall Cloud Native With CDO for more information. You can also read Cisco Secure Firewall Cloud Native At-a-Glance for additional information. 

Enhanced Remote Access VPN Monitoring

In addition to monitoring the live AnyConnect Remote Access VPN session, CDO now allows monitoring the historical data from AnyConnect Remote Access VPN sessions recorded over the last three months.

You can monitor VPN sessions across all Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Cisco Secure Firewall Cloud Native (SFCN) VPN head-ends in your tenant.

These are some of the salient enhancements made to the current release:

• Displays intuitive graphical visuals to provide at-a-glance views from all active VPN head-ends managed by CDO.
• The live session screen shows the most used operating system and VPN connection profile in the CDO tenant. It also shows the average session duration and data uploaded and downloaded.
• The historical session screen plots a bar graph to show data recorded for all devices in the last 24 hours, 7 days, and 30 days.
• Provides new filtering capabilities to narrow down your search based on criteria such as device type, session length, and upload and download data range.
  Open the Remote Access VPN Monitoring screen from the navigation bar by clicking VPN > Remote Access VPN Monitoring.

Open the Remote Access VPN Monitoring screen from the navigation bar by clicking VPN > Remote Access VPN Monitoring.

See Remote Access Virtual Private Network Monitoring for more information.

New User Role

CDO now provides a new user role, the VPN Sessions Manager user role, that allows specific users the ability to terminate VPN sessions per tenant. Note that terminating VPN sessions is the only action this role allows; users designated with this role are otherwise limited with read-only capabilities. See User Roles for more information. 

May 27, 2021

This is the new feature we are releasing this week:

Improved Device Notifications in CDO

You can now subscribe to CDO email alerts and view recent notifications within the CDO UI.

 

Receive email alerts for when a device associated with your tenant experiences a workflow or event change. Workflow changes include deployments, upgrades, or backups; event changes include devices going online or offline, conflict detection, HA or failover state, and site-to-site VPN connection status. 

Note that these customizable notifications and alerts are applied to all devices associated with your tenant and are not device-specific. See Notification Settings for more information.

 

March 25, 2021

Cisco Security Analytics and Logging Availability in APJC 

Cisco Security Analytics and Logging is now available in the Asia (APJC) region through the newly commissioned Tokyo data store. Security Analytics-enabled accounts will have access to the Cisco Stealthwatch Cloud service in Sydney, Australia for security-related alerting. With this, the Asia region has been brought up to par with capabilities available in the Americas and EU regions. See the Cisco Security Analytics and Logging Ordering Guide for more information.

March 18, 2021

EtherChannel Interface Support

CDO now supports EtherChannel interface configuration on supported models running Firepower Version 6.5 and later, such as the Firepower 1010, 1120,1140,1150, 2110, 2120, 2130, 2140. EtherChannel is a port link aggregation technology or port-channel architecture that allows the grouping of several physical Ethernet links to create one logical Ethernet link for the purpose of providing links between switches, routers and servers.

Note that the configuration that you apply to the physical ports affects only the LAN port where you apply the configuration. For more information about device support and configuration limitations, see Guidelines and Limitations for Firepower Interface Configuration for more information. 

March 15, 2021

These are the new features we are releasing this week.

ASA Remote Access VPN Support

CDO now allows creating Remote Access Virtual Private Network (RA VPN) configuration on Adaptive Security Appliance (ASA) devices to enable remote users to connect to the ASA and securely access the remote network. It also allows managing the RA VPN settings that have already been configured using other ASA management tools, such as the Adaptive Security Defense Manager (ASDM) or Cisco Security Manager (CSM).

AnyConnect is the only client that is supported on endpoint devices for RA VPN connectivity.

CDO supports the following aspects of RA VPN functionality on ASA devices:

• SSL client-based remote access
• IPv4 and IPv6 addressing
• Shared RA VPN configuration across multiple ASA devices

See Configuring Remote Access VPN for an ASA for more information.

ASA File Management Support

CDO provides the File Management tool for performing basic file management tasks such as viewing, uploading, or deleting files present on the ASA device's flash (disk0) space. Using this tool, you can upload any files such as the AnyConnect software images, DAP.xml, data.xml, host scan image files to a single or multiple ASA device using URL-based file upload from the remote server.

This tool helps you to upload the newly released AnyConnect image to multiple ASA devices simultaneously.

See ASA File Management for more information.

February 11, 2021

This is the new feature deployed by CDO this week:

Multiple Secure Device Connector Support

You can now deploy more than one on-premises Secure Device Connector (SDC) for your tenant. This allows you to manage more devices with CDO and maintain communication performance between CDO, your SDCs, and your managed devices.

You can move managed ASA, AWS VPC, and Meraki MX devices from one SDC to another. 

Having multiple SDCs also allows you to use one CDO tenant to manage devices in isolated network segments. Do this by assigning all managed devices in the isolated network segment to a single SDC.

See Using Multiple SDCs on a Single CDO Tenant for more information.

January 21, 2021

This is the feature and improvement to CDO made this week.

Firepower Management Center Object Reading

Now when you onboard an FMC to CDO, CDO imports the objects from the FMC-managed FTD devices. Once imported to CDO, the objects are read-only. Though the FMC objects are read-only, CDO allows you to apply a copy of the objects to other devices on your tenant that are not managed by the FMC. The copy is disassociated from the original object so you can edit the copy without changing the value of the object that was imported from the FMC. FMC objects can be used on any device you manage that support that object type. See FMC Objects for more information. 

January 14, 2021

Exporting CLI Command Results

You can export the results of CLI commands issued to a standalone device, or several devices, to a comma separated value (.csv) file so you can filter and sort the information in it however you like. You can export the CLI results of a single device, or many devices at once. See Export CLI Command Results for more information.

Configuring Cloud Services for your FTD Devices

Connecting to the Cisco Success Network and configuring which events are sent to the Cisco cloud are features that can be configured on FTD devices running software version 6.6 or higher.

Cisco Success Network

By enabling Cisco Success Network, you are providing usage information and statistics to Cisco to improve the FTD and to make you aware of unused or additional features that will help you maximize the value of Cisco products in your network. When you enable the Cisco Success Network, your device establishes a secure connection to the Cisco Cloud and maintains this secure connection at all times. See Connecting to the Cisco Success Network for more information.

Send Events Directly to Cisco Cloud

You can now specify which types of events you send from your FTD directly to the Cisco cloud. Once stored in the Cisco cloud, you can use cloud applications, such as Cisco Threat Response, to analyze the events and to evaluate threats that the device might have encountered. See Sending Events to the Cisco Cloud for more information.

Web Analytics

Enabling web analytics provides anonymous product usage information to Cisco based on page hits. The information includes pages viewed, the time spent on a page, browser versions, product version, device hostname, and so forth. This information can help Cisco determine feature usage patterns and improve the product. All usage data is anonymous and no sensitive data is transmitted. See Enabling or Disabling Web Analytics for more information. You can use CDO to configure this feature on all versions of FTD.

 

January 7, 2021

This is the new feature and improvement CDO released this week. 

FTD HA Pair Onboarding

CDO has enhanced the process of onboarding an FTD HA pair. Once you onboard one of the HA peers with either the registration token method or the login credentials method, CDO automatically detects that the corresponding peer is not onboarded yet and prompts you to take action. The improvement minimizes the effort required to onboard both devices, shortens how long it takes to onboard the peer device, and reuses any registration keys or smart license tokens you may have used to onboard the first device. See Onboard an FTD HA Pair with a Registration Key or Onboard an FTD HA Pair using Username, Password, and IP Address respectively for more information. 

You can onboard either the active or the standby device, and once synced, CDO will always detect that the device is part of an HA pair. 

Note: We strongly recommend onboarding your FTD devices with the registration key method. 

December 17, 2020 - CDO Public API

CDO has published its public API and provided you with documentation, examples, and a playground to try things out. The goal of our public API is to provide you with a simple and effective way to perform a lot of what you would normally be able to do in the CDO UI, but in code.

To use this API, you will need to know GraphQL. It is very easy to learn, and their official guide (https://graphql.org/learn/) provides a thorough, light read. We chose GraphQL because it is flexible, strongly typed, and auto-documenting.

To find the full schema documentation, simply go to the GraphQL Playground, and click the docs tab on the right side of the page.

You can launch the CDO Public API by selecting it from the user menu.

 

December 10, 2020

November 13, 2020

Low Touch Provisioning and Serial Number Onboarding

Low touch provisioning is a feature that allows a new factory-shipped or re-imaged Firepower 1000 or 2100 series device, running FTD software version 6.7 or later, to be plugged in to your network, onboarded to CDO automatically, and then configured remotely. This eliminates many of the manual tasks involved with onboarding the device to CDO. The low touch provisioning process minimizes the need to log in to a physical device. It's intended for remote offices or other locations where your employees are less experienced working with networking devices.

Firepower 1000 and 2100 series devices with factory-installed FTD 6.7 images are expected to be orderable from Cisco at the end of calendar year 2020 or the beginning of calendar year 2021.

It is also possible to onboard a configured Firepower Threat Defense (FTD) version 6.7+ device to FTD 6.7, to CDO using the device's serial number.

See these articles for more information:

• Low Touch Provisioning
• Onboarding a FTD 6.7 Device with its Serial Number
• Firepower Easy Deployment Guide for Cisco Firepower 1000 or 2100 Firewalls

Assigning Firepower Threat Defense Interfaces to Security Zones

You can now assign an FTD interface to a security zone to further classify and manage traffic. See Assign a Firepower Interface to a Security Zone for more information.

November 6, 2020

CDO now supports Firepower Threat Defense (FTD), versions 6.6.1 and 6.7. You can onboard a new FTD device running FTD 6.6.1 or 6.7, or use CDO to upgrade to those versions. CDO continues to support existing FTD features and these new FTD 6.7 features:

• Secure Group Tags and SGT Groups
• Active Directory Realm Objects
• CDO TLS Server Identity Discovery and TLS 1.3

See Managing FTD with Cisco Defense Orchestrator for more information about the FTD features CDO currently supports. 

October 15, 2020

New User Roles

CDO now provides two additional user roles that divide the responsibilities of editing policies and deploying policies. The new Edit-Only role allows users to make configuration changes to devices, but they are not allowed to deploy those changes. The new Deploy-Only role allows users to deploy pending configuration changes, but they are not allowed to make configuration changes. For the full list of capabilities and limitations of these new roles, see User Roles. 

October 2, 2020

FTD API Support

CDO now provides the API tool interface to execute the Representational State Transfer (REST) Application Programming Interface (API) requests for performing advanced actions on an FTD device. Additionally, this interface provides the following features:

• Records a history of already executed API commands.
• Provides system-defined API macros that can be reused.
• Allows creating user-defined API macros using the standard API macros, from a command you have already executed, or another user-defined macro.

For more information about the FTD API tool, see Using FTD API Tool.

September 25, 2020

Multi-Tenant Portal Support

CDO now introduces a Multi-Tenant Portal that provides a consolidated view of devices from tenants across various regions. This view helps you glean information from your tenants in a single-window. You can have the CDO support team create one or more portals based on your requirements.

• Provides the Device Details view that provides the following information:
  • Shows device location, software version, onboarding method, and many more details for each device.
  • Allows you to manage the device on the CDO tenant page that owns that device.
  • Provides a link to sign in to the CDO tenant in a different region and manage that device.
• Exports the portal's information to a comma-separated value (.csv) file to analyze or send it to someone who doesn't have access.
• Allows seamless addition of a new tenant using its API token.
• Allows switching between the portals without signing out from CDO.

For more information, see Manage Multi-Tenant Portal.

Secure Event Connector Support for Cloud-based Secure Device Connectors

Cisco Security Analytics and Logging (SaaS) customers can now install Secure Event Connectors when their Secure Device Connector is installed in the Cisco cloud. They no longer need to switch to an on-premises Secure Device Connector to configure Cisco Security Analytics and Logging.

See Installing Secure Event Connectors for more information.

September 17, 2020

Support for Multiple Secure Event Connectors

The Secure Event Connector (SEC) forwards events from ASAs and FTDs to the Cisco cloud so that you can view them in the Event Logging page and investigate them with Stealthwatch Cloud, depending on your Cisco Security Analytics and Logging licensing. Having more than one SEC allows you to install them in different locations and distribute the work of sending events to the Cisco cloud.

See these articles to learn how to install additional SECs on your tenant:

• Installing Multiple SECs, Using CDO Images, on Tenants with On-Premises SDCs
• Install Multiple SECs Using Your VM Image

Learn more about Cisco Security Analytics and Logging.

August 20, 2020

These are the new features and improvements CDO released this week.  

Firepower Management Center Support

 

CDO can now onboard an Firepower Management Center (FMC) running Version 6.4 or later and all of its managed devices. FMC support is limited to onboarding an FMC, viewing the devices it manages, and cross-launching to the FMC UI.

 

• To review how CDO manages an FMC appliance, see Managing FMC with Cisco Defense Orchestrator.
• To onboard an FMC, see Onboard an FMC.
• To review supported FMC hardware and software versions, see Software and Hardware Support by CDO.

Customizable Event Filters

Cisco Security Analytics and Logging (SaaS) customers can create and save customized event filters on the Event Logging page for repeated use. See Customizable Event Filters for more information. 

Improved Search Capabilities in the Event Logging Page

Cisco Security Analytics and Logging (SaaS) customers will now benefit from these improvements to the search capability on the Event Logging page:

• Click an element attribute to add it to the search field.
• Drag and drop columns on the Event Logging page to view your event information the way you want to.
• New AND NOT and OR NOT search operators in the Event Logging page provide more granular event search capability.

See Searching for and Filtering Events in the Event Logging Page for more information.

August 13, 2020

These are the new features we are releasing this week.

Custom Conflict Detected Polling Interval

You can now configure custom polling intervals by device, regardless of the device type or any previously configured polling intervals. This includes detection for device state or any detected out of band changes.

See Schedule Polling for Device Changes for more information.

Custom FTD Templates

You can now create a custom FTD template by selecting one or more parts (Access Rules, NAT Rules, Settings, Interfaces, and Objects) of an onboarded FTD device's configuration. Applying a custom template to other FTDs will retain, update, or remove the existing configuration based on the included parts. However, CDO still allows you to select all parts to create a complete template and apply it to other FTDs.  

See FTD Templates for more information.

July 30, 2020

These are the new features we are releasing this week.

Object Overrides

CDO introduces “Object Overrides” that allow you to provide an alternate value for a shared network object, which the system uses for the devices that you specify. It enables you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices. Object override makes it possible to create an object that can be overridden on some or all devices that use it in a shared policy or ruleset.

To override an object, see Object Overrides.

Improved Network Group Wizard

The Network Group editing wizard has been improved to create new network objects instantly and modify the existing ones. It also allows you to add device-specific additional values to devices on which the shared network group is defined.

For more information about the improvements made to Network Group Wizard, see Create or Edit a Firepower Network Object or Network Group and Create or Edit ASA Network Objects and Network Groups.

July 9, 2020

These are the features and improvements deployed today!

Customize the RA VPN and Events Views

July 2, 2020

These are the features and improvements deployed today!

SecureX

You can now incorporate CDO into SecureX, which provides a summarization of devices, policy, and applied objects per tenant to strengthen your visibility and automation across your security portfolio. See SecureX for more about how to incorporate CDO and SecureX.

For more information about SecureX capabilities, see Cisco's SecureX product page. To log into your SecureX account, click here.

Cisco Security Analytics and Logging Event Downloads

After filtering ASA and FTD events on the Event Logging page, you can now download your results in a compressed .CSV file.

• The events you add to a downloadable .CSV file are defined by a time range.
• A single .CSV file can accommodate up to approximately 50 GB of compressed information.
• Generation of downloadable files can be done in parallel.
• Once created, the .CSV files are stored in Cisco cloud and downloaded directly from there. These files do not consume any CDO/SWC server resources.
• Completed downloadable .CSV files are stored for 7 days and then deleted.

See Downloading Events for more information.

June 18, 2020

These are the new features we are releasing this week.

Firepower Threat Defense Executive Summary Report

You can now generate a custom Executive Summary Report on any or all of your onboarded Firepower Threat Defense (FTD) devices. The report displays a collection of operational statistics such as encrypted traffic, intercepted threats, detected web categories, and more. Read FTD Executive Summary Report for more information about what the report offers and how you can use it to improve your network infrastructure. To create and manage your reports, see Generating FTD Executive Summary Reports.

Cisco Security Analytics and Logging Improvements

ASA Syslog and NSEL Events Support

Cisco Security Analytics and Logging has been greatly expanded to support logging events from ASAs!

• ASA logging: Security Analytics and Logging (SAL) now supports logging from any Cisco ASA Firewall, regardless of how it is managed. Users can choose to send ASA logs in syslog format, NetFlow Security Event Logs (NSEL) format, or both. Customers that want to enable logging analytics will be required to enable NSEL logs to provide the necessary telemetry for the higher-tier SAL licenses.

In addition to existing FTD logging, this makes CDO the first product in Cisco’s Security portfolio to truly aggregate and unify logging for Cisco’s entire firewall fleet.

See Cisco Security Analytics and Logging for ASA Devices and Implementing Cisco Security Analytics and Logging for ASA Devices for more information.

• Longer-term Storage and Download: Users can now opt-in to store logs for 1, 2, or 3 years when initially ordering SAL, or as an add-on later. Note that the default retention period of firewall logging remains 90 days. See Data Storage Plans.
• Traffic Analysis: Both FTD connection-level logs and ASA (NSEL) logs can be run through SAL’s traffic analysis, and observations and alerts can be reviewed by cross-launching to Stealthwatch Cloud using SecureX Sign-On. ASA customers only logging syslog must switch to NSEL logs to enable traffic analytics. Customers acquiring Logging Analytics and Detection and Total Network Analytics and Detection licenses can provision and use a Stealthwatch Cloud portal for analysis at no extra charge. Stealthwatch Cloud detections include observations and alerts specifically enabled using firewall logging data, in addition to the other detections available to SAL users as part of Stealthwatch Cloud’s core capability. Existing Logging and Troubleshooting license holders can test the detection capabilities of higher licenses with no commitment for 30 days.
• Free Trials: You can start a no-commitment 30-day SAL trial for all licenses by filling out this form. This low-touch trial requires only a minimal set of on-prem connectors for exporting data to the cloud. You can use this trial to evaluate SAL capabilities, and estimate the data volume required to support production environments, as a precursor to purchasing the appropriate daily volume for SAL licenses. To this end, the SAL trial will not throttle data for most user volumes. In addition, an estimator tool helps you estimate SAL daily volume.

Improved Event Monitoring for Security Analytics and Logging

• The Event Logging page in CDO now provides filtering of ASA events by type. You can see all your syslog events or NSEL events separately or together. 
• Many ASA syslog events are parsed, providing greater detail about the event. That detail can be used to analyze the event in SWC.
• You can customize your view of the Event Logging page by showing only the columns of information you want to see and by hiding the rest.
• See Filtering Events in the Event Logging Page for more information.

June 4, 2020

Take a look at the new features and offers we are highlighting this week.

Monitor and Terminate Remote Access VPN Sessions

You can now use CDO to monitor live AnyConnect Remote Access VPN sessions across all Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) VPN head-ends in your tenant. It gathers information on the total number of active VPN sessions, currently connected users and sessions, the volume of data received and transferred.

You can view the performance of each RA VPN head-end in your tenant, filter sessions by head-ends, and select the session properties that you want to view in the VPN monitoring table. Also, you can export the RA VPN sessions of one or more devices to a comma-separated value (.csv) file. See Export RA VPN Sessions to a CSV File for more information.

You can terminate all the active RA VPN sessions of a single user on an ASA, and terminate all active RA VPN sessions of all users on an ASA. See Disconnect Active RA VPN Sessions on ASA and Disconnect Active RA VPN Sessions on FTD for more information.

Open the Remote Access VPN Monitoring screen from the navigation bar by clicking VPN > Remote Access VPN Monitoring. See Monitoring Live AnyConnect Remote Access VPN Sessions for more information.

 

AWS Virtual Private Cloud Management - Free Trial

Try managing your AWS VPC from CDO for free for 90 days. Open the Devices & Services page in CDO and onboard your AWS VPC to get started. See Onboard an AWS VPC for more information.

What's New Tile

The CDO landing page now has a What's New tile to showcase the latest features and when CDO implemented those features. If there is a feature that interests you, click the title of the feature to read the documentation about that specific feature.

May 20, 2020 - New API Only User

CDO now allows a Super Admin to create an “API Only User” that can be used to generate an API token for authenticating to CDO when making CDO REST API calls. This user account and the corresponding API token continues to function even after the original Super Admin departs your organization. See Create API Only Users for more information.

May 7, 2020 - Backup Firepower Threat Defense Devices Using CDO

You can now use CDO to back up a Firepower Threat Defense's (FTD's) system configuration. With CDO you can:

• Backup devices on demand.
• Schedule recurring backups on a cadence from every day to every month, at the time you choose.
• Download backups and use Firepower Device Manager (FDM) to restore them.

See Backing Up FTDs for more information.

April 16, 2020

These are the features that we released this week:

CDO Support for Devices Running Firepower Threat Defense 6.6.0

CDO now manages FTD 6.6.0 devices. These are the new aspects of support CDO provides:

• Onboading a device running Firepower Threat Defense (FTD) 6.6.0.
• Upgrading FTD 6.4.x+ devices to FTD 6.6.0 devices. Devices can be individual FTDs or FTDs configured in a high-availability pair. These caveats apply to upgrade support: 
  • Upgrades for Firepower 4100 and Firepower 9300 devices is not currently supported.
  • Customers can upgrade to FTD 6.6.0 using the drop-down in the upgrade page in CDO.
• CDO continuously develops support for FTD features and releases new feature support as it is ready.

For more information about the FTD features CDO supports, review Managing Firepower Threat Defense with Cisco Defense Orchestrator. See Firepower Threat Defense Support Specifics for a complete list of supported device types. 

April 9, 2020 - Firepower Threat Defense Command Line Interface

You can now issue CLI requests to your FTD devices directly from CDO. See FTD Command Line Interface Documentation and Using the CDO Command Line Interface for more information.

 

These are the highlights of the features that we deployed in March 2020.

FTD Security Database Updates 

CDO allows you to immediately update and, simultaneously, schedule future updates for security databases when you onboard you FTD device. This feature updates the SRU, security intelligence (SI), vulnerability (VDB), and geolocation databases. Note that you can only schedule future updates as part of the onboarding process. See Update FTD Security Databases for more information. 

Support for Port Ranges in FTD Service Objects

CDO now supports creating service objects (also referred to as port objects in FTD) that contain a range of port numbers. See Create a Firepower Service Object for more information.

Cisco Secure Sign-on Domain Migration

On Tuesday March 24, 2020, at 5pm Pacific Daylight Savings Time, the official domain for Cisco Security Single Sign-on solution was moved from https://security.cisco.com to https://sign-on.security.cisco.com.

If you experience any issues please contact Cisco TAC, who can provide you with technical support.

FTD Rulesets

CDO introduces Rulesets for Firepower Threat Defense devices. A ruleset is a collection of access control rules that can be shared by multiple FTD devices. Any change made to the rules of a ruleset affects the other FTD devices that use the ruleset. An FTD policy can have both device-specific (local) and shared (rulesets) rules. You can also create rulesets from existing rules in an FTD device. 

This feature is currently available for devices running Firepower Threat Defense 6.5 and later releases. 

See FTD Rulesets for more information. 

Copy or Move rules within an FTD Policy or to Another FTD Policy

It’s now possible to copy or move rules from the policy on one FTD to the policy on another FTD. We have also made it easier to move rules within an FTD policy so you can fine-tune the order in which rules evaluate network traffic.See Copy FTD Access Control Rules and Move FTD Access Control Rules for more information.

AnyConnect Software Package Upload to FTD Version 6.5+

You can now use CDO's Remote Access VPN wizard to upload AnyConnect packages from a remote server to a Firepower Threat Defense (FTD) device running FTD 6.5 or later. Ensure that the remote server supports HTTP or HTTPS protocol.See Upload AnyConnect Software Packages to an FTD Device Running FTD Version 6.5 or Later for more information.

Terminology Update in CDO's Interface

In order to manage a device, Cisco Defense Orchestrator (CDO) must have a copy of the device's configuration stored in its own database. When CDO "reads" a configuration, it makes a copy of the configuration stored on the device and saves it to CDO's database. We have renamed some interface options to better describe what you are doing when you perform a read action. This is the new terminology:

• Check for Changes. If a device's configuration status is Synced, the Check for Changes link is available. Clicking Check for Changes directs CDO to compare its copy of the device's configuration with the device's copy of the device's configuration. If there is a difference CDO immediately overwrites its copy of the device's configuration with the copy stored on the device. 
• Discard Changes. If a device's configuration is Not Synced, clicking Discard Changes deletes any changes CDO made to its copy of the device configuration and also overwrites it with a copy of the configuration found on the device. 
• Accept Without Review. This action overwrites CDO's copy of a device's configuration with the copy of the configuration stored on the device. CDO does not prompt you to confirm the action. 

See Reading, Discarding, Checking for, and Deploying Configuration Changes for more information.