Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.
We make improvements to CDO every week and when we have some big news to share, we're going to tell you about it here. Here are the latest features that we have deployed on CDO.
If you're not already a CDO customer, you can get a demo account by contacting cdosales@cisco.com.
This is the feature and improvement to CDO made this week.
Now when you onboard an FMC to CDO, CDO imports the objects from the FMC-managed FTD devices. Once imported to CDO, the objects are read-only. Though the FMC objects are read-only, CDO allows you to apply a copy of the objects to other devices on your tenant that are not managed by the FMC. The copy is disassociated from the original object so you can edit the copy without changing the value of the object that was imported from the FMC. FMC objects can be used on any device you manage that support that object type. See FMC Objects for more information.
You can export the results of CLI commands issued to a standalone device, or several devices, to a comma separated value (.csv) file so you can filter and sort the information in it however you like. You can export the CLI results of a single device, or many devices at once. See Export CLI Command Results for more information.
Connecting to the Cisco Success Network and configuring which events are sent to the Cisco cloud are features that can be configured on FTD devices running software version 6.6 or higher.
By enabling Cisco Success Network, you are providing usage information and statistics to Cisco to improve the FTD and to make you aware of unused or additional features that will help you maximize the value of Cisco products in your network. When you enable the Cisco Success Network, your device establishes a secure connection to the Cisco Cloud and maintains this secure connection at all times. See Connecting to the Cisco Success Network for more information.
You can now specify which types of events you send from your FTD directly to the Cisco cloud. Once stored in the Cisco cloud, you can use cloud applications, such as Cisco Threat Response, to analyze the events and to evaluate threats that the device might have encountered. See "Sending Events to the Cisco Cloud" in FTD Settings for more information.
Enabling web analytics provides anonymous product usage information to Cisco based on page hits. The information includes pages viewed, the time spent on a page, browser versions, product version, device hostname, and so forth. This information can help Cisco determine feature usage patterns and improve the product. All usage data is anonymous and no sensitive data is transmitted. See "Enabling or Disabling Web Analytics" in FTD Settings for more information. You can use CDO to configure this feature on all versions of FTD.
This is the new feature and improvement CDO released this week.
CDO has enhanced the process of onboarding an FTD HA pair. Once you onboard one of the HA peers with either the registration token method or the login credentials method, CDO automatically detects that the corresponding peer is not onboarded yet and prompts you to take action. The improvement minimizes the effort required to onboard both devices, shortens how long it takes to onboard the peer device, and reuses any registration keys or smart license tokens you may have used to onboard the first device. See Onboard an FTD HA Pair with a Registration Key or Onboard an FTD HA Pair using Username, Password, and IP Address respectively for more information.
You can onboard either the active or the standby device, and once synced, CDO will always detect that the device is part of an HA pair.
Note: We strongly recommend onboarding your FTD devices with the registration token method.
CDO has published its public API and provided you with documentation, examples, and a playground to try things out. The goal of our public API is to provide you with a simple and effective way to perform a lot of what you would normally be able to do in the CDO UI, but in code.
To use this API, you will need to know GraphQL. It is very easy to learn, and their official guide (https://graphql.org/learn/) provides a thorough, light read. We chose GraphQL because it is flexible, strongly typed, and auto-documenting.
To find the full schema documentation, simply go to the GraphQL Playground, and click the docs tab on the right side of the page.
You can launch the CDO Public API by selecting it from the user menu.
You can now export the complete configuration of an FTD device as a CDO-readable JSON file. You can import this file as an FTD model (FTD template) on any CDO tenant that you manage. For more information, see Export FTD Configuration.
You can now add comments to rules in FTD policies and rulesets. Rule comments are are only visible in CDO; they are not written to the FTD nor are they visible in FDM. See Adding Comments to Rules in FTD Policies and Rulesets for more information.
Low touch provisioning is a feature that allows a new factory-shipped or re-imaged Firepower 1000 or 2100 series device, running FTD software version 6.7 or later, to be plugged in to your network, onboarded to CDO automatically, and then configured remotely. This eliminates many of the manual tasks involved with onboarding the device to CDO. The low touch provisioning process minimizes the need to log in to a physical device. It's intended for remote offices or other locations where your employees are less experienced working with networking devices.
Firepower 1000 and 2100 series devices with factory-installed FTD 6.7 images are expected to be orderable from Cisco at the end of calendar year 2020 or the beginning of calendar year 2021.
It is also possible to onboard a configured Firepower Threat Defense (FTD) version 6.7+ device to FTD 6.7, to CDO using the device's serial number.
See these articles for more information:
You can now assign an FTD interface to a security zone to further classify and manage traffic. See Assign a Firepower Interface to a Security Zone for more information.
CDO now supports Firepower Threat Defense (FTD), versions 6.6.1 and 6.7. You can onboard a new FTD device running FTD 6.6.1 or 6.7, or use CDO to upgrade to those versions. CDO continues to support existing FTD features and these new FTD 6.7 features:
See Managing FTD with Cisco Defense Orchestrator for more information about the FTD features CDO currently supports.
CDO now provides two additional user roles that divide the responsibilities of editing policies and deploying policies. The new Edit-Only role allows users to make configuration changes to devices, but they are not allowed to deploy those changes. The new Deploy-Only role allows users to deploy pending configuration changes, but they are not allowed to make configuration changes. For the full list of capabilities and limitations of these new roles, see User Roles.
CDO now provides the API tool interface to execute the Representational State Transfer (REST) Application Programming Interface (API) requests for performing advanced actions on an FTD device. Additionally, this interface provides the following features:
For more information about the FTD API tool, see Using FTD API Tool.
CDO now introduces a Multi-Tenant Portal that provides a consolidated view of devices from tenants across various regions. This view helps you glean information from your tenants in a single-window. You can have the CDO support team create one or more portals based on your requirements.
For more information, see Manage Multi-Tenant Portal.
Cisco Security Analytics and Logging (SaaS) customers can now install Secure Event Connectors when their Secure Device Connector is installed in the Cisco cloud. They no longer need to switch to an on-premises Secure Device Connector to configure Cisco Security Analytics and Logging.
See these topics for more information:
The Secure Event Connector (SEC) forwards events from ASAs and FTDs to the Cisco cloud so that you can view them in the Event Logging page and investigate them with Stealthwatch Cloud, depending on your Cisco Security Analytics and Logging licensing. Having more than one SEC allows you to install them in different locations and distribute the work of sending events to the Cisco cloud.
See these articles to learn how to install additional SECs on your tenant:
Learn more about Cisco Security Analytics and Logging.
These are the new features and improvements CDO released this week.
CDO can now onboard an Firepower Management Center (FMC) running Version 6.4 or later and all of its managed devices. FMC support is limited to onboarding an FMC, viewing the devices it manages, and cross-launching to the FMC UI.
Cisco Security Analytics and Logging (SaaS) customers can create and save customized event filters on the Event Logging page for repeated use. See Customizable Event Filters for more information.
Cisco Security Analytics and Logging (SaaS) customers will now benefit from these improvements to the search capability on the Event Logging page:
See Searching for and Filtering Events in the Event Logging Page for more information.
These are the new features we are releasing this week.
You can now configure custom polling intervals by device, regardless of the device type or any previously configured polling intervals. This includes detection for device state or any detected out of band changes.
See Schedule Polling for Device Changes for more information.
You can now create a custom FTD template by selecting one or more parts (Access Rules, NAT Rules, Settings, Interfaces, and Objects) of an onboarded FTD device's configuration. Applying a custom template to other FTDs will retain, update, or remove the existing configuration based on the included parts. However, CDO still allows you to select all parts to create a complete template and apply it to other FTDs.
See FTD Templates for more information.
These are the new features we are releasing this week.
CDO introduces “Object Overrides” that allow you to provide an alternate value for a shared network object, which the system uses for the devices that you specify. It enables you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices. Object override makes it possible to create an object that can be overridden on some or all devices that use it in a shared policy or ruleset.
To override an object, see Object Overrides.
The Network Group editing wizard has been improved to create new network objects instantly and modify the existing ones. It also allows you to add device-specific additional values to devices on which the shared network group is defined.
For more information about the improvements made to Network Group Wizard, see Create or Edit a Firepower Network Object or Network Group and Create or Edit ASA Network Objects and Network Groups.
These are the features and improvements deployed today!
You can now customize the tables generated for Remote Access Virtual Private Network (RA VPN), as well as both live and historical event views. Organize and save the tables in the manner that best suits your needs and what is crucial to your portfolio. To customize the RA VPN view, see Monitor ASA and FTD Remote Access VPN. To customize the Events view, see Viewing Live and Historical Events in CDO.
These are the features and improvements deployed today!
You can now incorporate CDO into SecureX, which provides a summarization of devices, policy, and applied objects per tenant to strengthen your visibility and automation across your security portfolio. See SecureX for more about how to incorporate CDO and SecureX.
For more information about SecureX capabilities, see Cisco's SecureX product page. To log into your SecureX account, click here.
After filtering ASA and FTD events on the Event Logging page, you can now download your results in a compressed .CSV file.
See Downloading Events for more information.
These are the new features we are releasing this week.
You can now generate a custom Executive Summary Report on any or all of your onboarded Firepower Threat Defense (FTD) devices. The report displays a collection of operational statistics such as encrypted traffic, intercepted threats, detected web categories, and more. Read FTD Executive Summary Report for more information about what the report offers and how you can use it to improve your network infrastructure. To create and manage your reports, see Managing Reports.
ASA Syslog and NSEL Events Support
Cisco Security Analytics and Logging has been greatly expanded to support logging events from ASAs!
In addition to existing FTD logging, this makes CDO the first product in Cisco’s Security portfolio to truly aggregate and unify logging for Cisco’s entire firewall fleet.
See Cisco Security Analytics and Logging for ASA Devices and Implementing Cisco Security Analytics and Logging for ASA Devices for more information.
Improved Event Monitoring for Security Analytics and Logging
Take a look at the new features and offers we are highlighting this week.
You can now use CDO to monitor live AnyConnect Remote Access VPN sessions across all Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) VPN head-ends in your tenant. It gathers information on the total number of active VPN sessions, currently connected users and sessions, the volume of data received and transferred.
You can view the performance of each RA VPN head-end in your tenant, filter sessions by head-ends, and select the session properties that you want to view in the VPN monitoring table. Also, you can export the RA VPN sessions of one or more devices to a comma-separated value (.csv) file. See Export RA VPN Sessions to a CSV File for more information.
You can terminate all the active RA VPN sessions of a single user on an ASA, and terminate all active RA VPN sessions of all users on an ASA. See Disconnect Active RA VPN Sessions on ASA and Disconnect Active RA VPN Sessions on FTD for more information.
Open the Remote Access VPN Monitoring screen from the navigation bar by clicking VPN > Remote Access VPN Monitoring. See Monitoring Remote Access VPN Sessions for more information.
Try managing your AWS VPC from CDO for free for 90 days. Open the Devices & Services page in CDO and onboard your AWS VPC to get started. See Onboard an AWS VPC for more information.
The CDO landing page now has a What's New tile to showcase the latest features and when CDO implemented those features. If there is a feature that interests you, click the title of the feature to read the documentation about that specific feature.
CDO now allows a Super Admin to create an “API Only User” that can be used to generate an API token for authenticating to CDO when making CDO REST API calls. This user account and the corresponding API token continues to function even after the original Super Admin departs your organization. See Create API Only Users for more information.
You can now use CDO to back up a Firepower Threat Defense's (FTD's) system configuration. With CDO you can:
See Backing Up FTDs for more information.
These are the features that we released this week:
CDO now manages FTD 6.6.0 devices. These are the new aspects of support CDO provides:
For more information about the FTD features CDO supports, review Managing Firepower Threat Defense with Cisco Defense Orchestrator. See Firepower Threat Defense Support Specifics for a complete list of supported device types.
You can now issue CLI requests to your FTD devices directly from CDO. See FTD Command Line Interface Documentation and Using the CDO Command Line Interface for more information.
Viewing FTD device license information, enabling and disabling licenses, and refreshing licenses is now all managed from a single button in the Device Actions pane on the Devices & Services page.
These are the highlights of the features that we deployed in March 2020.
CDO allows you to immediately update and, simultaneously, schedule future updates for security databases when you onboard you FTD device. This feature updates the SRU, security intelligence (SI), vulnerability (VDB), and geolocation databases. Note that you can only schedule future updates as part of the onboarding process. See Update FTD Security Databases for more information.
CDO now supports creating service objects (also referred to as port objects in FTD) that contain a range of port numbers. See Create a Firepower Service Object for more information.
On Tuesday March 24, 2020, at 5pm Pacific Daylight Savings Time, the official domain for Cisco Security Single Sign-on solution was moved from https://security.cisco.com to https://sign-on.security.cisco.com.
If you experience any issues please contact Cisco TAC, who can provide you with technical support.
CDO introduces Rulesets for Firepower Threat Defense devices. A ruleset is a collection of access control rules that can be shared by multiple FTD devices. Any change made to the rules of a ruleset affects the other FTD devices that use the ruleset. An FTD policy can have both device-specific (local) and shared (rulesets) rules. You can also create rulesets from existing rules in an FTD device.
This feature is currently available for devices running Firepower Threat Defense 6.5 and later releases.
See FTD Rulesets for more information.
It’s now possible to copy or move rules from the policy on one FTD to the policy on another FTD. We have also made it easier to move rules within an FTD policy so you can fine-tune the order in which rules evaluate network traffic.See Copy FTD Access Control Rules and Move FTD Access Control Rules for more information.
You can now use CDO's Remote Access VPN wizard to upload AnyConnect packages from a remote server to a Firepower Threat Defense (FTD) device running FTD 6.5 or later. Ensure that the remote server supports HTTP or HTTPS protocol.See Upload AnyConnect Software Packages to an FTD Device Running FTD Version 6.5 or Later for more information.
In order to manage a device, Cisco Defense Orchestrator (CDO) must have a copy of the device's configuration stored in its own database. When CDO "reads" a configuration, it makes a copy of the configuration stored on the device and saves it to CDO's database. We have renamed some interface options to better describe what you are doing when you perform a read action. This is the new terminology:
See Reading, Discarding, Checking for, and Deploying Configuration Changes for more information.
Would be nice to have the following features implemented for FTD Devices:
- EVERYTHING that's available for the ASA devices.
Definitely underwhelmed when I got this up for my firepower devices.