Cisco Defense Orchestrator

ASA File Management

CDO provides the File Management tool to help you perform basic file management tasks such as viewing, uploading, or deleting files present on the ASA device's flash (disk0) space.

Note: You cannot manage files present on disk1.

The File Management screen lists all the files present on the device's flash (disk0). On a successful file upload, you can click the refresh icon to see the file. By default, this screen refreshes automatically every 10 minutes. The Disk Space field shows the amount of disk space on the disk0 directory.

You can upload the AnyConnect image to a single ASA device or to multiple ASA devices. After a successful upload, the AnyConnect image is associated with the RA VPN configuration on the selected ASA devices. This lets you upload a newly released AnyConnect package to multiple ASA devices simultaneously.

Upload File to the Flash System

CDO supports only URL-based file upload from a remote server. The supported protocols for uploading the file are HTTP, HTTPS, TFTP, FTP, SMB, and SCP. You can upload files such as AnyConnect software images, DAP.xml, data.xml, and host scan image files to a single ASA device or to multiple ASA devices.

Note: CDO doesn't upload the file to the selected ASA devices if the remote server's URL path is invalid or if any other issue occurs. See the device Workflows for more details.

If the device is configured for High Availability, CDO uploads the file to the standby device first and uploads it to the active device only after that upload succeeds. The same behavior applies to file removal.

The syntax of supported protocols for uploading the file:

Protocol | Syntax | Example
HTTP | http://[[path/]filename] | http://www.geonames.org/data-sources.html
HTTPS | https://[[path/]filename] | https://docs.aws.amazon.com/amazov/tagging.html
TFTP | tftp://[[path/]filename] | tftp://10.10.16.6/ftd/components.html
FTP | ftp://[[user[:password]@]server[:port]/[path/]filename | ftp://'dlpuser:rNrKYTX9g7z3RgJRmxWuGHbeu'@ftp.dlptest.com/image0-000.jpg
SMB | smb://[[path/]filename] | smb://10.10.32.145//sambashare/hello.txt
SCP | scp://[[user[:password]@]server[/path]/filename | scp://root:cisco123@10.10.16.6//root/events_send.py

Before You Begin

  • Make sure that the remote server is accessible from the ASA device. 
  • Make sure that the file is already uploaded to the remote server.
  • Make sure that there is a network route from the ASA device to that server.  
  • If FQDN is used in the URL, make sure that DNS is configured.
  • The remote server's URL must be a direct link that does not prompt for authentication.
  • If the remote server IP address is NATed, you have to provide the NATed public IP address of the remote server location. 

Note: If you upload a file to an ASA that is configured as a peer in a failover, CDO does not acknowledge the new file for the other peer in the failover pair and the device status changes to Not Synced. You must manually deploy changes to both devices for CDO to recognize the file in both devices.

Upload File to a Single ASA Device

Use this procedure to upload a file to a single ASA device. 

  1. On the CDO navigation bar, click Devices & Services and select a single ASA device.
  2. In the Management pane on the right, click File Management.
    You can view available disk space and the files present on the ASA device.  
  3. Click the Upload button on the right.
  4. In the URL link, specify the server's path where the file is pre-uploaded.
    The Destination Path field shows the name of the file that is being uploaded to the disk0 directory. If you want to upload the file to a specific directory within disk0, specify its name in this field. For example, if you're going to upload a dap.xml file to the "DAPFiles" directory, specify "disk0:/DAPFiles/dap.xml" in the field.

Note: You can view the directories present in the disk0 folder by executing the dir command in the CDO ASA CLI interface. 

  5. If the specified server path points to an AnyConnect file, the Associate file with RA VPN Configuration check box is enabled.
    Note: This check box is enabled only for an AnyConnect file whose name follows the naming convention 'anyconnect-win-xxx.pkg', 'anyconnect-linux-xxx.pkg', or 'anyconnect-mac-xxx.pkg'.

    When you select this check box, CDO associates the AnyConnect file with the RA VPN configuration on the selected ASA device after a successful upload.
  6. Click Upload.
    CDO uploads the file to the device.
  7. If you chose to associate the AnyConnect package with the RA VPN configuration in step 5, deploy the new RA VPN configuration to the ASA device.

You don't have to deploy the configuration changes on the device.
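
Added example (not part of the Cisco documentation): a Python pre-flight check for one upload request, covering the protocol list, the disk0-only restriction, and the AnyConnect naming convention described above. The function name, the sample URLs, the WARN/ERROR wording, and the reading of 'xxx' as any version string are assumptions.

```python
import re
from urllib.parse import urlsplit

SUPPORTED = {"http", "https", "tftp", "ftp", "smb", "scp"}  # protocols the page lists
CLEARTEXT = {"http", "tftp", "ftp"}                         # no transport encryption
# Assumption: 'xxx' in the page's naming convention stands for any non-empty version string.
ANYCONNECT = re.compile(r"^anyconnect-(win|linux|mac)-.+\.pkg$")


def preflight(url, dest=""):
    """Check one upload request; return (findings, safe_url, can_associate)."""
    findings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED:
        findings.append("ERROR: unsupported protocol %r" % scheme)
    elif scheme in CLEARTEXT:
        findings.append("WARN: %s is unencrypted; the file can be read or altered in transit" % scheme)
    if not parts.hostname:
        findings.append("ERROR: URL has no server")
    safe_url = url.strip()
    if parts.password is not None:
        findings.append("WARN: password embedded in URL; use a throwaway, read-only account")
        if scheme in CLEARTEXT:
            findings.append("WARN: that password is sent in cleartext over %s" % scheme)
        # Mask the password so the URL can be pasted into tickets or change records.
        host = parts.netloc.rsplit("@", 1)[1]
        safe_url = parts._replace(netloc="%s:***@%s" % (parts.username, host)).geturl()
    filename = parts.path.rsplit("/", 1)[-1]
    if not filename:
        findings.append("ERROR: URL does not end in a file name")
    # Only disk0 is manageable; a bare file name is accepted as-is.
    drive, colon, _ = dest.partition(":")
    if colon and drive.lower() != "disk0":
        findings.append("ERROR: destination must be on disk0, got %r" % drive)
    # The association check box depends on the file name in the server path.
    return findings, safe_url, bool(ANYCONNECT.match(filename))


if __name__ == "__main__":
    # Constructed sample requests (addresses from documentation ranges).
    samples = [
        ("scp://backup:EXAMPLE-PASSWORD@192.0.2.10/images/anyconnect-win-4.10.pkg", ""),
        ("ftp://user:EXAMPLE-PASSWORD@198.51.100.7/pkgs/anyconnect-windows.pkg", "disk1:/x.pkg"),
        ("https://files.example.com/dap.xml", "disk0:/DAPFiles/dap.xml"),
    ]
    for url, dest in samples:
        print(preflight(url, dest))
```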

Upload File to Multiple ASA Devices

Use this procedure to upload a file to multiple ASA devices at the same time. 

  1. On the CDO navigation bar, click Devices & Services and select multiple ASA devices to perform a bulk upload. 
  2. In the Device Actions pane on the right, click Upload File.
    Note: The Upload File link appears if ASA devices are online.
  3. In the URL link, specify the server's path where the file is pre-uploaded.
    The Destination Path field shows the name of the file that is being uploaded to the disk0 directory. If you want to upload the file to a specific directory within disk0, specify its name in this field. For example, if you're going to upload a dap.xml file to the "DAPFiles" directory, specify "disk0:/DAPFiles/dap.xml" in the field.

Note: You can view the directories present in the disk0 folder by executing the dir command in the CDO ASA CLI interface.

  4. If the specified server path points to an AnyConnect file, the Associate file with RA VPN Configuration check box is enabled.
    Note: This check box is enabled only for an AnyConnect file whose name follows the naming convention 'anyconnect-win-xxx.pkg', 'anyconnect-linux-xxx.pkg', or 'anyconnect-mac-xxx.pkg'.

    When you select this check box, CDO associates the AnyConnect file with the RA VPN configuration on the selected ASA devices after a successful upload.
  5. Click Upload.
  6. If you chose to associate the AnyConnect package with the RA VPN configuration in step 4, deploy the new RA VPN configuration to the ASA devices.

You can view the progress of uploading the file on individual devices. Select the ASA device, and in the Management pane on the right, click File Management. If the file upload is in progress, wait for the operation to complete. 

You don't have to deploy the configuration changes on the device.

Remove Files from ASA

You cannot remove AnyConnect files associated with the RA VPN configuration. You have to disassociate the AnyConnect file from the corresponding RA VPN configuration and then remove the file from the File Management tool. 

Note: If you upload a file to an ASA that is configured as a peer in a failover, CDO does not acknowledge the new file for the other peer in the failover pair and the device status changes to Not Synced. You must manually deploy changes to both devices for CDO to recognize the file in both devices.

The remove operation permanently deletes the selected files from the flash memory. A message asking for confirmation appears when you delete files.

Use the following procedure to remove files from a selected ASA device:

  1. On the CDO navigation bar, click Devices & Services and select a single ASA device.
  2. In the Management pane on the right, click File Management.
  3. Select the files you want to remove, and under Actions on the right, click Remove. A maximum of 25 files can be selected.
    If CDO fails to remove some files, you can see the device Workflows to determine the removed and retained files. 
  4. If you have chosen to remove the AnyConnect package, deploy the new RA VPN configuration to the ASA device.