Cisco Defense Orchestrator (CDO) offers users the ability to manage ASA, SSH, and Cisco IOS devices using a command-line interface (CLI). Users can send commands to a single device or to multiple devices simultaneously. This article describes sending CLI commands to a single ASA, SSH, or Cisco IOS device
- For detailed ASA CLI documentation, see ASA Command Line Interface Documentation.
- For Cisco IOS CLI documentation, see Networking Software (IOS & NX-OS) for your IOS version.
- For FTD SSH CLI documentation, see Cisco Firepower Threat Defense Command Reference.
How to enter commands
A single command can be entered on a single line or several commands can be entered sequentially on several lines and CDO will execute them in order as a batch. The following ASA example sends a batch of commands which creates three network objects and a network object group that contains those network objects.
Entering ASA or SSH device Commands: CDO begins executing commands in Global configuration mode.
Entering Cisco IOS commands: CDO begins executing commands in User EXEC mode. You will need to start a sequence of commands with enable followed by config t if they need to be executed in global configuration mode.
Long Commands: If you enter a very long command, CDO attempts to break up your command into multiple commands so that they can all be run against the ASA API or Cisco IOS API. If CDO is unable to determine a proper separation in your command, it will prompt you for a hint on where to break the list of commands. For example:
Error: CDO attempted to execute a portion of this command with a length that exceeded 600 characters. You can give a hint to CDO at where a proper command separation point is by breaking up your list of commands with an additional empty line between them.
If you receive this error:
- Click the command in the CLI history pane that caused error. CDO populates the command box with the long list of commands.
- Edit the long list of commands by entering an empty line after groups of related commands. For example, add an empty line after you define a list of network objects and add them to a group like in the example above. You may want to do this at a few different points in the list of commands.
- Click Send.
Using the CLI on a Single Device
- Open the Devices & Services page.
- Select the device you want to manage using the command line interface.
Note: Make sure that the device you choose is reachable and synced. Only the following commands are allowed when the device is not synced: show, ping, traceroute, vpn-sessiondb, changeto, and dir.
- In the Device Actions pane for the device, click >_Command Line Interface.
- Enter your command, or commands, in the top "command pane" and click Send. The device's response to the command(s) are displayed below in the "response pane."
Work with Command History
After you send a CLI command, CDO records that command in the history pane on the Command Line Interface page. You can rerun the commands saved in the history pane or use the commands as a template:
- On the Devices & Services page, select the device you want to configure.
- Click >_Command Line Interface.
- Click the Clock icon to expand the history pane if it is not already expanded.
- Select the command in the history pane that you want to modify or resend.
- Reuse the command as it is or edit it in the command pane and click Send. CDO displays the results of the command in the response pane.
Note: CDO displays the Done! message in the response pane in two circumstances:
- After a command has executed successfully without errors.
- When the command has no results to return. For example, you may issue a show command with a regular expression searching for a certain configuration entry. If there is no configuration entry that meets the criteria of the regular expression, CDO returns Done!.