Cisco Defense Orchestrator


An object is a container of IP addresses, fully qualified domain names (FQDNs), or port numbers that you can use in one or more network policies. You can create objects in CDO. In addition, when you onboard a device, CDO recognizes all the imported objects, saves them, and lists them on the Objects page.

In CDO, you can create network objects and service objects. A network object contains an individual IPv4 address, a range of IPv4 addresses, or an FQDN. A network group is a collection of network objects. A service object contains a TCP, UDP, or other transport layer protocol and a port number. A service object may also contain a collection of port numbers, which CDO calls a port group. A service group is a collection of service objects.

Objects make it easy to maintain policies because you can modify an object in one place and that change affects all the policies that use that object. Without objects, you would need to individually modify every policy that requires the same change. CDO calls objects with the same name and the same values on multiple devices shared objects. Shared objects are identified by this icon: badge_shared.png

Sometimes a shared object develops some issue and is no longer perfectly shared across multiple policies or devices:

  • Duplicate objects are two or more objects on the same device with different names but the same values. These objects usually serve similar purposes and are used by different policies. Duplicate objects are identified by this issue icon: badge_duplicate.png
  • Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with the same name and content, but over time the values of these objects diverge, which creates the inconsistency. Inconsistent objects are identified by this issue icon: badge_inconsistent.png
  • Unused objects are objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Unused objects are identified by this issue icon: badge_unused.png
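
The following added example (not CDO's code or API) applies the shared, duplicate, inconsistent, and unused definitions above to a small inventory. The device names, object names, values, and the `classify` function are constructed for illustration, and values are compared as literal strings.

```python
from collections import defaultdict

# Constructed sample inventory: device -> {object name: set of values}
INVENTORY = {
    "fw-east": {
        "web-servers": {"10.0.1.10", "10.0.1.11"},
        "dmz-web": {"10.0.1.10", "10.0.1.11"},        # same values, different name
        "dns": {"10.0.0.53"},
        "old-vpn-pool": {"172.16.9.1-172.16.9.254"},  # nothing references this
    },
    "fw-west": {
        "web-servers": {"10.0.1.10", "10.0.1.11"},
        "dns": {"10.0.0.53", "10.0.0.54"},            # diverged from fw-east
    },
}
# Constructed: names referenced by another object, an access list, or a NAT rule
REFERENCED = {
    "fw-east": {"web-servers", "dmz-web", "dns"},
    "fw-west": {"web-servers", "dns"},
}

def classify(inventory, referenced):
    """Label objects using the definitions given in the text above."""
    report = {"shared": set(), "inconsistent": set(), "duplicate": {}, "unused": {}}
    by_name = defaultdict(dict)  # object name -> {device: frozenset(values)}
    for device, objects in inventory.items():
        by_values = defaultdict(list)  # frozenset(values) -> names on this device
        for name, values in objects.items():
            key = frozenset(values)
            by_name[name][device] = key
            by_values[key].append(name)
        # Duplicate: same device, different names, same values
        report["duplicate"][device] = sorted(
            sorted(names) for names in by_values.values() if len(names) > 1)
        # Unused: present in the configuration but referenced by nothing
        report["unused"][device] = sorted(set(objects) - referenced.get(device, set()))
    for name, per_device in by_name.items():
        if len(per_device) < 2:
            continue  # shared and inconsistent both need two or more devices
        same = len(set(per_device.values())) == 1
        report["shared" if same else "inconsistent"].add(name)
    return report

if __name__ == "__main__":
    for label, found in classify(INVENTORY, REFERENCED).items():
        print(label, found)
```
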

You can view the objects managed by CDO by navigating to the Objects menu or by viewing them in the details of a network policy.

CDO allows you to manage network and service objects across supported devices from one location. With CDO, you can manage objects in these ways:

  • Search for and filter all your objects based on a variety of criteria.
  • Find duplicate, unused, and inconsistent objects on your devices and consolidate, delete, or resolve those object issues.  
  • Discover shared objects that are common across devices.
  • Evaluate the impact of changes to an object on a set of policies and devices before committing the change.
  • Compare a set of objects and their relationships with different policies and devices.
  • Capture objects in use by a device after it has been onboarded to CDO.

