Cisco Defense Orchestrator

Objects

An object is a container of information that you can use in one or more security policies. Objects make it easy to maintain policy consistency. You can create a single object, use it in different policies, modify the object, and that change is propagated to every policy that uses the object. Without objects, you would need to modify, individually, every policy that requires the same change.

When you onboard a device, CDO recognizes all the objects used by that device, saves them, and lists them on the Objects page. From the Objects page, you can edit existing objects and create new ones to use in your security policies.

CDO calls an object used on multiple devices a "shared object" and identifies such objects on the Objects page with the shared-object badge (badge_shared.png).

Sometimes a shared object develops some "issue" and is no longer perfectly shared across multiple policies or devices:

  • Duplicate objects are two or more objects on the same device with different names but the same values. These objects usually serve similar purposes and are used by different policies. Duplicate objects are identified by the duplicate issue icon (badge_duplicate.png).
  • Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with the same name and content, but over time the values of these objects diverge, which creates the inconsistency. Inconsistent objects are identified by the inconsistent issue icon (badge_inconsistent.png).
  • Unused objects are objects that exist in a device configuration but are not referenced by another object, an access list, or a NAT rule. Unused objects are identified by the unused issue icon (badge_unused.png).
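The three issue definitions above are precise enough to check mechanically. The script below is an added example, not CDO's own implementation: it builds a constructed inventory of network objects on three invented devices, together with the access lists and policies that reference them, and classifies duplicate, inconsistent and unused objects using exactly the rules the list gives (same device, different name, same values; same name across devices, different values; no reference on the device that holds the object). Device names, object names, addresses and rule names are all made up.

```python
"""Classify object issues the way the definitions above describe them.

Added example, not CDO code. The inventory and the references are
constructed; object names are unique per device, as on a real device.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetObject:
    device: str        # device the object is configured on
    name: str          # object name, unique within that device
    values: frozenset  # addresses/networks the object resolves to


# Constructed inventory: three devices and their network objects.
OBJECTS = [
    NetObject("asa-edge-1", "web-servers", frozenset({"10.1.1.10", "10.1.1.11"})),
    NetObject("asa-edge-1", "dmz-web", frozenset({"10.1.1.10", "10.1.1.11"})),  # same values as web-servers
    NetObject("asa-edge-1", "old-printer", frozenset({"10.9.9.9"})),           # referenced by nothing
    NetObject("ftd-branch-1", "web-servers", frozenset({"10.1.1.10", "10.1.1.11"})),
    NetObject("ftd-branch-2", "web-servers", frozenset({"10.1.1.10", "10.1.1.12"})),  # value drifted
]

# Constructed references: (device, referencing rule/policy/object, referenced object name)
REFERENCES = [
    ("asa-edge-1", "access-list outside_in", "web-servers"),
    ("asa-edge-1", "access-list outside_in", "dmz-web"),
    ("ftd-branch-1", "access-policy branch", "web-servers"),
    ("ftd-branch-2", "access-policy branch", "web-servers"),
]


def find_duplicates(objects):
    """Duplicates: same device, different names, identical values.

    Returns {(device, values): sorted object names} for every group of
    two or more names that share one value set on one device."""
    groups = defaultdict(set)
    for o in objects:
        groups[(o.device, o.values)].add(o.name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def find_inconsistent(objects):
    """Inconsistent: the same name on two or more devices with differing values.

    Returns {name: {device: sorted values}} so the drift is visible per device."""
    by_name = defaultdict(dict)
    for o in objects:
        by_name[o.name][o.device] = o.values
    return {
        name: {dev: sorted(vals) for dev, vals in per_device.items()}
        for name, per_device in by_name.items()
        if len(per_device) > 1 and len(set(per_device.values())) > 1
    }


def find_unused(objects, references):
    """Unused: present in a device configuration but referenced by no
    rule, policy or other object on that same device."""
    used = {(device, target) for device, _source, target in references}
    return sorted((o.device, o.name) for o in objects if (o.device, o.name) not in used)


if __name__ == "__main__":
    print("duplicates:", find_duplicates(OBJECTS))
    print("inconsistent:", find_inconsistent(OBJECTS))
    print("unused:", find_unused(OBJECTS, REFERENCES))
```

Note that the unused check is scoped per device: an object is only "used" if something on the device that holds it references it, which is why the same name being referenced on another device does not rescue it. The inconsistent check groups by name across devices and reports a name only when at least two distinct value sets exist, so two devices holding identical copies are shared objects, not an issue.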

You can view the objects managed by CDO by navigating to the Objects menu or by viewing them in the details of a network policy.

CDO allows you to manage network and service objects across supported devices from one location. With CDO, you can manage objects in these ways:

  • Search for and filter all your objects based on a variety of criteria.
  • Find duplicate, unused, and inconsistent objects on your devices and consolidate, delete, or resolve those object issues.
  • Discover shared objects that are common across devices.
  • Evaluate the impact of changes to an object on a set of policies and devices before committing the change.
  • Compare a set of objects and their relationships with different policies and devices.
  • Capture objects in use by a device after it has been onboarded to CDO.

Object Types

The following table describes the objects that you can create and manage using CDO.

Each entry lists the object, the device types it applies to, and a description.

Application Filter
  Device type: Firepower Threat Defense (FTD)
  Description: An application filter object defines the applications used in an IP connection, or a filter that defines applications by type, category, tag, risk, or business relevance. You can use these objects in policies to control traffic instead of using port specifications.

Certificate Filter
  Device type: Firepower Threat Defense (FTD)
  Description: Digital certificates provide digital identification for authentication. Certificates are used for SSL (Secure Sockets Layer), TLS (Transport Layer Security), and DTLS (Datagram TLS) connections, such as HTTPS and LDAPS.

Geolocation
  Device type: Firepower Threat Defense (FTD)
  Description: A geolocation object defines countries and continents that host the device that is the source or destination of traffic. You can use these objects in policies to control traffic instead of using IP addresses.

Network
  Device type: Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), Meraki
  Description: Network groups and network objects (collectively referred to as network objects) define the addresses of hosts or networks.

Security Zone
  Device type: Firepower Threat Defense (FTD)
  Description: A security zone is a grouping of interfaces. Zones divide the network into segments to help you manage and classify traffic.

Service
  Device type: Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), Meraki
  Description: Service objects, service groups, and port groups are reusable components that contain protocols or ports considered part of the TCP/IP protocol suite.

Syslog Server
  Device type: Firepower Threat Defense (FTD)
  Description: A syslog server object identifies a server that can receive connection-oriented or diagnostic system log (syslog) messages.