Skip to main content

 

 

Cisco Defense Orchestrator

Object Overrides

An object override allows you to override the value of a shared network object on specific devices. CDO uses the corresponding value for the devices that you specify when configuring the override. Although the objects are on two or more devices with the same name but different values, CDO doesn’t identify them as "Inconsistent objects" only because these values are added as overrides.

You can create an object whose definition works for most devices, and then use overrides to specify modifications to the object for the few devices that need different definitions. You can also create an object that needs to be overridden for all devices, but its use allows you to create a single policy for all devices. Object overrides allow you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices. 

For example, consider a scenario where you have a printer server in each of your offices, and you have created a printer server object “print-server”. You have a rule in your ACL to deny printer servers from accessing the internet. The printer server object has a default value that you want to change from one office to another. You can do this by using object overrides and maintain rule and “printer-server” object consistent across all locations, although their values may be different.

Note: CDO allows you to override objects associated with the rules in a ruleset. When you add a new object to a rule, you can override it only after you attach a device to the ruleset and save the changes. See Configure Rulesets for an FTD for more information.

Note: If there are inconsistent objects, you can combine them into a single shared object with overrides. See Resolve Inconsistent Object Issues for more information. 

Add Object Overrides to a Shared Network Object

  1. In the CDO navigation bar on the left, click Objects
  2. Locate the shared network object you want to edit by using object filters and search field.
  3. Select the shared network object and click the edit icon edit.png in the Actions pane. 
    • The Devices field shows the devices the shared object is present. 
    • The Usage field shows the rulesets associated with the shared object.
    • The Default Value field specifies the default value of the shared object that was provided during its creation. Next to this field, you can see the number of devices that contain this default value, and you can click to see their names and device types. You can also see the rulesets associated with this value. 
  4. In the Override Values field, enter the alternate value of the object and click Add Value.
  5. Click Add Value to add a new value to the shared network object.
  6. In the Devices column, click on the cell associated with the newly added object and click Add Devices.
  7. Select the devices that you want and click OK
  8. Click Save.
    CDO displays the devices that will be affected by the change.
  9. Click Confirm to finalize the change to the object and any devices affected by it. 
    You can see "Overrides" labels for those objects having alternate values. It also shows the total number of overrides present the object contains.
  10. Preview and Deploy Configuration Changes for All Devices.

Note: When you want to search objects with overrides, use the Override Values filter to narrow down your search results. 

Note: When you create a new network object, CDO auto assigns its value as an override to an existing shared network object with the same name. This is also applicable when a new device is onboarded to CDO.

The auto-assignment happens only when the following criteria are met: 

  1. The new network object must be assigned to a device.
  2. Only one shared object with the same name and type must be existing in the tenant.
  3. The shared object must already contain overrides.

Edit Object Overrides 

You can modify the value of an existing override as long as the object is present on the device.

  1. In the CDO navigation bar at the left, click Objects
  2. Locate the object having override you want to edit by using object filters and search field.
  3. Select the object having override and click the edit icon edit.png in the Actions pane. 
  4. Modify the override value:
    • Click the edit icon to modify the value.
    • Click on the cell in the Devices column in Override Values to assign new devices. You can select an already assigned device and click Remove Overrides to remove overrides on that device. 
    • Click UpArrow.JPG arrow in Override Values to push and make it as the default value of the shared object.
    • Click the delete icon next to the override you want to remove.
  5. Click Save.
    CDO displays the devices that will be affected by the change.
  6. Click Confirm to finalize the change to the object and any devices affected by it.
  7. Preview and Deploy Configuration Changes for All Devices.
  • Was this article helpful?