
Cisco Defense Orchestrator

Manage Security Group Rules

Edit a Security Group Rule

Use this procedure to edit an access control rule for an AWS VPC using CDO:

  1. Open the Devices & Services page.
  2. Select the AWS VPC whose access control policy you want to edit.
  3. In the Management pane at the right, select Policy.
  4. To edit an existing security group rule, select the rule and click the edit icon in the Actions pane. (Simple edits may also be performed inline without entering edit mode.) See AWS VPC Security Group Rules for rule limitations and exceptions.
  5. Click Save.
  6. Return to the Devices & Services page; the configuration status of the device you changed should now be "Not synced."
  7. Select the device and, in the Not Synced pane at the right, click Preview and Deploy...
  8. On the Pending Changes screen, review the changes:
  • Red rows indicate that something was deleted, green rows indicate that something was added, and blue rows indicate that something was modified in the AWS VPC. The Pending Changes screen also shows when the last deployment was made from CDO to the AWS VPC and who made it. The Pending Changes screen does not show when out-of-band changes were performed.
  • Changes are grouped by type. In this example there would be three changes, two of which were to create objects and one was to create an access rule. Clicking the change type jumps you to that section of the pending changes record.
  • The Deployed Version column shows the device's configuration prior to the change. The Pending Version column shows the change you are about to deploy to the AWS VPC. In this example, because we created everything, the Deployed Version field would be empty and the Pending Version column would have the description of the change you are about to make.
  9. If you are satisfied with the pending version, click Deploy Now. After the changes are deployed successfully, you can view the change log to confirm what was applied.

Caution: If the deployment fails, CDO attempts to return the state of the AWS VPC to what it was before you made the deployment attempt. This is done on a "best effort" basis. Because AWS doesn't maintain a "state," this rollback attempt could fail. In that case, you will have to log in to the AWS management console and manually return the AWS VPC to its previous configuration and then "read" the AWS VPC device configuration back to CDO. 

Delete a Security Group Rule

  1. Open the Devices & Services page.
  2. Select the AWS VPC whose access control policy you want to edit.
  3. In the Management pane at the right, select Policy.
  4. To delete a security group rule you no longer need, select the rule and click the remove icon in the Actions pane.
  5. Return to the Devices & Services page; the configuration status of the device you changed should now be "Not synced."
  6. Select the device and, in the Not Synced pane at the right, click Preview and Deploy...
  7. On the Pending Changes screen, review the changes:
  • Red rows indicate that something was deleted, green rows indicate that something was added, and blue rows indicate that something was modified in the AWS VPC. The Pending Changes screen also shows when the last deployment was made from CDO to the AWS VPC and who made it. The Pending Changes screen does not show when out-of-band changes were performed.
  • Changes are grouped by type. In this example there would be three changes, two of which were to create objects and one was to create an access rule. Clicking the change type jumps you to that section of the pending changes record.
  • The Deployed Version column shows the device's configuration prior to the change. The Pending Version column shows the change you are about to deploy to the AWS VPC. In this example, because we created everything, the Deployed Version field would be empty and the Pending Version column would have the description of the change you are about to make.
  8. If you are satisfied with the pending version, click Deploy Now. After the changes are deployed successfully, you can view the change log to confirm what was applied.

Caution: If the deployment fails, CDO attempts to return the state of the AWS VPC to what it was before you made the deployment attempt. This is done on a "best effort" basis. Because AWS doesn't maintain a "state," this rollback attempt could fail. In that case, you will have to log in to the AWS management console and manually return the AWS VPC to its previous configuration and then "read" the AWS VPC device configuration back to CDO. 
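Both the Pending Changes review (red, green and blue rows comparing the Deployed Version with the Pending Version) and the caution about a best-effort rollback come down to comparing two sets of security group rules. The following Python is an added example, not CDO's or AWS's own code: it models a rule as a dict identified by a constructed rule id, classifies the differences the way the Pending Changes screen colours them, and reuses the same comparison to check what drifted after a failed deployment so you know what to repair by hand before reading the configuration back into CDO.

```python
from typing import Dict, List, Tuple

Rule = Dict[str, object]

# Constructed sample data shaped like AWS security group rules. The rule ids
# (sgr-...) and addresses are made-up placeholders, not values from any account.
DEPLOYED: List[Rule] = [
    {"id": "sgr-0001", "direction": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"id": "sgr-0002", "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"id": "sgr-0003", "direction": "egress", "protocol": "-1", "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"},
]
PENDING: List[Rule] = [
    {"id": "sgr-0001", "direction": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"id": "sgr-0002", "direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},  # SSH source narrowed
    {"id": "sgr-0004", "direction": "ingress", "protocol": "tcp", "from_port": 8080, "to_port": 8080, "cidr": "10.0.0.0/16"},  # new rule
]
# sgr-0003 (the egress rule) is absent from PENDING, so it counts as deleted.


def pending_changes(deployed: List[Rule], pending: List[Rule]) -> Tuple[List[str], List[str], List[str]]:
    """Return (deleted, added, modified) rule ids: the red, green and blue rows
    of the Pending Changes screen. Rules are matched by id; a rule present on
    both sides with any differing attribute counts as modified."""
    before = {r["id"]: r for r in deployed}
    after = {r["id"]: r for r in pending}
    deleted = sorted(before.keys() - after.keys())
    added = sorted(after.keys() - before.keys())
    modified = sorted(i for i in before.keys() & after.keys() if before[i] != after[i])
    return deleted, added, modified


def rollback_drift(snapshot_before: List[Rule], actual_now: List[Rule]) -> Dict[str, List[str]]:
    """After a failed deployment, compare the pre-deployment snapshot with what
    the VPC actually holds. All-empty lists mean the best-effort rollback
    restored the previous state; anything else is what must be fixed manually
    in the AWS console before the configuration is read back into CDO."""
    deleted, added, modified = pending_changes(snapshot_before, actual_now)
    return {"missing": deleted, "unexpected": added, "altered": modified}


if __name__ == "__main__":
    deleted, added, modified = pending_changes(DEPLOYED, PENDING)
    for label, ids in (("red (deleted)", deleted), ("green (added)", added), ("blue (modified)", modified)):
        print(f"{label}: {ids}")
    # Simulate a rollback that did not undo anything: the drift is the whole change set.
    print("drift after failed rollback:", rollback_drift(DEPLOYED, PENDING))
```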
