Cisco Defense Orchestrator

FTD Templates

About FTD Templates

CDO allows you to create a Firepower Threat Defense (FTD) template of an onboarded FTD device's configuration. When you are creating the template, select the parts (objects, policies, settings, interfaces, and NAT) that you want to include in your FTD template. You can then modify that template and use it to configure other FTD devices you manage. FTD templates are a way to promote policy consistency between your FTD devices.

When creating the FTD template, you can create either a complete or a custom template:

  • A complete template includes all parts of the FTD configuration and applies all of them to other FTD devices.
  • A custom template includes only the parts of the FTD configuration that you select (one or more) and applies only those parts and their associated entities to other FTD devices.

Important: The FTD template will not include certificate, RADIUS, Active Directory, and RA VPN objects.

How You Could Use FTD Templates

Here are some ways that you could use FTD templates:

  • Configure one FTD by applying another FTD's configuration template to it. The template you apply may represent a "best practice" configuration that you want to use on all your FTD devices.
  • Use the template to make device configuration changes and simulate them in a lab environment, testing their functionality before applying those changes to a live FTD device.
  • Parameterize the attributes of the interfaces and subinterfaces when creating a template. You can change the parameterized values of interfaces and subinterfaces at the time of applying the template.

What You Will See in the Change Log

When you apply a template to a device, you overwrite the entire configuration of that device. The CDO change log records every change made as a result, so change log entries will be very long after you apply a template to a device.

FTD Templates and Snort 3

Templates derived from a device with Snort 3 enabled can only be applied to devices that also have Snort 3 enabled. Because Snort 2 and Snort 3 differ in the rules they support and process, a template configured for Snort 2 cannot fully support and protect a device running Snort 3. See Switching from Snort 2 to Snort 3 for more information.

