Skip to main content



Cisco Defense Orchestrator

Frequently Asked Questions (FAQ)

Cisco Defense Orchestrator

  • What is Cisco Defense Orchestrator?

The Cisco Defense Orchestrator (CDO) is a cloud-based multi-device manager that allows network operations staff to establish and maintain consistent security policies across Cisco security devices such as the Adaptive Security Appliance (ASA) and Cisco Firepower Next-Generation Firewalls (NGFW). 

CDO also manages other devices such as Cisco IOS devices, AWS virtual private clouds, and devices that can be reached by SSH. Because CDO can manage all these types of devices, your network operations staff can see them all in one portal and maintain them from one place. 


  • Is CDO Secure?
    • CDO offers end-to-end security for customer data through the following features:
      • Two-Factor Authentication
      • Authentication calls for APIs and database operations
      • Data isolation in flight and at rest
      • Separation of roles

CDO requires multi-factor authentication for users to connect to their cloud portal. Multi-factor authentication is a vital function needed to protect the identity of customers. 

All data, in flight and at rest, is encrypted. Communication from devices on customer premises and CDO is encrypted with SSL, and all customer-tenant data volumes are encrypted.

CDO's multi-tenant architecture isolates tenant data and encrypts traffic between databases and application servers. When users authenticate to gain access to CDO, they receive a token. This token is used to fetch a key from a key-management service, and the key is used to encrypt traffic to the database.

CDO provides value to customers quickly while making sure customer credentials are secured. This is achieved by deploying a "Secure Data Connector" in the cloud or a customer's own network (in roadmap) that controls all inbound and outbound traffic to make sure the credential data doesn't leave the customer premises.

I received the error "Could not validate your OTP" when logging into CDO for the first time

  • Check that your desktop or mobile device clock is synchronized with a world time server. Clocks being out of sync by less or more than a minute can cause incorrect OTPs to be generated.


  • Should I create dedicated CDO accounts on my devices?
    • Yes. It is recommended that new accounts be created for CDO access rather than reuse existing admin accounts.
  • Is my device connected directly to Cisco Defense Orchestrator cloud platform?

    • Yes. The secured connection is performed using the CDO SDC which is used as a proxy between the device and CDO platform. CDO architecture, designed with security first in mind, enables having complete separation between data traversing back and forth to the device.

  • How can I connect a device which does not have a public IP address?

    • You can leverage CDO On-Premises Secure Device Connector which can be deployed within your data center and doesn’t need any outside port to be open. Once the On-premises SDC is deployed you can onboard devices with internal (non-internet routable) IP addresses.

  • Is using the On-Premises Secure Device Connector require any additional cost or license?

    • No.

  • Are there any performance limitation with using either the cloud or on-premises Secure Device Connector?

    • No. both the cloud and on-premises SDCs uses the same code base and one should not have any limitation over the other.

  • What types of Virtual Private Network are currently supported with CDO?

    • For ASA customers, CDO supports IPsec Site-to-Site VPN tunnel management only. Stay tuned for updates to our What’s New page!

  • How can I check the tunnel status? State options

    • CDO performs the tunnel connectivity checks automatically every hour, however ad-hoc VPN tunnel connectivity checks can be performed by choosing a tunnel and requesting to check connectivity. Results may take several seconds to process.

  • Can I search a tunnel based on the device name as well as its IP address of one of its peers?

    • Yes. Search and pivot to a specific VPN tunnel details by using available filters and search capabilities on both name and the peers IP addresses.

Terminologies and Definitions used in Low-Touch Provisioning

  • Claimed - Used in the context of serial number onboarding in CDO. A device is "claimed" if its serial number has been onboarded to a CDO tenant.
  • Parked - Used in the context of serial number onboarding in CDO. A device is "parked" if it has connected to the Cisco Cloud, and a CDO tenant has not claimed its serial number.
  • Initial provisioning - Used in the context of the initial FTD setup. During this phase, the device accepts EULA, creates a new password, configures management IP address, sets FQDN, sets DNS servers, and chooses to manage the device locally with FDM. 
  • Low-touch provisioning - It is the process of shipping an FTD from the factory to a customer site (typically a branch office), an employee at the site connects the FTD to their network, and the device contacts the Cisco Cloud. At that point, the device is onboarded to CDO tenant if its serial number has already been “claimed,” or the FTD is “parked” in the Cisco cloud until a CDO tenant claims it.
  • Serial number onboarding - It is the process of onboarding an FTD using its serial number that has already been configured (installed and setup). 

Policy Optimization

  • How can I identify a case when two or more access lists (within the same access group) are shadowing each other?
    • Cisco Defense Orchestrator Network Policy Management (NPM) is able to identify and alert the user if within a rule set, a rule higher in order, is shadowing a different rule. User can either navigate between all network policies or filter to identify all shadow issues. For more information, see Network Policy Management.

Note: Cisco Defense Orchestrator supports only fully shadowed rules.


  • What is required to connect my devices to the CDO cloud-based Secure Device Connector?
    • ASDM image present and enabled for ASA.
    • Public interface access to,,
    • ASA's HTTPS port must be set to 443 or to a value of 1024 or higher. For example, it cannot be set to port 636.
    • If the ASA under management is also configured to accept AnyConnect VPN Client connections, the ASA HTTPS port must be changed to a value of 1024 or higher.
  • The Secure Device Connector changed IP address, but this was not reflected within CDO. What can I do to reflect the change?
    • In order to obtain and update the new Secure Device Connector (SDC) within CDO, you will need to restart the container using the following commands
      Stop Docker deamon > #service docker  stop
      Change IP address
      Start Docker deamon > #service docker start
      Restart container on the SDC virtual appliance > bash-4.2$ ./cdo/toolkit/ restartSDC <tenant-name>
  • What happens if the IP address used by CDO to manage my Firepower Threat Defense Device (FTD) or Adaptive Security Appliance (ASA) changes?


  • While performing complete deploy of device configuration from CDO to managed device, I get a warning “Cannot deploy changes to device”. What can I do to solve that?
    • If an error occurrs when you deploy a full configuration (changes performed beyond CDO supported commands) to the device, click "Check for changes" to pull the latest available configuration from device. This may solve the problem and you will be able to continue making changes on CDO and deploy them. In case the issue persist, please contact Cisco TAC from the Contact Support page.

  • While resolving out-of-band issue (changes performed outside of CDO; directly to a device), comparing the configuration present in CDO that of the device, CDO presents additional metadata that were not added or modified by me. Why?

    • As CDO expands its functionality, additional information will be collected from the device’s configuration to enrich and maintain all required data for better policy and device management analysis. These are not changes that occurred on managed device but already existing information. Resolving the conflict detected state can be easily solved by checking for changes from the device and reviewing the changes occurred.

  • CDO is rejecting my cerificate. What can I do about it? 


  • What is an Adaptive Security Appliance (ASA)?
    • The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality in one device as well as integrated services with add-on modules. The ASA includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), clustering (combining multiple firewalls into a single firewall), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPsec VPN, SSL VPN, and clientless SSL VPN support, and many more features. ASAs can be installed on virtual machines or supported hardware.
  • What is an ASA Model?
    • An ASA model is a copy of the running configuration file of an ASA device that you have onboarded to CDO. You can use an ASA model to analyze the configuration of an ASA device without onboarding the device itself.

  • What is Firepower Threat Defense (FTD)
    • Cisco's next generation firewall software image. It strives to combine the best of Sourcefire next generation firewall services and the ASA platform. It can be installed on a number of different Firepower hardware devices or virtual machines. This is not the same as an ASA FirePOWER module. See ASA Software and Hardware Support for more information.
  • What is Firepower Device Manager (FDM)
    • Firepower Device Manager is Firepower Threat Defense management software delivered with the FTD image. FDM is designed to manage the one FTD it is delivered with. You may also hear FDM referred to as the "local device manager."  
  • What is Firepower?
    • Firepower is a general term that refers to a group of next generation firewall hardware and software. 
  • When is a device Synced?
    • When the configuration on CDO and the configuration stored locally on the device are the same.  
  • When is a device Not Synced? 
    • When the configuration stored in CDO was changed and it is now different that the configuration stored locally on the device.
  • When is a device in a Conflict Detected state? 
    • When the configuration on the device was changed outside of CDO (out-of-band), and is now different than the configuration stored on CDO.
  • What is an out-of-band change?
    • When a change is made to the device outside of CDO. The change is made directly on the device using CLI command or by using the on-device manager such as ASDM or FDM. An out-of-band change causes CDO to report a "Conflict Detected" state for the device. 
  • What does it mean to deploy a change to a device?
  • What ASA commands are currently supported?
  • Are there any scale limitations for device management?
    • CDO's cloud architecture allows it to scale to thousands of devices.
  • Does CDO manage Cisco Integrated Services Routers and Aggregation Services Routers?
    • CDO allows you to create a model device for ISRs and ASRs and import its configuration. You can then create templates based on the imported configurations and export the configuration as a standardized configuration that can be deployed to new or existing ISR and ASR devices for consistent security.
  • Can CDO manage SMA?
    • No, CDO does not currently manage SMA.

If you cannot find the answers to your questions here, please contact Cisco TAC from the Contact Support page. 

  • Was this article helpful?