Skip to main content



Cisco Defense Orchestrator

Welcome to Cisco Defense Orchestrator

About Cisco Defense Orchestrator

Cisco Defense Orchestrator (CDO) is a cloud-based multi-device manager that facilitates management of security policies in highly distributed environments to achieve consistent policy implementation. 

CDO helps you optimize your security policies by identifying inconsistencies with them and by giving you tools to fix them. CDO gives you ways to share objects and policies, as well as make configuration templates, to promote policy consistency across devices. 

Because CDO coexists with local device managers such as the Adaptive Security Device Manager (ASDM), Firepower Device Manager (FDM), and SSH connections, it keeps track of configuration changes made by CDO and by other managers. It then helps you compare changes so you are confident that you are implementing the changes you want. 

CDO has an intuitive user interface that allows you to manage a wide range of devices in one place. Advanced users will also find their traditional CLI interface with some new enhancements to make management even more efficient for them. 

The CDO Dashboard

The CDO dashboards gives you a quick overview of your tenant.


The Secure Device Connector

CDO communicates with your managed devices using a proxy called Secure Device Connector (SDC). Each tenant has its own dedicated SDC.

The SDC monitors CDO for commands and messages that need to be executed on your managed devices and monitors the managed devices for messages that need to be sent to CDO. SDC executes the commands on behalf of CDO and sends messages to CDO on behalf of the managed devices. 

When you onboard a device to CDO, the device's login credentials are encrypted and stored on the SDC. Only the SDC has access to the device credentials, not CDO. 

Cloud SDC and On-Premise SDC

When your tenant is first created, either the CDO operations team creates an SDC for you on an AWS instance (in the cloud) or you install an SDC somewhere in your enterprise (on-premise). The on-premise SDC may be installed on an appliance or as a virtual machine on a hypervisor.

The differences between the cloud-SDC and the on-premise SDC are in what features they support. At this time, the on-premise supports logging. The cloud-SDC does not.

Important: Consider carefully the SDC you choose to install. It is possible to switch from one type of SDC to another but you will have to remove all your managed devices to do it. 

Getting Started

Initialize your CDO Account

Contact us at We ask you to fill out this questionnaire about your network environment, what kind of Secure Device Connector (SDC) is right for you, and what are your primary use cases. We create a tenant in our cloud infrastructure for you and help you create a SDC which enables your devices to communicate with CDO. After that, onboard your devices to CDO and see them all in the Devices & Services page. 

If you have any questions about the account initialization process or how to complete our questionnaire, email

Onboard Devices

Before you onboard a device, make sure that you have successfully completed the installation wizard and licensed the device. Then use CDO's onboarding wizard to onboard your device. CDO can easily manage large deployments.


Manage your Devices with CDO

Learn how CDO can manage these devices: 

For a complete list of devices that CDO supports and manages, see Software and Hardware Supported by CDO.

  • Was this article helpful?