January 14, 2021
These are the features and improvements added to CDO this week.
Exporting CLI Command Results
You can export the results of CLI commands issued to a single device, or to several devices at once, to a comma-separated value (.csv) file so you can filter and sort the information in it however you like. See Export CLI Command Results for more information.
Configuring Cloud Services for your FTD Devices
Connecting to the Cisco Success Network and configuring which events are sent to the Cisco cloud are features that can be configured on FTD devices running software version 6.6 or higher.
Cisco Success Network
By enabling Cisco Success Network, you are providing usage information and statistics to Cisco to improve the FTD and to make you aware of unused or additional features that will help you maximize the value of Cisco products in your network. When you enable the Cisco Success Network, your device establishes a secure connection to the Cisco Cloud and maintains this secure connection at all times. See Connecting to the Cisco Success Network for more information.
Send Events Directly to Cisco Cloud
You can now specify which types of events you send from your FTD directly to the Cisco cloud. Once stored in the Cisco cloud, you can use cloud applications, such as Cisco Threat Response, to analyze the events and to evaluate threats that the device might have encountered. See Sending Events to the Cisco Cloud for more information.
Enabling web analytics provides anonymous product usage information to Cisco based on page hits. The information includes pages viewed, the time spent on a page, browser versions, product version, device hostname, and so forth. This information can help Cisco determine feature usage patterns and improve the product. All usage data is anonymous and no sensitive data is transmitted. See Enabling or Disabling Web Analytics for more information. You can use CDO to configure this feature on all versions of FTD.
January 7, 2021
FTD HA Pair Onboarding
CDO has enhanced the process of onboarding an FTD HA pair. Once you onboard one of the HA peers with either the registration token method or the login credentials method, CDO automatically detects that the corresponding peer is not onboarded yet and prompts you to take action. The improvement minimizes the effort required to onboard both devices, shortens how long it takes to onboard the peer device, and reuses any registration keys or smart license tokens you may have used to onboard the first device. See Onboard an FTD HA Pair with a Registration Key or Onboard an FTD HA Pair using Username, Password, and IP Address respectively for more information.
You can onboard either the active or the standby device, and once synced, CDO will always detect that the device is part of an HA pair.
Note: We strongly recommend onboarding your FTD devices with the registration token method.
December 17, 2020
CDO Public API
CDO has published its public API and provided you with documentation, examples, and a playground to try things out. The goal of our public API is to provide you with a simple and effective way to perform a lot of what you would normally be able to do in the CDO UI, but in code.
To use this API, you will need to know GraphQL. It is very easy to learn, and their official guide (https://graphql.org/learn/) provides a thorough, light read. We chose GraphQL because it is flexible, strongly typed, and auto-documenting.
To find the full schema documentation, simply go to the GraphQL Playground, and click on the docs tab on the right hand side of the page.
You can launch the CDO Public API by selecting it from the user menu.
December 10, 2020
Export FTD Configuration
You can now export the complete configuration of an FTD device as a CDO-readable JSON file. You can import this file as an FTD model (FTD template) on any CDO tenant that you manage. For more information, see Export FTD Configuration.
Adding Comments to FTD Rules
You can now add comments to rules in FTD policies and rulesets. Rule comments are only visible in CDO; they are not written to the FTD nor are they visible in FDM. See Adding Comments to Rules in FTD Policies and Rulesets for more information.
November 13, 2020
Low Touch Provisioning and Serial Number Onboarding
Low touch provisioning is a feature that allows a new factory-shipped or re-imaged Firepower 1000 or 2100 series device, running FTD software version 6.7 or later, to be plugged into your network, onboarded to CDO automatically, and then configured remotely. This eliminates many of the manual tasks involved in onboarding the device to CDO. The low touch provisioning process minimizes the need to log in to a physical device. It is intended for remote offices or other locations where your employees are less experienced working with networking devices.
Firepower 1000 and 2100 series devices with factory-installed FTD 6.7 images are expected to be orderable from Cisco at the end of calendar year 2020 or the beginning of calendar year 2021.
It is also possible to onboard an already-configured Firepower Threat Defense (FTD) device running version 6.7 or later to CDO using the device's serial number.
See these articles for more information:
Assigning Firepower Threat Defense Interfaces to Security Zones
You can now assign an FTD interface to a security zone to further classify and manage traffic. See Assign a Firepower Interface to a Security Zone for more information.
November 6, 2020
CDO Support for Firepower Threat Defense, Version 6.6.1 and 6.7
CDO now supports Firepower Threat Defense (FTD), versions 6.6.1 and 6.7. You can onboard a new FTD device running FTD 6.6.1 or 6.7, or use CDO to upgrade to those versions. CDO continues to support existing FTD features and these new FTD 6.7 features:
See Managing FTD with Cisco Defense Orchestrator for more information about the FTD features CDO currently supports.
CDO TLS Server Identity Discovery and TLS 1.3 in Version 6.7
You can now perform URL filtering and application control on traffic encrypted with TLS 1.3 by using information from the server certificate. You do not have to decrypt the traffic for this feature to work. For traffic encrypted with TLS 1.3 to match access rules that use application or URL filtering, the system must decrypt the TLS 1.3 certificate. We recommend that you enable TLS Server Identity Discovery in the managing UI, whether it is Firepower Device Manager (FDM) or Firepower Management Center (FMC), to ensure encrypted connections are matched to the right access control rule. See TLS Server Identity Discovery in Firepower Threat Defense for more information.
October 15, 2020
New User Roles
CDO now provides two additional user roles that divide the responsibilities of editing policies and deploying policies. The new Edit-Only role allows users to make configuration changes to devices, but they are not allowed to deploy those changes. The new Deploy-Only role allows users to deploy pending configuration changes, but they are not allowed to make configuration changes. For the full list of capabilities and limitations of these new roles, see User Roles.
October 2, 2020
FTD API Support
CDO now provides the API tool interface for executing Representational State Transfer (REST) Application Programming Interface (API) requests that perform advanced actions on an FTD device. Additionally, this interface provides the following features:
- Records a history of already executed API commands.
- Provides system-defined API macros that can be reused.
- Allows creating user-defined API macros using the standard API macros, from a command you have already executed, or another user-defined macro.
For more information about the FTD API tool, see Using FTD API Tool.
September 25, 2020
Multi-Tenant Portal Support
CDO now introduces a Multi-Tenant Portal that provides a consolidated view of devices from tenants across various regions. This view helps you glean information from your tenants in a single window. You can have the CDO support team create one or more portals based on your requirements.
- Provides the Device Details view, which provides the following information:
  - Shows device location, software version, onboarding method, and many more details for each device.
  - Allows you to manage the device on the CDO tenant page that owns that device.
  - Provides a link to sign in to the CDO tenant in a different region and manage that device.
- Exports the portal's information to a comma-separated value (.csv) file to analyze or send to someone who doesn't have access.
- Allows seamless addition of a new tenant using its API token.
- Allows switching between the portals without signing out from CDO.
For more information, see Manage Multi-Tenant Portal.
Secure Event Connector Support for Cloud-based Secure Device Connectors
Cisco Security Analytics and Logging (SaaS) customers can now install Secure Event Connectors when their Secure Device Connector is installed in the Cisco cloud. They no longer need to switch to an on-premises Secure Device Connector to configure Cisco Security Analytics and Logging.
See these topics for more information
September 17, 2020
Support for Multiple Secure Event Connectors
The Secure Event Connector (SEC) forwards events from ASAs and FTDs to the Cisco cloud so that you can view them in the Event Logging page and investigate them with Stealthwatch Cloud, depending on your Cisco Security Analytics and Logging licensing. Having more than one SEC allows you to install them in different locations and distribute the work of sending events to the Cisco cloud.
See these articles to learn how to install additional SECs on your tenant:
- Installing Multiple SECs, Using CDO Images, on Tenants with On-Premises SDCs
- Install Multiple SECs Using Your VM Image
Learn more about Cisco Security Analytics and Logging.
August 20, 2020
Firepower Management Center Support
CDO can now onboard a Firepower Management Center (FMC) running Version 6.4 or later and all of its managed devices. FMC support is limited to onboarding an FMC, viewing the devices it manages, and cross-launching to the FMC UI.
To review how CDO manages an FMC appliance, see Managing FMC with Cisco Defense Orchestrator.
To onboard an FMC, see Onboard an FMC.
To review supported FMC hardware and software versions, see Software and Hardware Support by CDO.
Customizable Event Filters
Cisco Security Analytics and Logging (SaaS) customers can create and save customized event filters on the Event Logging page for repeated use. See Customizable Event Filters for more information.
Improved Search Capabilities in the Event Logging Page
Cisco Security Analytics and Logging (SaaS) customers will now benefit from these improvements to the search capability on the Event Logging page:
- Click an element attribute to add it to the search field.
- Drag and drop columns on the Event Logging page to view your event information the way you want to.
- New AND NOT and OR NOT search operators in the Event Logging page provide more granular event search capability.
See Searching for and Filtering Events in the Event Logging Page for more information.
August 13, 2020
Custom Conflict Detected Polling Interval
You can now configure custom polling intervals per device, regardless of the device type or any previously configured polling intervals. This includes polling for device state and for any out-of-band changes. See Schedule Polling for Device Changes for more information.
Custom FTD Templates
You can now create a custom FTD template by selecting one or more parts (Access Rules, NAT Rules, Settings, Interfaces, and Objects) of an onboarded FTD device's configuration. Applying a custom template to other FTDs will retain, update, or remove the existing configuration based on the included parts. However, CDO still allows you to select all parts to create a complete template and apply it to other FTDs. See FTD Templates for more information.
July 30, 2020
CDO introduces “Object Overrides” that allow you to provide an alternate value for a shared network object, which the system uses for the devices that you specify. It enables you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices. Object override makes it possible to create an object that can be overridden on some or all devices that use it in a shared policy or ruleset.
To override an object, see Object Overrides.
Improved Network Group Wizard
The Network Group editing wizard has been improved to create new network objects instantly and modify the existing ones. It also allows you to add device-specific additional values to devices on which the shared network group is defined.
For more information about the improvements made to Network Group Wizard, see Create or Edit a Firepower Network Object or Network Group and Create or Edit ASA Network Objects and Network Groups.
July 9, 2020
Customize the RA VPN and Events Views
You can now customize the tables generated for Remote Access Virtual Private Network (RA VPN), as well as both live and historical event views. Organize and save the tables in the manner that best suits your needs and what is crucial to your portfolio. To customize the RA VPN view, see Monitor ASA and FTD Remote Access VPN. To customize the Events view, see Viewing Live and Historical Events in CDO.
July 2, 2020
You can now incorporate CDO into SecureX, which provides a summary of devices, policy, and applied objects per tenant to strengthen your visibility and automation across your security portfolio. See SecureX for more about how to incorporate CDO and SecureX.
Cisco Security Analytics and Logging Event Downloads
After filtering ASA and FTD events on the Event Logging page, you can now download your results in a compressed .CSV file.
- The events you add to a downloadable .CSV file are defined by a time range.
- A single .CSV file can accommodate up to approximately 50 GB of compressed information.
- Generation of downloadable files can be done in parallel.
- Once created, the .CSV files are stored in Cisco cloud and downloaded directly from there. These files do not consume any CDO/SWC server resources.
- Completed downloadable .CSV files are stored for 7 days and then deleted.
See Downloading Events for more information.
June 18, 2020
Firepower Threat Defense Executive Summary Report
You can now generate a custom Executive Summary Report on any or all of your onboarded Firepower Threat Defense (FTD) devices. The report displays a collection of operational statistics such as encrypted traffic, intercepted threats, detected web categories, and more. Read FTD Executive Summary Report for more information about what the report offers and how you can use it to improve your network infrastructure. To create and manage your reports, see Managing Reports.
Cisco Security Analytics and Logging Improvements
ASA Syslog and NSEL Events Support
Cisco Security Analytics and Logging has been greatly expanded to support logging events from ASAs!
- ASA logging: Security Analytics and Logging (SAL) now supports logging from any Cisco ASA Firewall, regardless of how it is managed. Users can choose to send ASA logs in syslog format, NetFlow Security Event Logs (NSEL) format, or both. Customers that want to enable logging analytics will be required to enable NSEL logs to provide the necessary telemetry for the higher-tier SAL licenses.
In addition to existing FTD logging, this makes CDO the first product in Cisco’s Security portfolio to truly aggregate and unify logging for Cisco’s entire firewall fleet.
See Cisco Security Analytics and Logging for ASA Devices and Implementing Cisco Security Analytics and Logging for ASA Devices for more information.
- Longer-term Storage and Download: Users can now opt-in to store logs for 1, 2, or 3 years when initially ordering SAL, or as an add-on later. Note that the default retention period of firewall logging remains 90 days. See Security Analytics and Logging Event Storage.
- Traffic Analysis: Both FTD connection-level logs and ASA (NSEL) logs can be run through SAL’s traffic analysis, and observations and alerts can be reviewed by cross-launching to Stealthwatch Cloud using SecureX Sign-On. ASA customers only logging syslog must switch to NSEL logs to enable traffic analytics. Customers acquiring Logging Analytics and Detection and Total Network Analytics and Detection licenses can provision and use a Stealthwatch Cloud portal for analysis at no extra charge. Stealthwatch Cloud detections include observations and alerts specifically enabled using firewall logging data, in addition to the other detections available to SAL users as part of Stealthwatch Cloud’s core capability. Existing Logging and Troubleshooting license holders can test the detection capabilities of higher licenses with no commitment for 30 days.
- Free Trials: You can start a no-commitment 30-day SAL trial for all licenses by filling out this form. This low-touch trial requires only a minimal set of on-prem connectors for exporting data to the cloud. You can use this trial to evaluate SAL capabilities, and estimate the data volume required to support production environments, as a precursor to purchasing the appropriate daily volume for SAL licenses. To this end, the SAL trial will not throttle data for most user volumes. In addition, an estimator tool helps you estimate SAL daily volume.
Improved Event Monitoring for Security Analytics and Logging
- The Event Logging page in CDO now provides filtering of ASA events by type. You can see all your syslog events or NSEL events separately or together.
- Many ASA syslog events are parsed, providing greater detail about the event. That detail can be used to analyze the event in SWC.
- You can customize your view of the Event Logging page by showing only the columns of information you want to see and by hiding the rest.
See Filtering Events in the Event Logging Page for more information.
June 4, 2020
Monitor and Terminate Remote Access VPN Sessions
You can now use CDO to monitor live AnyConnect Remote Access VPN sessions across all Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) VPN head-ends in your tenant. It gathers information on the total number of active VPN sessions, the currently connected users and sessions, and the volume of data received and transferred.
You can view the performance of each RA VPN head-end in your tenant, filter sessions by head-ends, and select the session properties that you want to view in the VPN monitoring table. Also, you can export the RA VPN sessions of one or more devices to a comma-separated value (.csv) file. See Export RA VPN Sessions to a CSV File for more information.
You can terminate all the active RA VPN sessions of a single user on an ASA, and terminate all active RA VPN sessions of all users on an ASA. See Disconnect Active RA VPN Sessions on ASA and Disconnect Active RA VPN Sessions on FTD for more information.
Open the Remote Access VPN Monitoring screen from the navigation bar by clicking VPN > Remote Access VPN Monitoring. See Monitoring ASA and FTD Remote Access VPN Sessions for more information.
AWS Virtual Private Cloud Management - Free Trial
What's New Tile
The CDO landing page now has a What's New tile to showcase the latest features and when CDO implemented those features. If there is a feature that interests you, click the title of the feature to read the documentation about that specific feature.
May 20, 2020
New API Only User
CDO now allows a Super Admin to create an "API Only User" that can be used to generate an API token for authenticating to CDO when making CDO REST API calls. This user account and the corresponding API token continue to function even after the original Super Admin departs your organization.
See Create API Only Users for more information.
May 7, 2020
Backup Firepower Threat Defense Devices
You can now use CDO to back up a Firepower Threat Defense's (FTD's) system configuration. With CDO you can:
- Back up devices on demand.
- Schedule recurring backups on a cadence from every day to every month, at the time you choose.
- Download backups and use Firepower Device Manager (FDM) to restore them.
See Backing Up FTDs for more information.
April 16, 2020
CDO Support for Devices Running Firepower Threat Defense 6.6.0
CDO now manages FTD 6.6.0 devices. These are the new aspects of support CDO provides:
- Onboarding a device running Firepower Threat Defense (FTD) 6.6.0.
- Upgrading FTD 6.4.x+ devices to FTD 6.6.0. Devices can be individual FTDs or FTDs configured in a high-availability pair. These caveats apply to upgrade support:
  - Upgrades for Firepower 4100 and Firepower 9300 devices are not currently supported.
  - Customers can upgrade to FTD 6.6.0 using the drop-down on the upgrade page in CDO.
- CDO continuously develops support for FTD features and releases new feature support as it is ready.
For more information about the FTD features CDO supports, review Managing Firepower Threat Defense with Cisco Defense Orchestrator.
See Firepower Threat Defense Support Specifics for a complete list of supported device types.
April 9, 2020
April 2, 2020
Improved License Management for Firepower Threat Defense Devices
Viewing FTD device license information, enabling and disabling licenses, and refreshing licenses is now all managed from a single button in the Device Actions pane on the Devices & Services page.
March 26, 2020
FTD Security Database Updates
CDO allows you to immediately update and, at the same time, schedule future updates for security databases when you onboard your FTD device. This feature updates the SRU, security intelligence (SI), vulnerability (VDB), and geolocation databases. Note that you can only schedule future updates as part of the onboarding process. See Update FTD Security Databases for more information.
Support for Port Ranges in FTD Service Objects
CDO now supports creating service objects (also referred to as port objects in FTD) that contain a range of port numbers. See Create a Firepower Service Object for more information.
March 24, 2020
Cisco Secure Sign-on Domain Migration
On Tuesday March 24, 2020, at 5pm Pacific Daylight Savings Time, the official domain for Cisco Security Single Sign-on solution was moved from https://security.cisco.com to https://sign-on.security.cisco.com.
We recommend that you update any saved links and update any password managers, so they are referencing the new URL.
This move will limit your access to CDO for a short period of time, but doesn’t limit your ability to perform updates using your local device managers or SSH connections.
If you experience any issues please contact Cisco TAC, who can provide you with technical support.
March 12, 2020
CDO introduces Rulesets for Firepower Threat Defense devices. A ruleset is a collection of access control rules that can be shared by multiple FTD devices. Any change made to the rules of a ruleset affects the other FTD devices that use the ruleset. An FTD policy can have both device-specific (local) and shared (rulesets) rules. You can also create rulesets from existing rules in an FTD device.
This feature is currently available for devices running Firepower Threat Defense 6.5 and later releases.
See FTD Rulesets for more information.
March 5, 2020
Copy or Move rules within an FTD Policy or to Another FTD Policy
It’s now possible to copy or move rules from the policy on one FTD to the policy on another FTD. We have also made it easier to move rules within an FTD policy so you can fine-tune the order in which rules evaluate network traffic.
AnyConnect Software Package Upload to FTD Version 6.5+
You can now use CDO's Remote Access VPN wizard to upload AnyConnect packages from a remote server to a Firepower Threat Defense (FTD) device running FTD 6.5 or later. Ensure that the remote server supports the HTTP or HTTPS protocol.
See Upload AnyConnect Software Packages to an FTD Device Running FTD Version 6.5 or Later for more information.
March 3, 2020
Terminology Update in CDO's Interface
In order to manage a device, Cisco Defense Orchestrator (CDO) must have a copy of the device's configuration stored in its own database. When CDO "reads" a configuration, it makes a copy of the configuration stored on the device and saves it to CDO's database. We have renamed some interface options to better describe what you are doing when you perform a read action. This is the new terminology:
- Check for Changes. If a device's configuration status is Synced, the Check for Changes link is available. Clicking Check for Changes directs CDO to compare its copy of the device's configuration with the configuration stored on the device. If there is a difference, CDO immediately overwrites its copy of the device's configuration with the copy stored on the device.
- Discard Changes. If a device's configuration is Not Synced, clicking Discard Changes deletes any changes CDO made to its copy of the device configuration and also overwrites it with a copy of the configuration found on the device.
- Accept Without Review. This action overwrites CDO's copy of a device's configuration with the copy of the configuration stored on the device. CDO does not prompt you to confirm the action.
See Reading, Discarding, Checking for, and Deploying Configuration Changes for more information.
February 6, 2020
January 22, 2020
Dynamic Peer Support for Site-to-Site Connections
You can now configure a site-to-site VPN tunnel between two peers when one peer's VPN interface has a dynamic IP address. This dynamic peer can be a managed FTD device or an Extranet device.
See Configure Site-to-Site VPN Connections with Dynamically-Addressed Peers for more information.
January 16, 2020
Improved Deployment Experience
CDO has improved its deployment workflow. An additional deployment icon is now visible throughout CDO. You no longer have to return to the Devices & Services page to deploy your configuration changes.
When the deployment icon shows an orange dot, at least one configuration change on at least one of the devices you manage with CDO is ready to be deployed.
See Review and Deploy Configuration Changes for All Devices for more information.
Cancelling Bulk Actions
You can now cancel any active bulk action you have taken on multiple devices. For example, assume you have tried to reconnect four managed devices and three of the devices have successfully reconnected but the fourth device has neither succeeded nor failed to reconnect. You can now go to the Jobs page, find the ongoing bulk action and click Cancel to stop the action.
CDO Support for Devices Running Firepower Threat Defense 6.5.0
CDO now manages FTD 6.5.0 devices. These are the aspects of support CDO provides:
- Onboarding a device running Firepower Threat Defense (FTD) 6.5.0.
- Support for additional Firepower series devices such as the Firepower 4100 and Firepower 9300.
- Support for a virtual FTD instance on Microsoft Azure.
- See Firepower Threat Defense Support Specifics for a complete list of supported device types.
- Upgrading FTD 6.4.x devices to FTD 6.5.0. Devices can be individual FTDs or FTDs configured in a high-availability pair. These caveats apply to upgrade support:
  - Upgrading an HA pair is not supported for FTDs running 6.5.0 if the device is using a data interface for management.
  - Upgrades on Firepower 4100 and Firepower 9300 devices are not currently supported.
  - Customers will be able to upgrade to FTD 6.5.0 using the drop-down on the upgrade page in CDO. The link provided to the device for the 6.5 image download is an HTTP link. This may mean that the image download takes slightly longer than it would over HTTPS. In addition, if outbound HTTP traffic from the FTD is blocked, the image download will fail.
- When FTD 6.5.0 is installed on a Firepower 1010, you can configure interfaces to run as regular firewall interfaces or as Layer 2 hardware switch ports. At this time, switch mode support in CDO is read-only. To create or modify an interface for switch port mode, use the FDM console. CDO continues to develop its support for switch port mode on Firepower 1010s and will announce full support in What's New when it is available.
- When you onboard an FTD 6.5.0 device using a registration token, you can send connection events, file and malware events, and intrusion events directly to the Cisco cloud without using a Secure Event Connector. See Implementing Cisco Security Analytics and Logging.
- Continued support for FTD 6.4.x features. CDO is continuously developing support for FTD 6.5 features and will release support as it is ready.
For more information about the FTD features CDO supports, review Managing Firepower Threat Defense with Cisco Defense Orchestrator.
IKEv1 Support for Site to Site VPN Connections
CDO now supports creating site-to-site VPN tunnels using Internet Key Exchange version 1 (IKEv1). This lets you configure site-to-site VPN on legacy firewalls that do not support Internet Key Exchange version 2 (IKEv2). Internet Key Exchange (IKE) is a key management protocol used for authenticating IPsec peers, negotiating and distributing IPsec encryption keys, and automatically establishing IPsec security associations (SAs).
See Site-to-Site Virtual Private Network for more information.
Firepower Threat Defense Template Improvements
CDO now allows you to parameterize some aspects of the FTD template to further customize templates. See Configure Firepower Threat Defense Templates for more information.
Smart License Management
You can now manage Cisco Smart Licenses for Firepower Threat Defense devices within CDO. Smart Licensing is conveniently built into our workflows and easily accessible from the CDO interface. You can now perform these Cisco Smart Licensing tasks within CDO:
- Apply a Smart License while onboarding an FTD device using a registration token
- View the licenses applied to a device
- Register the licenses with Cisco Smart Software Manager
- Enable and Disable different license types for your device
See Onboard a Firepower Threat Defense Device with a Registration Token and Smart-licensing an Onboarded FTD for more information.
Amazon Web Services Support
CDO now manages AWS VPC!
Amazon Web Services (AWS) Virtual Private Cloud (VPC) is a commercial cloud computing service that provides a virtual private cloud associated with your AWS account; this network closely resembles a traditional network that you would operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
CDO helps you optimize your AWS VPC by identifying problems with objects and rules and gives you ways to fix them. Use CDO to:
- Manage an AWS VPC environment along with your FTD or ASA devices.
- Simultaneously manage all security group rules associated with the AWS VPC.
- Create and customize security group rules with objects that are compatible across other supported platforms, such as FTD and ASA devices.
- View AWS VPC site-to-site VPN connections.
See Managing AWS with Cisco Defense Orchestrator for more information.
Migrate your ASAs to FTD Devices Using CDO
CDO helps you migrate your Adaptive Security Appliance (ASA) to a Firepower Threat Defense (FTD) device. CDO provides a wizard to help you migrate these elements of the ASA's running configuration to an FTD template:
- Access Control Rules (ACLs)
- Network Address Translation (NAT) rules
- Network objects and network group objects
- Service objects and service group objects
Once these elements of the ASA running configuration have been migrated to an FTD template, you can apply the FTD template to a new FTD device that is managed by CDO. The FTD device adopts the configuration defined in the template, so the FTD is now configured with those aspects of the ASA's running configuration.
See Migrating ASA to Firepower Threat Defense Using Cisco Defense Orchestrator for a full explanation of the process of migrating an ASA to an FTD using CDO.
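The wizard works on the element classes listed above, so it is worth knowing how they look in a running configuration before you start. The following is an added illustration, not CDO's migration code: it parses a constructed ASA configuration (SAMPLE_CONFIG is made up for this example) into those element classes and flags two things an engineer reviews before migrating, objects that nothing references and permit-ip-any-any rules, which migrate exactly as permissive as they were. The parser covers only the common `object`, `object-group`, `access-list ... extended` and `nat` forms shown in the sample, not the full ASA grammar.

```python
"""Inventory the ASA running-config elements the CDO migration wizard carries
to an FTD template: extended ACL entries, NAT rules, network objects and
groups, service objects and groups.

Added illustration, not CDO code. SAMPLE_CONFIG is a constructed ASA config;
the parser handles only the common forms it shows, not the full ASA grammar.
"""
from collections import Counter

SAMPLE_CONFIG = """\
object network WEB-SRV
 host 10.1.1.10
object network DMZ-NET
 subnet 10.2.0.0 255.255.0.0
object network UNUSED-HOST
 host 10.9.9.9
object-group network WEB-SERVERS
 network-object object WEB-SRV
 network-object host 10.1.1.11
object service HTTPS-SVC
 service tcp destination eq 443
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB-SERVERS object-group WEB-PORTS
access-list OUTSIDE_IN extended permit object HTTPS-SVC any object WEB-SRV
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source static DMZ-NET DMZ-NET
"""

# First two tokens of a top-level line -> inventory bucket for the block it opens.
OBJECT_KINDS = {
    ("object", "network"): "network_objects",
    ("object", "service"): "service_objects",
    ("object-group", "network"): "network_groups",
    ("object-group", "service"): "service_groups",
}
# Tokens that may follow `static`/`dynamic` in a NAT line without naming an object.
NAT_NON_OBJECT = {"any", "any4", "any6", "interface"}


def _acl_refs(toks):
    """Object names written as `object NAME` / `object-group NAME` in an ACE."""
    return [toks[i + 1] for i, t in enumerate(toks[:-1]) if t in ("object", "object-group")]


def _nat_refs(toks):
    """Object names used as real/mapped addresses after `static`/`dynamic` in a NAT line."""
    refs = []
    for i, t in enumerate(toks):
        if t in ("static", "dynamic"):
            refs += [c for c in toks[i + 1:i + 3] if c not in NAT_NON_OBJECT]
    return refs


def parse_asa(config):
    """Split an ASA running config into the element classes the wizard migrates."""
    inv = {kind: {} for kind in OBJECT_KINDS.values()}
    inv["acl"], inv["nat"] = [], []
    current = None  # (kind, name) of the object block whose indented lines follow
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented line: member of the open object block
            if current:
                kind, name = current
                inv[kind][name].append(raw.strip())
            continue
        current = None
        toks = raw.split()
        kind = OBJECT_KINDS.get((toks[0], toks[1])) if len(toks) > 2 else None
        if kind:
            inv[kind][toks[2]] = []
            current = (kind, toks[2])
        elif toks[0] == "access-list" and "extended" in toks:
            inv["acl"].append({"name": toks[1], "action": toks[3], "line": raw, "refs": _acl_refs(toks)})
        elif toks[0] == "nat":
            inv["nat"].append({"line": raw, "refs": _nat_refs(toks)})
    return inv


def migration_report(config):
    """Count what would be migrated; list objects nothing references (prune them
    first) and permit-ip-any-any ACEs (they migrate exactly as permissive)."""
    inv = parse_asa(config)
    referenced = Counter()
    for rule in inv["acl"] + inv["nat"]:
        referenced.update(rule["refs"])
    for members in list(inv["network_groups"].values()) + list(inv["service_groups"].values()):
        for member in members:
            mt = member.split()
            if mt[0] == "group-object":               # nested group reference
                referenced[mt[1]] += 1
            elif len(mt) > 2 and mt[1] == "object":   # network-object/service-object object NAME
                referenced[mt[2]] += 1
    defined = set()
    for kind in OBJECT_KINDS.values():
        defined |= set(inv[kind])
    permissive = [r["line"] for r in inv["acl"]
                  if r["action"] == "permit" and r["line"].split()[4:7] == ["ip", "any", "any"]]
    return {
        "counts": {k: len(v) for k, v in inv.items()},
        "unreferenced_objects": sorted(defined - set(referenced)),
        "permit_ip_any_any": permissive,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(migration_report(SAMPLE_CONFIG), indent=2))
```

Run against a real `show running-config` export, the report tells you how many objects and rules the wizard will carry over and which ones deserve cleanup before they are copied into the FTD template.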
Cisco Introduces a New Single Sign-On Solution using Cisco Secure Sign-On and Duo Multi-factor Authentication
CDO adopts this new solution and converts customer tenants to the Cisco Secure Sign-On identity provider (IdP) and Duo Security multi-factor authenticator.
With Cisco Secure Sign-On, you will benefit from:
- Strong and resilient identity: Security that meets the highest industry standards, including AICPA SOC 2, CSA-Star, and ISO 27001. It also supports segregated FedRAMP and HIPAA environments for customers.
- Duo Multi-Factor Authentication (MFA): Duo MFA integrated with Cisco Secure Sign-On means adaptive, layered, and simplified authentication. One push notification, one tap, instant access.
- A single sign-in for seamless workflows: Enter a single username and password to access all your applications, anywhere, and on any device, while maintaining context through workflows.
- A customized experience: Arrange your work apps on your Cisco Secure Sign-On dashboard any way you want. Tabs and a search bar help keep you organized.
If you sign in to CDO using your own single sign-on identity provider, this transition to Cisco Secure Sign-On and Duo does not affect you. You continue to use your own sign-on solution.
If you are in the middle of a free trial of CDO, this transition does affect you.
See these resources for more information
Cisco Security Analytics and Logging Including Integration with Stealthwatch Cloud
Cisco Security Analytics and Logging improves network visibility so you can quickly detect threats in real time and remediate incidents with confidence and at scale.
With Cisco Security Analytics and Logging you can capture connection, intrusion, file, malware, and Security Intelligence events from all of your Firepower Threat Defense (FTD) devices and view them in one place in CDO.
The events are stored in the Cisco cloud and are viewable from the Event Logging page in CDO, where you can filter and review them to understand which security rules are being triggered in your network. The Logging and Troubleshooting package provides these capabilities.
With the Firewall Analytics and Monitoring package, the system applies Stealthwatch Cloud dynamic entity modeling to your FTD events and uses behavioral modeling analytics to generate Stealthwatch Cloud observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your FTD events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to a Stealthwatch Cloud (SWC) portal provisioned for you, using Cisco Secure Sign-On.
Onboarding a Firepower Threat Defense Device with a Registration Token
You can now onboard your FTD device using a registration token rather than an IP address, username, and password. This is especially useful if your FTD receives its IP address from DHCP: if that address changes, the FTD remains connected to CDO. The FTD can also have a private address on your local area network; as long as it can reach the outside network, it can be onboarded with this method, because no inbound connectivity to the device is required.
This method of onboarding is currently available for FTD 6.4 releases and to customers connecting to defenseorchestrator.cisco.com. It is not yet available for customers connecting to defenseorchestrator.cisco.eu.
See Onboard a Firepower Threat Defense Device with a Registration Token for more information.
Cisco Security Analytics and Logging
Cisco Security Analytics and Logging improves network visibility so you can quickly detect threats in real time and remediate incidents with confidence and at scale. Learn more!
Remote Access VPN Support for Firepower Threat Defense
Remote Access (RA) VPN allows individuals to establish a secure connection to your network using supported laptop, desktop, and mobile devices. CDO provides an intuitive user interface for you to setup RA VPN on the Firepower Threat Defense (FTD) devices you have onboarded.
AnyConnect is the only client that is supported on endpoint devices for RA VPN connectivity.
CDO supports the following aspects of RA VPN functionality on FTD devices:
- Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) for privacy, authentication, and data integrity
- SSL client-based remote access
- IPv4 and IPv6 addressing
- Shared RA VPN configuration across multiple FTD devices
See Remote Access Virtual Private Network for more information.
See also, Managing Firepower Threat Defense with Cisco Defense Orchestrator for all the other ways CDO can manage your FTD devices.
Firepower Threat Defense High Availability Image Upgrade Support
You can now upgrade FTD HA pairs in CDO. When you upgrade a failover pair, CDO copies the desired upgrade image to both devices for you. CDO temporarily moves the primary device to active mode if it is not already, then upgrades the secondary device. Once the secondary device successfully upgrades, the primary device upgrades. The failover pair upgrades the devices one at a time to minimize network disruption.
To upgrade your failover pairs, see Upgrade a Firepower Threat Defense High Availability Pair.
Site-to-Site VPN for Firepower Threat Defense Devices
Site-to-Site VPN for Firepower Threat Defense devices is now generally available!
CDO allows you to establish secure connections between two sites in different geographic locations. These peers can have any mix of inside and outside IPv4 and IPv6 addresses. Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and Internet Key Exchange version 2 (IKEv2). After the VPN connection is established, the hosts behind the local gateway can connect to the hosts behind the remote gateway through the secure VPN tunnel. You can create site-to-site IPsec connections for the following scenarios for devices that are onboarded to CDO:
- Between two managed devices
- Between the managed device and other Cisco peers
- Between the managed device and third-party peers
Firepower Threat Defense High Availability Support
CDO makes high availability (HA) support for Firepower Threat Defense firewalls generally available! You can now onboard an existing HA pair or create an HA pair in CDO. HA configurations keep your network protected when a device is unavailable, for example during an upgrade or after an unexpected device failure: in failover mode, the standby device is already configured to become active, so if one device of the pair becomes unavailable, the other continues to handle traffic.
Most of the features supported for standalone FTD devices also support devices configured for HA. See Firepower Threat Defense High Availability for more information.
Coming soon... support for FTD HA upgrades. At the moment, if you need to upgrade your HA pair, you must execute the upgrade through the active device's FDM console.
Time Range Objects for ASA Devices
You can now customize the rules in your network policies with time range objects. These objects let a rule take effect once or on a recurring schedule, so you control when your network applies the rule to traffic. See Time Range Objects for more information.
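A rule bound to a time range is only as safe as your understanding of when it is active, and a one-time window that has lapsed leaves a rule in the configuration that no longer matches anything. The following is an added illustration, not CDO code: it parses the ASA `time-range` CLI statements (the `absolute` and `periodic` forms) from a constructed configuration (SAMPLE_CONFIG is made up for this example) and reports, for each access-list entry that carries a time range, whether the rule is active at a given moment. It supports `absolute [start HH:MM D Month YYYY] [end HH:MM D Month YYYY]` and same-day `periodic <days> HH:MM to HH:MM` statements, and rejects periods that cross midnight rather than mis-evaluating them.

```python
"""Evaluate ASA time-range objects against a point in time.

Added illustration, not CDO code. SAMPLE_CONFIG is a constructed ASA config.
Supported: `absolute [start HH:MM D Month YYYY] [end HH:MM D Month YYYY]` and
`periodic <days> HH:MM to HH:MM` (days: daily, weekdays, weekend, or weekday
names). Cross-midnight periods (`Monday 18:00 to Tuesday 06:00`) are rejected.
"""
from datetime import datetime

SAMPLE_CONFIG = """\
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
time-range MIGRATION-WINDOW
 absolute start 00:00 1 March 2021 end 23:59 31 March 2021
 periodic Saturday Sunday 01:00 to 05:00
access-list INSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 any eq 443 time-range BUSINESS-HOURS
access-list INSIDE_IN extended permit ip host 10.1.5.5 host 192.0.2.10 time-range MIGRATION-WINDOW
access-list INSIDE_IN extended deny ip any any log
"""

DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _parse_absolute(toks):
    """`start HH:MM D Month YYYY end HH:MM D Month YYYY`, either half optional."""
    start = end = None
    i = 0
    while i < len(toks):
        key = toks[i]
        if key not in ("start", "end"):
            raise ValueError(f"unexpected absolute keyword {key!r}")
        stamp = datetime.strptime(" ".join(toks[i + 1:i + 5]), "%H:%M %d %B %Y")
        if key == "start":
            start = stamp
        else:
            end = stamp
        i += 5
    return start, end


def _parse_periodic(toks):
    """`<days...> HH:MM to HH:MM` -> (weekday numbers, start minute, end minute)."""
    to_idx = toks.index("to")
    if len(toks) != to_idx + 2:
        raise ValueError("periodic ranges that cross midnight are not supported here")
    days = set()
    for d in toks[:to_idx - 1]:
        if d in DAY_GROUPS:
            days |= DAY_GROUPS[d]
        elif d in DAY_NAMES:
            days.add(DAY_NAMES.index(d))
        else:
            raise ValueError(f"unknown day specifier {d!r}")
    return days, _minutes(toks[to_idx - 1]), _minutes(toks[to_idx + 1])


def parse_time_ranges(config):
    """Return {name: {"absolute": (start|None, end|None), "periodic": [(days, lo, hi), ...]}}."""
    ranges, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("time-range "):
            current = line.split()[1]
            ranges[current] = {"absolute": (None, None), "periodic": []}
        elif not raw.startswith(" "):
            current = None  # any other top-level line closes the block
        elif current and line.startswith("absolute "):
            ranges[current]["absolute"] = _parse_absolute(line.split()[1:])
        elif current and line.startswith("periodic "):
            ranges[current]["periodic"].append(_parse_periodic(line.split()[1:]))
    return ranges


def is_active(time_range, when):
    """The absolute window bounds everything; inside it, at least one periodic
    statement must match, or, with no periodic statements, the range is active."""
    start, end = time_range["absolute"]
    if (start and when < start) or (end and when > end):
        return False
    if not time_range["periodic"]:
        return True
    minute = when.hour * 60 + when.minute  # end minute treated as inclusive (assumption)
    return any(when.weekday() in days and lo <= minute <= hi
               for days, lo, hi in time_range["periodic"])


def rule_states(config, when_iso):
    """Map each ACE that carries a time-range to whether it is active at `when_iso`
    (ISO 8601, e.g. "2021-03-13T02:30"), in configuration order."""
    ranges = parse_time_ranges(config)
    when = datetime.fromisoformat(when_iso)
    states = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list ") and " time-range " in line:
            name = line.split(" time-range ")[1].split()[0]
            states[line] = is_active(ranges[name], when)
    return states


if __name__ == "__main__":
    for ace, active in rule_states(SAMPLE_CONFIG, "2021-04-03T02:30").items():
        print("ACTIVE " if active else "inactive", ace)
```

Evaluating the sample at a Saturday in April shows the point of the check: the MIGRATION-WINDOW rule still sits in the configuration but its absolute window has lapsed, so it no longer matches traffic and should be removed rather than left to confuse the next reviewer.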
Firepower Threat Defense Support
CDO makes support for Firepower Threat Defense firewalls generally available!
CDO is designed for firewall administrators who want a simplified management interface and cloud access to their Firepower Threat Defense devices. Firepower Device Manager (FDM) administrators will notice many similarities between the FDM interface and the CDO interface; we built CDO to keep things as consistent as possible between the two managers.
CDO can now manage Firepower Threat Defense (FTD) devices running FTD version 6.4.0 and later when FTD is installed on the ASA 5508-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, the Firepower 2100 series, the Firepower 1000 series, or virtual FTD devices.
Use CDO to manage these aspects of your physical or virtual Firepower Threat Defense (FTD) device:
- Device management
- Device upgrade
- Interface Management
- Security Policies
- Promote policy and configuration consistency
- Change tracking
- Monitoring your network
All CDO FTD product IDs (PIDs) are orderable in Cisco Commerce Workspace (CCW), including those for the Firepower 1000 series and virtual FTD. The PIDs are platform specific but common to ASA and FTD. Consult our ordering guide in SalesConnect for more details.
For more information about the features we support, review Managing Firepower Threat Defense with Cisco Defense Orchestrator.
Meraki MX Support
CDO now manages Meraki MX Firewall Policies!
Meraki MX is an enterprise security and software-defined wide-area network (SD-WAN) next-generation firewall appliance designed for distributed deployments. You can now manage Layer 3 firewall rules on Meraki MX devices using Cisco Defense Orchestrator.
CDO helps you optimize your Meraki environment by identifying problems with objects and policies and gives you ways to fix them. This applies to policies associated with both devices and templates. Use CDO to:
- Simultaneously manage policies on one or more Meraki devices
- Monitor and manage Meraki policies or templates alongside your FTD and ASA devices in a single environment
- Use a Meraki template to manage multiple networks
- Customize access rules with objects that are compatible across other supported platforms, such as FTD and ASA devices
See Managing Meraki MX with Cisco Defense Orchestrator for more information.
Updated GUI Navigation
Navigating CDO's UI just got easier.
The policy menu in the navigation bar now guides you to policies grouped by device or function. We only expose the menu paths you need to reach the policies that currently exist on your tenant.
All of FTD's monitoring capabilities are grouped in the Events & Monitoring area of the navigation bar. The Monitoring menu shows you Network Reports and Threats.