July 18, 2019
July 11, 2019
Firepower Threat Defense Support
CDO makes support for Firepower Threat Defense firewalls generally available!
CDO is designed for firewall administrators who want a simplified management interface and cloud-access to their Firepower Threat Defense devices. Firepower Device Manager (FDM) administrators will notice many similarities between the FDM interface and the CDO interface. We built CDO with the idea of keeping things as consistent as possible between managers.
CDO can now manage Firepower Threat Defense (FTD) devices running FTD version 6.4.0 and later when it is installed on the ASA 5508-x, ASA 5515-x, ASA 5516-x, ASA 5525-x, ASA 5545-x, ASA 5555-x, the FTD 2100 series devices, the FTD 1000 series devices, or virtual FTD devices.
Use CDO to manage these aspects of your physical or virtual Firepower Threat Defense (FTD) device:
- Device management
- Device upgrade
- Interface Management
- Security Policies
- Promote policy and configuration consistency
- Change tracking
- Monitoring your network
All CDO FTD PIDs are orderable in CCW, including for the Firepower 1000 series and Virtual FTD. The PIDs are platform specific, but common for ASA and FTD. Please consult our ordering guide in Salesconnect for more details.
For more information about the features we support, review Managing Firepower Threat Defense with Cisco Defense Orchestrator.
Meraki MX Support
CDO now manages Meraki MX Firewall Policies!
Meraki MX is an enterprise security and software-defined wide-area-network (SD-WAN) next-generation firewall appliance designed for distributed deployments. You can now manage layer 3 network rules on Meraki MX devices using Cisco Defense Orchestrator.
CDO helps you optimize your Meraki environment by identifying problems with objects and policies and giving you ways to fix them. This applies to policies that are associated with both devices and templates. Use CDO to:
- Simultaneously manage policies on one or more Meraki devices
- Monitor and manage Meraki policies or templates alongside your FTD and ASA devices in an all-encompassing environment.
- Use a Meraki template to manage multiple networks.
- Customize access rules with objects that are compatible across other supported platforms, such as FTD and ASA devices.
- Reuse ASA and FTD objects in Meraki policies.
See Managing Meraki MX with Cisco Defense Orchestrator for more information.
Updated GUI Navigation
Navigating CDO's UI just got easier.
The policy menu in the navigation bar now guides you to policies grouped by device or function. We only expose the menu paths you need to reach the policies that currently exist on your tenant.
All of FTD's monitoring capabilities are grouped in the Events & Monitoring area of the navigation bar. The Monitoring menu shows you Network Reports and Threats.
Device Connectivity Troubleshooting
This tool allows you to test or troubleshoot connectivity issues between the Secure Device Connector (SDC) and any of your devices. You may want to test this connectivity if your device fails to on-board or if you want to determine, before on-boarding, if CDO can reach your device. See Troubleshoot Device Connectivity with Secure Device Connector for more information.
You can Help us Improve the CDO User Experience
We want to know about your CDO user experience and we now have an easy way for you to tell us. We've added a Provide Feedback button to our Help menu so you can give us your feedback without leaving the CDO portal. Tell us what you like and what we can improve on.
When you leave us your feedback, tell us your role in your company. Are you in the network operations center, the security operations center, or are you in the I-do-it-all-IT-center? Tell us what task you're trying to complete. Are you trying to edit a security policy or find something in the change log?
Here's how to leave us your feedback:
- Log in to CDO.
- Next to your tenant and account name, click the help button and select Provide Feedback.
- Enter your feedback and click Send Email. This generates an email to firstname.lastname@example.org in your local mail server that you must manually send.
A member of our support staff will respond as soon as possible.
Resolution to Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
The Cisco Product Security Incident Response Team (PSIRT) published the security advisory cisco-sa-20190215-runc which describes a high-severity vulnerability in Docker. Read the entire PSIRT team advisory for a full explanation of the vulnerability.
This vulnerability impacts all CDO customers:
- Customers using CDO's cloud-deployed Secure Device Connector (SDC) do not need to do anything as the remediation steps have already been performed by the CDO Operations Team.
- Customers using an SDC deployed on-premise need to upgrade their SDC host to use the latest Docker version.
See Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc for instructions on how to update a CDO-standard SDC host and a custom SDC host.
Add Labels when Bulk Onboarding ASA Devices
You can now specify custom device labels when bulk onboarding your ASA devices. See Onboard ASAs in Bulk for more information.
Cisco IOS Device Support
Cisco Defense Orchestrator (CDO) allows you to manage Cisco IOS devices. These are the features we support for those devices:
- Onboarding Cisco IOS devices
- View the device configuration
- Read policy and configuration changes from device
- Detect out-of-band changes
- Command line interface support
- Individual CLI commands and groups of commands can be turned into editable and reusable "macros"
- Detect and manage SSH fingerprint changes
- View changes to IOS devices in the Change Log
Schedule Automatic Deployments
After making configuration changes for one or more devices using CDO, you can now schedule the deployment of those changes to those devices at a date and time that is convenient for you. For example, you can schedule the deployments to occur during your maintenance window or during a time of low network traffic.
See Enable the Option to Schedule Automatic Deployments and Schedule Automatic Deployments for more information.
Terminology Change: CDO "Deploys" Changes to the Devices it Manages
We updated the terminology we use to describe transferring changes you made on CDO's local copy of a device's configuration to the device itself. We previously used the word "write" to describe that transfer; now we use the word "deploy".
As you manage and make changes to a device's configuration with CDO, CDO saves the changes you make to its own copy of the configuration file. Those changes are considered "staged" on CDO until they are "deployed" to the device. Staged configuration changes have no effect on the network traffic running through the device. Only after CDO "deploys" the changes to the device do they have an effect on the traffic running through the device. When CDO deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not overwrite the entire configuration file stored on the device.