September 17, 2019
Onboarding a Firepower Threat Defense Device with a Registration Token
You can now onboard your FTD device using a registration token rather than using an IP address, username and password. This is especially beneficial if your FTD is assigned an IP address using DHCP. If that IP address changes for some reason, your FTD remains connected to CDO. Additionally, your FTD can have an address on your local area network, and as long as it can access the outside network it can be onboarded to CDO using this method.
This method of onboarding is currently available for FTD 6.4 releases and to customers connecting to defenseorchestrator.cisco.com. It is not yet available for customers connecting to defenseorchestrator.cisco.eu.
See Onboard a Firepower Threat Defense Device with a Registration Token for more information.
Cisco Security Analytics and Logging
Cisco Security Analytics and Logging improves network visibility so you can quickly detect threats in real time and remediate incidents with confidence and at scale. Learn more!
Remote Access VPN Support for Firepower Threat Defense
Remote Access (RA) VPN allows individuals to establish a secure connection to your network using supported laptop, desktop, and mobile devices. CDO provides an intuitive user interface for you to set up RA VPN on the Firepower Threat Defense (FTD) devices you have onboarded.
AnyConnect is the only client that is supported on endpoint devices for RA VPN connectivity.
CDO supports the following aspects of RA VPN functionality on FTD devices:
- Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) for privacy, authentication, and data integrity
- SSL client-based remote access
- IPv4 and IPv6 addressing
- Shared RA VPN configuration across multiple FTD devices
See Remote Access Virtual Private Network for more information.
See also Managing Firepower Threat Defense with Cisco Defense Orchestrator for all the other ways CDO can manage your FTD devices.
Firepower Threat Defense High Availability Image Upgrade Support
You can now upgrade FTD HA pairs in CDO. When you upgrade a failover pair, CDO copies the desired upgrade image to both devices for you. CDO temporarily moves the primary device to active mode if it is not already, then upgrades the secondary device. Once the secondary device successfully upgrades, the primary device upgrades. The failover pair upgrades the devices one at a time to minimize network disruption.
To upgrade your failover pairs, see Upgrade a Firepower Threat Defense High Availability Pair for more information.
Site-to-Site VPN for Firepower Threat Defense Devices
Site-to-Site VPN for Firepower Threat Defense devices is now generally available!
CDO allows you to establish secure connections between two sites in different geographic locations. These peers can have any mix of inside and outside IPv4 and IPv6 addresses. Site-to-site tunnels are built using the Internet Protocol Security (IPsec) protocol suite and Internet Key Exchange version 2 (IKEv2). After the VPN connection is established, the hosts behind the local gateway can connect to the hosts behind the remote gateway through the secure VPN tunnel. You can create site-to-site IPsec connections for the following scenarios for devices that are onboarded to CDO:
- Between two managed devices
- Between the managed device and other Cisco peers
- Between the managed device and third-party peers
Firepower Threat Defense High Availability Support
CDO makes high availability (HA) support for Firepower Threat Defense firewalls generally available! You can now onboard an existing HA pair or create an HA pair in CDO. HA configurations make it possible to maintain a secure network in scenarios where a device might be unavailable, such as during an upgrade period or an unexpected device failure; in failover mode, the standby device is already configured to become active, meaning that even if one of the HA devices becomes unavailable, the other device continues to handle traffic.
Most of the features supported for standalone FTD devices also support devices configured for HA. See Firepower Threat Defense High Availability for more information.
Coming soon... support for FTD HA upgrades. At the moment, if you need to upgrade your HA pair, you must execute the upgrade through the active device's FDM console.
Time Range Objects for ASA Devices
You can now customize the rules in your network policies with time range objects; these objects let you execute one-time or recurring rules and customize how your network handles traffic. See Time Range Objects for more information.
Firepower Threat Defense Support
CDO makes support for Firepower Threat Defense firewalls generally available!
CDO is designed for firewall administrators who want a simplified management interface and cloud access to their Firepower Threat Defense devices. Firepower Device Manager (FDM) administrators will notice many similarities between the FDM interface and the CDO interface. We built CDO with the idea of keeping things as consistent as possible between managers.
CDO can now manage Firepower Threat Defense (FTD) devices running FTD version 6.4.0 and later when it is installed on the ASA 5508-x, ASA 5515-x, ASA 5516-x, ASA 5525-x, ASA 5545-x, ASA 5555-x, the FTD 2100 series devices, the FTD 1000 series devices, or virtual FTD devices.
Use CDO to manage these aspects of your physical or virtual Firepower Threat Defense (FTD) device:
- Device management
- Device upgrade
- Interface Management
- Security Policies
- Promote policy and configuration consistency
- Change tracking
- Monitoring your network
All CDO FTD PIDs are orderable in CCW, including for the Firepower 1000 series and Virtual FTD. The PIDs are platform specific, but common for ASA and FTD. Please consult our ordering guide in Salesconnect for more details.
For more information about the features we support, review Managing Firepower Threat Defense with Cisco Defense Orchestrator.
Meraki MX Support
CDO now manages Meraki MX Firewall Policies!
Meraki MX is an enterprise security and software-defined wide-area-network (SD-WAN) next-generation firewall appliance designed for distributed deployments. You can now manage layer 3 network rules on Meraki MX devices using Cisco Defense Orchestrator.
CDO helps you optimize your Meraki environment by identifying problems with objects and policies and gives you ways to fix them. This applies to policies that are associated to both devices and templates. Use CDO to:
- Simultaneously manage policies on one or more Meraki devices
- Monitor and manage Meraki policies or templates alongside your FTD and ASA devices in an all-encompassing environment.
- Use a Meraki template to manage multiple networks.
- Customize access rules with objects that are compatible across other supported platforms, such as FTD and ASA devices.
- Reuse ASA and FTD objects in Meraki policies.
See Managing Meraki MX with Cisco Defense Orchestrator for more information.
Updated GUI Navigation
Navigating CDO's UI just got easier.
The policy menu in the navigation bar now guides you to policies grouped by device or function. We only expose the menu paths you need to reach the policies that currently exist on your tenant.
All of FTD's monitoring capabilities are grouped in the Events & Monitoring area of the navigation bar. The Monitoring menu shows you Network Reports and Threats.
Device Connectivity Troubleshooting
This tool allows you to test or troubleshoot connectivity issues between the Secure Device Connector (SDC) and any of your devices. You may want to test this connectivity if your device fails to onboard or if you want to determine, before onboarding, whether CDO can reach your device. See Troubleshoot Device Connectivity with Secure Device Connector for more information.
You can Help us Improve the CDO User Experience
We want to know about your CDO user experience and we now have an easy way for you to tell us. We've added a Provide Feedback button to our Help menu so you can give us your feedback without leaving the CDO portal. Tell us what you like and what we can improve on.
When you leave us your feedback, tell us your role in your company. Are you in the network operations center, the security operations center, or are you in the I-do-it-all-IT-center? Tell us what task you're trying to complete. Are you trying to edit a security policy or find something in the change log?
Here's how to leave us your feedback:
- Log in to CDO.
- Next to your tenant and account name, click the help button and select Provide Feedback.
- Enter your feedback and click Send Email. This generates an email to email@example.com in your local mail server that you must manually send.
A member of our support staff will respond as soon as possible.
Resolution to Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
The Cisco Product Security Incident Response Team (PSIRT) published the security advisory cisco-sa-20190215-runc which describes a high-severity vulnerability in Docker. Read the entire PSIRT team advisory for a full explanation of the vulnerability.
This vulnerability impacts all CDO customers:
- Customers using CDO's cloud-deployed Secure Device Connector (SDC) do not need to do anything as the remediation steps have already been performed by the CDO Operations Team.
- Customers using an SDC deployed on-premise need to upgrade their SDC host to use the latest Docker version.
See Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc for instructions on how to update a CDO-standard SDC host and a custom SDC host.
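As an added check for the on-premise case above (this script is not part of the Cisco advisory or of CDO's own tooling), the function below compares the Docker engine version reported by an SDC host against a minimum version you supply; the minimum itself is not stated on this page, so take it from the advisory and pass it as the first argument.

```shell
#!/bin/sh
# Added example: verify an on-premise SDC host's Docker engine version.
# The minimum version is NOT on this page; pass the value from the advisory.

# version_at_least HAVE NEED -> exit 0 when dotted version HAVE >= NEED.
# Handles unequal component counts and suffixes such as "18.09.1-ce".
version_at_least() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        n = split(have, h, "."); m = split(need, w, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            hv = (i <= n) ? h[i] + 0 : 0   # "+ 0" strips "-ce" style suffixes
            wv = (i <= m) ? w[i] + 0 : 0
            if (hv > wv) exit 0
            if (hv < wv) exit 1
        }
        exit 0
    }'
}

# check_sdc_docker MIN -> 0 if the local daemon meets MIN, 1 if it needs
# an upgrade, 2 if the daemon cannot be queried (docker CLI required).
check_sdc_docker() {
    min="$1"
    have="$(docker version --format '{{.Server.Version}}' 2>/dev/null)" || {
        echo "cannot query the Docker daemon on this host" >&2
        return 2
    }
    if version_at_least "$have" "$min"; then
        echo "OK: Docker $have meets minimum $min"
        return 0
    fi
    echo "UPGRADE NEEDED: Docker $have is below minimum $min"
    return 1
}

# Usage: sh check_sdc_docker.sh <minimum-docker-version-from-advisory>
if [ -n "${1:-}" ]; then
    check_sdc_docker "$1"
fi
```

Run it on the SDC host itself, or in your change-management checks after the Docker upgrade, to confirm the remediation actually took effect.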
Add Labels when Bulk Onboarding ASA Devices
You can now specify custom device labels when bulk onboarding your ASA devices. See Onboard ASAs in Bulk for more information.
Cisco IOS Device Support
Cisco Defense Orchestrator (CDO) allows you to manage Cisco IOS devices. These are the features we support for those devices:
- Onboarding Cisco IOS devices
- View the device configuration
- Read policy and configuration changes from device
- Detect out-of-band changes
- Command line interface support
- Individual CLI commands and groups of commands can be turned into editable and reusable "macros"
- Detect and manage SSH fingerprint changes
- View changes to IOS devices in the Change Log
Schedule Automatic Deployments
After making configuration changes for one or more devices using CDO, you can now schedule the deployment of those changes to those devices at a date and time that is convenient for you. For example, you can schedule the deployments to occur during your maintenance window or during a time of low network traffic.
See Enable the Option to Schedule Automatic Deployments and Schedule Automatic Deployments for more information.
Terminology Change: CDO "Deploys" Changes to the Devices it Manages
We updated the terminology we use to describe transferring changes you made on CDO's local copy of a device's configuration to the device itself. We previously used the word "write" to describe that transfer; now we use the word "deploy."
As you manage and make changes to a device's configuration with CDO, CDO saves the changes you make to its own copy of the configuration file. Those changes are considered "staged" on CDO until they are "deployed" to the device. Staged configuration changes have no effect on the network traffic running through the device. Only after CDO "deploys" the changes to the device do they have an effect on the traffic running through the device. When CDO deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not overwrite the entire configuration file stored on the device.