


Cisco Defense Orchestrator

Managing ASA with Cisco Defense Orchestrator

Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that provides a simple, consistent, and highly secure way of managing security policies on all your ASA devices. 

CDO helps you optimize your ASA environment by identifying problems with objects and policies and gives you ways to fix them. Use CDO to:

  • Upgrade your ASA and ASDM images on multiple devices.
  • Monitor all your ASAs.
  • Troubleshoot policies.
  • Monitor VPN connections.

Get Started

Initialize Account

Contact us at We ask you to fill out this questionnaire about your network environment, what kind of Secure Device Connector (SDC) is right for you, and what your primary ASA use cases are. The SDC enables your ASAs to communicate with CDO. Depending on what features you want to implement, we can create a cloud-SDC for you or you can install an on-premises SDC in your own environment. After that, onboard your ASAs to CDO and see them all in the Devices & Services page. 

If you have any questions about the account initialization process or how to complete our questionnaire, email

Onboard Devices

CDO easily manages large ASA deployments. How many ASAs can you onboard? Hundreds and hundreds. Using bulk onboarding, you can onboard all your ASAs at once. If you deploy a new ASA, you can onboard that device on its own.


CDO GUI and CLI Interfaces

CDO is a web-based management product that provides you with both a graphical user interface (GUI) and a command line interface (CLI) to manage your devices one at a time or many at once.

ASA CLI users will appreciate the extra capabilities of our CLI tool. Here are some of the reasons to use CDO's CLI tool rather than connecting to the device with an SSH session: 

  • CDO knows what context is needed for a command. You do not need to elevate or lower your permission level to execute a command, nor do you need to enter the specific command context to execute a command.
  • CDO retains command history, so you can easily re-run a command by picking it from a list. 
  • CLI actions are logged in the change log, so you can read what command was sent and what action was taken. 
  • Commands can be run in bulk mode, allowing you to deploy objects or policies to multiple devices simultaneously.


Optimize Your Policies

Now that you have all your ASAs onboarded, start using CDO to identify and correct problems with network objects, optimize your existing policies, review your VPN connections, and upgrade your ASAs to the newest releases.

Resolve Network Object Issues

Start to optimize the security policies on your ASAs by resolving issues with network policy objects.  


  1. Unused objects. CDO identifies network policy objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Find these unused objects and delete them.
  2. Duplicate objects. Duplicate objects are two or more objects on the same device with different names but the same values. These objects are usually created accidentally, serve similar purposes, and are used by different policies. Look for opportunities to standardize names while recognizing that some duplicates may exist for legitimate reasons.
  3. Inconsistent objects. Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with the same name and content, but over time the values of these objects diverge, which creates the inconsistency. Consider standardizing the values in these objects or renaming one to identify it as a different object.
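
The three object issues defined above can be reproduced offline against an exported inventory. The following is an added example, not CDO's own code: the device names, object names, values and the `DEVICES` layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not real device output): per device, the
# network objects it defines and the object names referenced by some
# access-list, NAT rule or other object on that device.
DEVICES = {
    "asa-east": {
        "objects": {
            "web-servers": {"10.1.1.10", "10.1.1.11"},
            "dmz-web": {"10.1.1.11", "10.1.1.10"},
            "old-lab": {"192.168.50.0/24"},
            "dns": {"10.1.0.53"},
        },
        "referenced": {"web-servers", "dmz-web", "dns"},
    },
    "asa-west": {
        "objects": {"web-servers": {"10.2.1.10"}, "dns": {"10.1.0.53"}},
        "referenced": {"web-servers", "dns"},
    },
}

def unused_objects(devices):
    """Objects defined on a device but referenced by nothing on it."""
    return {dev: sorted(set(cfg["objects"]) - cfg["referenced"])
            for dev, cfg in devices.items()}

def duplicate_objects(devices):
    """Groups of differently named objects on one device with equal values."""
    result = {}
    for dev, cfg in devices.items():
        by_value = defaultdict(list)
        for name, values in cfg["objects"].items():
            by_value[frozenset(values)].append(name)
        result[dev] = sorted(sorted(g) for g in by_value.values() if len(g) > 1)
    return result

def inconsistent_objects(devices):
    """Names defined on two or more devices whose values differ."""
    seen = defaultdict(dict)
    for dev, cfg in devices.items():
        for name, values in cfg["objects"].items():
            seen[name][dev] = frozenset(values)
    return sorted(name for name, per_dev in seen.items()
                  if len(set(per_dev.values())) > 1)
```

Duplicates are reported as groups rather than deleted, since some of them exist for legitimate reasons.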

Fix Shadow Rules

Now that you have resolved your network object issues, review network policies for shadow rules and fix them. A shadow rule is marked by a half-moon badge on the network policies page. It is a rule in a policy that will never trigger because a rule with higher priority in the policy acts on all the packets before they reach the shadowed rule. If there is a shadowed rule that will never be hit, remove it, or edit the policy to bring that rule "into the light."
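
The shadowing condition described above can be checked with a containment test between rules. This is an added example, not CDO's detection logic: the `Rule` model, the rule names and the sample policy are constructed, and it only reports a rule that a single earlier rule fully covers.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    protocol: str               # "tcp", "udp" or "ip" (any protocol)
    src: str                    # source network in CIDR form
    dst: str                    # destination network in CIDR form
    ports: tuple = (0, 65535)   # inclusive destination port range

def covers(upper, lower):
    """True if every packet matching `lower` also matches `upper`."""
    net = ipaddress.ip_network
    return ((upper.protocol == "ip" or upper.protocol == lower.protocol)
            and net(lower.src).subnet_of(net(upper.src))
            and net(lower.dst).subnet_of(net(upper.dst))
            and upper.ports[0] <= lower.ports[0]
            and lower.ports[1] <= upper.ports[1])

def find_shadowed(policy):
    """Return (shadowed, shadowing) rule-name pairs, in policy order."""
    findings = []
    for i, lower in enumerate(policy):
        for upper in policy[:i]:   # rules evaluated before `lower`
            if covers(upper, lower):
                # The earlier rule acts on all of these packets first,
                # whatever its action, so `lower` is never hit.
                findings.append((lower.name, upper.name))
                break
    return findings

# Constructed sample policy, highest priority first.
POLICY = [
    Rule("web-in", "permit", "tcp", "10.0.0.0/8", "172.16.1.0/24", (443, 443)),
    Rule("web-admin", "permit", "tcp", "10.1.0.0/16", "172.16.1.10/32", (443, 443)),
    Rule("ssh-in", "permit", "tcp", "10.0.0.0/8", "172.16.1.0/24", (22, 22)),
    Rule("block-dmz", "deny", "ip", "0.0.0.0/0", "172.16.0.0/16"),
    Rule("late-dns", "permit", "udp", "10.0.0.0/8", "172.16.2.53/32", (53, 53)),
    Rule("intranet", "permit", "tcp", "10.0.0.0/8", "192.168.0.0/16", (80, 80)),
]
```

In the sample, `late-dns` is the finding worth acting on: it is a permit that sits below a deny covering the same traffic, so the intended access never takes effect.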

Upgrade ASA and ASDM

Next, upgrade to the newest version of ASA and ASDM. Customers have reported time-savings of 75%-90% when upgrading their ASAs using CDO.


CDO provides a wizard that allows you to upgrade the ASA and ASDM images installed on an individual ASA or on multiple ASAs in single-context or multi-context mode.

We make the process easy by performing all the necessary upgrade steps behind the scenes. The wizard guides you through the process of choosing compatible ASA Software and ASDM images, installing them, and rebooting the device to complete the upgrade. We secure the upgrade process by validating that the images you chose on CDO are the ones copied to, and installed on, your ASA.

CDO periodically reviews its catalog of ASA binaries and adds the newest ASA and ASDM images. Please note that CDO only supports generally available (GA) images and will not add custom images to its catalog. If you do not see a specific GA image in the list, please contact Cisco TAC from the Contact Support page. We will process the request using the established support ticket SLAs and upload the missing GA image.

Start with ASA and ASDM Upgrade Prerequisites and then move ahead to Bulk ASA and ASDM Upgrade to learn more about upgrading. 

Manage Your Environment

Many of CDO's other features can help you with day-to-day activities like monitoring, troubleshooting, and responding to user requests.

Change Log

The CDO change log continuously captures network policy change events as they are performed in CDO. The change log displays information like changes deployed from CDO to your device, changes imported from your device to CDO, what a single change added and deleted from the device configuration, when it happened and who did it.

You can also create a custom label that uses your company's tracking number and apply it to the changes you make. In the change log, you can filter the list of changes by that custom label, a date range, by a specific user, or by change type to easily find what you're looking for.


ASA Monitoring 

Do your ASAs have issues? Maybe they're just a little out of sync or they need some conflict resolution. Sometimes, sadly, your ASAs are unreachable and you need to reconnect. CDO identifies all kinds of problems your ASAs are having.  

ASAs connected with CDO are Online. If there is a problem with connectivity, CDO may report an ASA as Unreachable, Unregistered, or show an error. You can see all these device states on the Devices & Services page. Use the Devices & Services filter to identify devices in different states of connectivity.

ASAs that are synced have the same configuration stored on CDO as they have in the running configuration of the ASA. If a change was made on CDO but not deployed to the device, the configurations are Not synced. If a change was made to an ASA directly and that change is not reflected in CDO's configuration, CDO shows that there was a Conflict Detected with that device. Use the Configuration Status filter and the Conflict Detection filter. Then, resolve the configuration conflicts with those devices.

CDO calls problems that need your attention "issues." Look in the filter bar in the Network Policies page, the Objects page, and the VPN page for the "issues" filters. You used these filters when you were optimizing your ASA deployment after you onboarded your ASAs. Use the "issues" filters to continue to identify problems that need your attention.

Troubleshoot Policies

Use ASA Packet Tracer to test the path of a synthetic packet through a policy and determine if a rule is inadvertently blocking or allowing access.


Search the CDO documentation for troubleshooting topics. We've tagged many topics as troubleshooting topics to help you find them easily. If you don't see the one you need, let us know by contacting Cisco TAC from the Contact Support page. 

Review VPN Issues

CDO reports VPN issues that you have on the ASA and ASAv devices in your network. You can look at your environment two ways: as a table showing a listing of VPN peers or as a map showing your VPN connections in a hub and spoke topology. Use the filter sidebar to search for VPN tunnels that need your attention.


Here are some common VPN issues that CDO detects which you may need to resolve:

  • Idle connectivity status.  
  • Missing peer IP address. 
  • Peer is unmanaged by CDO.
  • IKEv1 or IKEv2 keys are invalid, missing, or mismatched.
  • Incomplete or misconfigured access lists defined for a given tunnel.

See Identify VPN Issues for more information.  

Evaluate Policy Hit Rates

Are your policies evaluating network traffic? CDO gathers hit rate data on your policies every hour. The longer your devices are managed by CDO, the more meaningful the hit rate data on a particular policy will be. Filter network policies by device and hit count to learn if a policy is effective. If it is not, consider rewriting it or deleting it.


Putting it All Together

Now that you have read about many of CDO's features and capabilities, here is further documentation describing tasks you can perform with CDO:

Get Help!

You can contact support, ask a question, or read our product documentation by clicking on our support menu in the CDO GUI. 

