Onboarding Firepower Threat Defense Devices
Before onboard an FTD device to CDO, read Onboard Firepower Threat Defense Devices. It lists the general device requirements and onboarding prerequisites needed to onboard a device.
Then, see Onboard a Firepower Threat Defense Device Using Username, Password, and IP Address to onboard your FTD.
Using Cisco Defense Orchestrator to Manage Firepower Threat Defense Devices
CDO is designed for firewall managers who want a simplified management interface and cloud-access to their devices. Firepower Device Manager (FDM) administrators will notice many similarities between the FDM interface and the CDO interface. We built CDO with the idea of keeping things as consistent as possible between managers.
Use CDO to manage these aspects of your physical or virtual Firepower Threat Defense (FTD) device:
Use CDO to upgrade software, configure high availability, configure device settings and network resources for your FTDs.
- Onboarding an FTD Device. Firepower Threat Defense (FTD) devices can be managed by CDO if they are locally managed by FDM. If the FTD is managed by a Firepower Management Center (FMC), you need to remove it from the FMC before you manage it with CDO. To onboard an FTD to CDO, see, Onboarding a Firepower Threat Defense Device using a username, password, and IP address.
- System Settings. Once you have licensed your FTD and onboarded it, you can manage your FTD system settings entirely from CDO. You will be able to configure management access protocols, logging settings, DHCP and DNS server interaction, the device's hostname, the time server it uses, and URL filtering preferences.
CDO's upgrade wizard allows you to seamlessly upgrade your FTD devices with an FTD image stored by CDO or one that you maintain in a local repository. You can upgrade your devices individually or in bulk at a time you choose.
You can use Cisco Defense Orchestrator (CDO) to configure and edit data interfaces or the management/diagnostic interface on a Firepower Threat Defense (FTD) device.
Routing is the act of moving information across a network from a source to a destination. Routing involves two basic activities: determining optimal routing paths and transporting packets through a network. Use CDO to configure these aspects of routing:
- Configuring Static Routes and Default Routes. Using Cisco Defense Orchestrator (CDO), you can define a default route, and other static routes, for your Firepower Threat Defense (FTD) devices.
- Bridge Group Support. A bridge group is a virtual interface that groups one or more interfaces. The main reason to group interfaces is to create a group of switched interfaces. Using CDO you can configure and edit bridge groups on your Firepower Threat Defense device.
- NAT (Network Address Translation). NAT rules help route your traffic from your inside (private) network to the Internet. NAT rules also play a security role by keeping internal IP addresses hidden from the world outside your network. You can create and edit NAT rules for your Firepower Threat Defense using CDO. See Network Address Translation for more information.
Security policies examine network traffic with the ultimate goal of either allowing network traffic to reach or prevent network traffic from reaching its intended destination. Use CDO to manage all the components of Firepower Threat Defense's security policies:
- SSL Decryption Policy. Some protocols, such as HTTPS, use Secure Sockets Layer (SSL) or its follow-on version, Transport Layer Security (TLS), to encrypt traffic for secure transmissions. Because the system cannot inspect encrypted connections, you must apply SSL decryption policy to decrypt them if you want to apply access rules that consider higher-layer traffic characteristics to make access decisions. See Firepower Threat Defense SSL Decryption Policy for more information.
- Identity Policy. Use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user group.
- Security Intelligence Policy. The Security Intelligence policy gives you an early opportunity to drop unwanted traffic based on source/destination IP address or destination URL. The system drops the traffic on the blocked list before evaluating it with the access control policy, thus reducing the amount of system resources used.
- Access Control Policy. The access control policy controls access to network resources by evaluating network traffic against access control rules. FTD compares the criteria of the access control rules, in the order they appear in the access control policy, to the network traffic. When all the traffic conditions in an access control rule are matched, FTD takes the action defined by the rule. You can configure all aspects of access control policy using CDO.
- Intrusion Policy. Cisco delivers several intrusion policies with the Firepower system. These policies are designed by the Cisco Talos Security Intelligence and Research Group, who set the intrusion and preprocessor rule states and advanced settings. Intrusion policies are aspects of access control rules. See Intrusion Policy Settings in a Firepower Threat Defense Access Control Rule for more information.
- Threat Events. A threat event is a report of traffic that has been dropped, or that has generated an alert, after matching one of Cisco Talos's intrusion policies. In most cases, there's no need to tune IPS rules. If necessary, you have the option to override how an event is handled by changing the matching rule action in CDO.
- NAT (Network Address Translation). NAT rules help route your traffic from your inside (private) network to the Internet. NAT rules also play a security role by keeping internal IP addresses hidden from the world outside your network. You can create and edit NAT rules for your Firepower Threat Defense using CDO.
Promote Policy and Configuration Consistency
An object is a container of information that you can use in one or more security policies. Objects make it easy to maintain policy consistency because you can modify an object and that change affects all the other policies that use that object. Without objects, you would need to modify all the policies, individually, that require the same change.
Use CDO to create and manage these object types:
Resolve Object Issues
CDO calls an object used on multiple devices a "shared object" and identifies them in the Objects page with this badge . Sometimes a shared object develops some "issue" and is no longer perfectly shared across multiple policies or devices. CDO makes it easy to Resolve Duplicate Object Issues, Resolve Unused Object Issues, and Resolve Inconsistent Object Issues to manage your devices as well as your repository of objects.
A Firepower Threat Defense (FTD) template is a complete copy of an onboarded FTD device's configuration. You can then modify that template and use it to configure other FTD devices you manage. FTD templates promote policy consistency between devices. See Firepower Threat Defense Templates for more information.
The change log continuously captures configuration changes as they are made in CDO. This single view includes changes across all supported devices and services. These are some of the features of the change log:
- Side-by-side comparison of changes made to device configuration
- Plain-English labels for all change log entries.
- Records on-boarding and removal of devices.
- Detection of policy change conflicts occurring outside of CDO.
- Answers who, what, and when during an incident investigation or troubleshooting.
- The full change log, or only a portion, can be downloaded as a CSV file.
Change Request Management
Change request management allows you to associate a change request and its business justification, opened in a third-party ticketing system, with an event in the Change Log. Use change request management to create a change request in CDO, identify it with a unique name, enter a description of the change, and associate the change request with change log events. You can later search the Change Log for the change request name.
Monitoring Your Network
Defense Orchestrator provides several reports that you can use to analyze the impact of your security policies on the traffic going through your Firepower Threat Defense (FTD) device. See Managing Reports for more information.
Soon CDO will provide support for these features:
- ASA to FTD Migration
- Remote Access VPN
- Site to Site VPN
- High Availability