Using Cisco Defense Orchestrator to Manage FTD Devices
CDO provides a simplified management interface and cloud-access to your FTD devices. Firepower Device Manager (FDM) administrators will notice many similarities between the FDM interface and the CDO interface. We built CDO with the idea of keeping things as consistent as possible between managers.
Use CDO to manage these aspects of your physical or virtual FTD device:
FTD Software and Firepower Hardware Support
CDO supports Firepower Version 6.4 and later versions, which can be installed on a number of different Firepower hardware devices or virtual machines. See Firepower Threat Defense Support Specifics for more information.
Managing Smart Licenses
You can use Cisco Smart Licenses to license the FTD devices during onboarding or after onboarding the devices to CDO. Smart Licensing is conveniently built into our workflows and easily accessible from the CDO interface. For more information, see Applying or Updating a Smart License.
If the device you want to onboard is running FTD software version 6.4 or 6.5 and is already smart-licensed, it is likely registered with Cisco Smart Software Manager. You must unregister the device from Cisco Smart Software Manager before you onboard it to CDO with a registration key. When you unregister, the base license and all optional licenses associated with the device are freed in your virtual account.
If the device you want to onboard is running FTD software version 6.6 and later and is already registered with the Cisco cloud, you must unregister the device from Cisco Cloud Services before you onboard it to CDO with a registration key.
FTDv Tiered Licenses in Version 7.0
Version 7.0 supports performance-tiered Smart Licensing for virtual FTD (FTDv) devices based on throughput requirements and RA VPN session limits. When the FTDv is licensed with one of the available performance licenses, session limits for RA VPNs are determined by the installed FTDv platform entitlement tier and are enforced by a rate limiter.
CDO does not fully support tiered smart licensing at this time; see the following limitations:
- You cannot modify the tiered license through CDO. You must make the changes in the FDM UI.
- If you register an FTDv to CDO for cloud services, the tiered license selection automatically resets to Variable, which is the default tier.
- If you onboard an FTDv running 7.0 and select a license that is not a default license during the onboarding process, the tiered license selection automatically resets to Variable, which is the default tier.
We strongly recommend selecting a tier for your FTDv license after onboarding your device to avoid the issues listed above. See Managing Smart Licenses for more information.
CDO User Interfaces
CDO GUI and CLI Interfaces
CDO is a web-based management product that provides you with both a graphical user interface (GUI) and a command line interface (CLI) to manage your devices one at a time or many at once.
With the CLI interface, you can send commands to your FTD devices directly from CDO. Use CLI macros to save and run commonly used commands. See FTD Command Line Interface Documentation and Using the CDO Command Line Interface for more information.
FTD API Support
CDO provides an API tool that can perform advanced actions on an FTD device using the device's REST API. Additionally, this interface provides the following features:
- Records a history of already executed API commands.
- Provides system-defined API macros that can be reused.
- Allows creating user-defined API macros using the standard API macros, from a command you have already executed, or another user-defined macro.
For more information about the FTD API tool, see Using FTD API Tool.
Onboarding FTD Devices
Before you onboard an FTD, review the general device requirements and onboarding prerequisites.
The best practice is to onboard FTD devices with a registration token. See Onboard an FTD Running Software Version 6.6+ Using a Registration Key for more information.
You can use these additional methods to onboard an FTD to CDO as well:
Use CDO to upgrade software, configure high availability, configure device settings and network resources for your FTDs.
- System Settings. Once you have licensed your FTD and onboarded it, you can manage your FTD system settings entirely from CDO. You will be able to configure management access protocols, logging settings, DHCP and DNS server interaction, the device's hostname, the time server it uses, and URL filtering preferences.
- Security Database Updates. Keep your device up to date and compliant with current security database updates with a recurring task to check and update your device when necessary.
- High Availability. Manage HA configuration and operations with the FTD High Availability Page.
Upgrade your devices whenever you need to with the following methods:
Note: You can schedule these upgrades to occur when it is convenient, such as during a maintenance window.
ASA to FTD Migration
CDO helps you migrate your Adaptive Security Appliance (ASA) to an FTD device. CDO provides a wizard to help you migrate these elements of the ASA's running configuration to an FTD template:
- Access Control Rules (ACLs)
- Network Address Translation (NAT) rules
- Network objects and network group objects
- Service objects and service group objects
See Migrating an ASA Configuration to an FTD Template for more information.
You can use CDO to configure and edit data interfaces or the management/diagnostic interface on an FTD device.
Routing is the act of moving information across a network from a source to a destination. Routing involves two basic activities: determining optimal routing paths and transporting packets through a network. Use CDO to configure these aspects of routing:
- Configuring Static Routes and Default Routes. Using CDO, you can define a default route, and other static routes, for your FTD devices.
- Bridge Group Support. A bridge group is a virtual interface that groups one or more interfaces. The main reason to group interfaces is to create a group of switched interfaces. Using CDO you can configure and edit bridge groups on your FTD device.
- NAT (Network Address Translation). NAT rules help route your traffic from your inside (private) network to the Internet. NAT rules also play a security role by keeping internal IP addresses hidden from the world outside your network. You can create and edit NAT rules for your FTD using CDO. See Network Address Translation for more information.
Security policies examine network traffic with the ultimate goal of either allowing or preventing network traffic from reaching its intended destination. Use CDO to manage all the components of FTD's security policies:
- Copy and paste rules. Make sharing rules across policies easy by copying and pasting rules from one policy to another. See Copy FTD Access Control Rules for more information.
- SSL Decryption Policy. Some protocols, such as HTTPS, use Secure Sockets Layer (SSL) or its follow-on version, Transport Layer Security (TLS), to encrypt traffic for secure transmissions. Because the system cannot inspect encrypted connections, you must apply SSL decryption policy to decrypt them if you want to apply access rules that consider higher-layer traffic characteristics to make access decisions. See Firepower Threat Defense SSL Decryption Policy for more information.
- Identity Policy. Use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user group.
- Security Intelligence Policy. The Security Intelligence policy gives you an early opportunity to drop unwanted traffic based on source/destination IP address or destination URL. The system drops the traffic on the blocked list before evaluating it with the access control policy, thus reducing the amount of system resources used.
- Access Control Policy. The access control policy controls access to network resources by evaluating network traffic against access control rules. FTD compares the criteria of the access control rules, in the order they appear in the access control policy, to the network traffic. When all the traffic conditions in an access control rule are matched, FTD takes the action defined by the rule. You can configure all aspects of access control policy using CDO.
- TLS 1.3 Security Identity Discovery. This feature, supported in 6.7 and later, allows you to perform URL filtering and application control on traffic encrypted with TLS 1.3. See TLS Server Identity Discovery in Firepower Threat Defense for more information.
- Reputation Enforcement on DNS Traffic. Enable this option to apply your URL filtering category and reputation rules to DNS lookup requests. See Configuring Access Policy Settings for more information.
- Threat Events. A threat event is a report of traffic that has been dropped, or that has generated an alert, after matching one of Cisco Talos's intrusion policies. In most cases, there's no need to tune IPS rules. If necessary, you have the option to override how an event is handled by changing the matching rule action in CDO. CDO supports IPS rule tuning on all versions of FTD 6.4 and FTD 6.6.1. CDO does not support IPS rule tuning on any version of FTD 6.5, any version of FTD 6.6 other than 6.6.1, or any version of FTD 6.7.
- Intrusion Policy. Cisco delivers several intrusion policies with the Firepower system. These policies are designed by the Cisco Talos Security Intelligence and Research Group, who set the intrusion and preprocessor rule states and advanced settings. Intrusion policies are aspects of access control rules. See Intrusion Policy Settings in an FTD Access Control Rule for more information.
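The evaluation order described above (Security Intelligence drops first, then access control rules tried in order until one matches on all of its conditions) is easy to get wrong when a broad early rule shadows a more specific later one. The following is an added example, not CDO or FTD code; the rule fields, flow fields and sample policy are constructed for illustration and the shadow check is a policy hygiene heuristic of this example, not a CDO feature.

```python
# Added example, not CDO or FTD code: models the evaluation order described above.
# Security Intelligence is checked first; then access control rules are tried in
# order, and the first rule whose conditions ALL match decides the action.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "block"
    src: str = ""        # CIDR; empty string means "any"
    dst: str = ""
    dst_port: int = 0    # 0 means "any"
@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every condition set on the rule must match; unset conditions match anything."""
    if rule.src and ip_address(flow.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    return not rule.dst_port or rule.dst_port == flow.dst_port

def evaluate(flow: Flow, si_blocklist, rules, default_action="block"):
    """Return (action, reason). SI drops happen before the access policy is consulted."""
    for net in si_blocklist:
        if ip_address(flow.src) in ip_network(net) or ip_address(flow.dst) in ip_network(net):
            return "block", f"security-intelligence:{net}"
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default_action, "default-action"

def _net_covers(a: str, b: str) -> bool:
    # "any" covers everything; otherwise b must be a subnet of (or equal to) a
    return not a or (bool(b) and ip_network(b).subnet_of(ip_network(a)))

def _covers(earlier: Rule, later: Rule) -> bool:
    return (_net_covers(earlier.src, later.src) and _net_covers(earlier.dst, later.dst)
            and (not earlier.dst_port or earlier.dst_port == later.dst_port))

def shadowed_rules(rules):
    """Hygiene check (this example's heuristic): rules that can never be reached."""
    return [r.name for i, r in enumerate(rules) if any(_covers(e, r) for e in rules[:i])]

# Constructed sample policy: the broad "allow-lan-web" rule shadows "block-guest-web".
SI_BLOCKLIST = ["203.0.113.0/24"]
RULES = [
    Rule("allow-lan-web", "allow", src="10.0.0.0/8", dst_port=443),
    Rule("block-guest-web", "block", src="10.99.0.0/16", dst_port=443),
    Rule("block-telnet", "block", dst_port=23),
]
```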
Snort 3 and Version 7.0 Intrusion Policies
Snort is the main inspection engine for the FTD device. Devices running Version 6.7 and later can upgrade from Snort 2 to Snort 3. Upgrading to Snort 3 allows you to create your own intrusion policies and customize them for your purposes. The system comes with pre-defined policies that are based on the same-named Cisco Talos Intelligence Group (Talos)-defined policies. From CDO, you can switch the engine to Snort 3 as part of the FTD system upgrade to FTD 6.7. If your device is already running version 6.7 or later, you can upgrade just the intrusion prevention engine to Snort 3.
You can also revert from Snort 3 to Snort 2 using CDO.
Promote Policy and Configuration Consistency
An object is a container of information that you can use in one or more security policies. Objects make it easy to maintain policy consistency because you can modify an object and that change affects all the other policies that use that object. Without objects, you would need to modify all the policies, individually, that require the same change.
Use CDO to create and manage these object types:
Resolve Object Issues
CDO calls an object used on multiple devices a "shared object" and marks such objects with a badge on the Objects page. Sometimes a shared object develops an "issue" and is no longer perfectly shared across multiple policies or devices. CDO makes it easy to Resolve Duplicate Object Issues, Resolve Unused Object Issues, and Resolve Inconsistent Object Issues so that you can manage your devices as well as your repository of objects.
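The three object issue types named above can be checked offline against an exported object inventory. The following is an added example, not CDO code: it assumes the usual definitions (duplicate: identical values under different names on one device; unused: referenced by no rule on its device; inconsistent: the same name with different values on different devices), and the inventory and rule references are constructed sample data.

```python
# Added example, not CDO code: detects the duplicate, unused and inconsistent
# object issues named on this page. Definitions are assumed (see lead-in);
# the inventory below is constructed sample data, not an export from a device.
from collections import defaultdict

# Constructed inventory: device -> {object name: frozenset of member values}
OBJECTS = {
    "ftd-hq": {
        "web-servers": frozenset({"10.1.10.10", "10.1.10.11"}),
        "web-srv-old": frozenset({"10.1.10.10", "10.1.10.11"}),
        "dns-servers": frozenset({"10.1.1.53"}),
        "lab-net": frozenset({"192.0.2.0/24"}),
    },
    "ftd-branch": {
        "web-servers": frozenset({"10.1.10.10"}),
        "dns-servers": frozenset({"10.1.1.53"}),
    },
}
# Constructed rule references: device -> names of objects its policies use
REFERENCES = {
    "ftd-hq": {"web-servers", "dns-servers"},
    "ftd-branch": {"web-servers", "dns-servers"},
}

def duplicate_objects(objects):
    """Objects on the same device that hold identical values under different names."""
    issues = []
    for device, table in objects.items():
        by_value = defaultdict(list)
        for name, value in table.items():
            by_value[value].append(name)
        issues += [(device, sorted(names)) for names in by_value.values() if len(names) > 1]
    return sorted(issues)

def unused_objects(objects, references):
    """Objects that no rule on their device references."""
    return sorted((d, n) for d, t in objects.items() for n in t if n not in references.get(d, set()))

def inconsistent_objects(objects):
    """Same object name on different devices with different values (shared-object drift)."""
    by_name = defaultdict(dict)
    for device, table in objects.items():
        for name, value in table.items():
            by_name[name][device] = value
    return sorted(name for name, per_dev in by_name.items() if len(set(per_dev.values())) > 1)
```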
An FTD template is a complete copy of an onboarded FTD device's configuration. You can then modify that template and use it to configure other FTD devices you manage. FTD templates promote policy consistency between devices. See FTD Templates for more information.
CDO makes it easy to configure and manage a high availability pair of FTDs. You can onboard an existing HA pair or create an HA pair in CDO. HA configurations make it possible to maintain a secure network in scenarios where a device might be unavailable, such as during an upgrade period or an unexpected device failure. In failover mode, the standby device is already configured to become active, so even if one of the HA devices becomes unavailable, the other device continues to handle traffic.
You can upgrade HA FTD pairs in CDO! See Upgrade an FTD High Availability Pair for more information.
Configuring Virtual Private Networks
A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, thus connecting network to network. CDO uses tunnels to encapsulate data packets within normal IP packets for forwarding over IP-based networks, using encryption to ensure privacy and authentication to ensure data integrity. See Site-to-Site VPN for more information.
For additional information about Virtual Private Networks, refer to the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
Remote Access VPN
Remote Access (RA) VPN allows individuals to establish a secure connection to your network using supported laptop, desktop, and mobile devices. CDO provides an intuitive user interface for you to set up RA VPN on FTD devices. AnyConnect is the only client that is supported on endpoint devices for RA VPN connectivity to FTD.
Cisco Defense Orchestrator (CDO) supports the following aspects of RA VPN functionality on FTD devices:
- Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) for privacy, authentication, and data integrity
- SSL client-based remote access
- IPv4 and IPv6 addressing
- Shared RA VPN configuration across multiple FTD devices
See RA VPN for more information.
Monitoring Your Network
CDO provides reports summarizing the impact of your security policies and methods of viewing notable events triggered by those security policies. CDO also logs the changes you make to your devices and provides you with a way to label those changes so you can associate the work you do in CDO with a help ticket or other operational request.
Executive Summary Report
Executive summary reports display a collection of operational statistics such as encrypted traffic, intercepted threats, detected web categories, and more. Data in the reports is generated when network traffic triggers an access rule or policy on an FTD device. We recommend enabling malware, threat, and IPS licenses, as well as enabling file logging for access rules, to allow a device to generate the events that are reflected in the reports.
Read FTD Executive Summary Report for more information about what the report offers and how you can use it to improve your network infrastructure. To create and manage your reports, see Managing Reports.
Cisco Security Analytics and Logging
Cisco Security Analytics and Logging allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your FTD devices and view them in one place in Cisco Defense Orchestrator (CDO).
The events are stored in the Cisco cloud and viewable from the Event Logging page in CDO where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. The Logging and Troubleshooting package gives you these capabilities.
With the Firewall Analytics and Monitoring package, the system can apply Stealthwatch Cloud dynamic entity modeling to your FTD events, and use behavioral modeling analytics to generate Stealthwatch Cloud observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your FTD events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to a SWC portal provisioned for you, using Cisco Single Sign-On. See Cisco Security Analytics and Logging for more information.
The change log continuously captures configuration changes as they are made in CDO. This single view includes changes across all supported devices and services. These are some of the features of the change log:
- Side-by-side comparison of changes made to device configuration.
- Plain-English labels for all change log entries.
- Records on-boarding and removal of devices.
- Detection of policy change conflicts occurring outside of CDO.
- Answers who, what, and when during an incident investigation or troubleshooting.
- The full change log, or only a portion, can be downloaded as a CSV file.
Change Request Management
Change request management allows you to associate a change request and its business justification, opened in a third-party ticketing system, with an event in the Change Log. Use change request management to create a change request in CDO, identify it with a unique name, enter a description of the change, and associate the change request with change log events. You can later search the Change Log for the change request name.