What's New for Cisco Defense Orchestrator

Support for Time-based ASA Network Policies

Time-based ASA Network policies allow access to networks and resources based on time of day. The time of day is defined by a time range object. Time range objects have a start time and an end time and can also be defined as a recurring event. See Define a Time Range for a Policy for more information. 

New Device Details Panel Layout

We reorganized our device details panel to make device information and commonly used command buttons easier to find.

Support for ASA Global Access Policies

Now you can create a global access policy for your ASAs using CDO. A global access policy is a network policy applied to all the interfaces on an ASA. It is applied to inbound network traffic.With CDO, you can also copy a global access policy from one ASA to another to maintain consistency across devices. See Configure an ASA Global Access Policy for more information.

Network Address Translation Rule Wizard for ASA Devices

There is a new Network Address Translation (NAT) rule wizard to help you create NAT rules on your ASA devices for these use cases:

• Enable Internet Access for Internal Users
• Expose an Internal Server to the Internet

See Network Address Translation Rule Wizard, for more information. 

New troubleshooting documentation

If Cisco Defense Orchestrator (CDO) and your ASA do not connect after an ASA reboot, it may be because the ASA has fallen back to using an OpenSSL cipher suite that is not supported by CDO's Secure Device Connector. The "ASA Fails to Reconnect to CDO After Reboot" troubleshooting topic tests for that case, provides a list of supported cipher suites, and remediation steps.

CDO Support Update for FirePOWER Services Module

Starting May 16, 2018, CDO will only support FirePOWER services version 6.2.3.x. 

The ASA FirePOWER module runs as a separate application from the ASA and supplies next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP). You can use the module in single or multiple context mode, and in routed or transparent mode. CDO identifies the ASA FirePOWER module as a FirePOWER type device.

• Support from Cisco Technical Assistance Center (TAC) and bug fixes will only be available for FirePOWER services 6.2.3, and it is highly recommended that you upgrade to this version as soon as possible.

• CDO will disallow onboarding modules running any version of FirePOWER services earlier than 6.2.3.x.

Alternatives: If upgrading to FirePOWER services 6.2.3 is not an option, we recommend that you evaluate the Adaptive Security Device Manager (ASDM) on the ASA or the multi-device manager, Firepower Management Center (FMC), for policy management of FirePOWER services.

Note: The ASA FirePOWER module is not the same as the Firepower Threat Defense next generation firewall. CDO does not yet support the Firepower Threat Defense next generation firewall.

Access Control Entry (ACE) Limit Calculation

CDO displays the number of access control entries (ACEs) in individual rules, network policies, and the total number running on an ASA. Though there is no hard-coded limit to the number of ACEs that an ASA can process, an ASA's performance will degrade when the number of access control entries becomes too large. See Access Control Entries (ACEs) for more information.

Unsuported Device

CDO does support the ASA Service Module (ASASM) at this time.

Read-only Users

We have created a read-only user role. Read-only users can view everything in CDO but they cannot create, update, configure, or delete anything on any page. Neither can they onboard devices. 

Read-only users see a blue banner that reads, "Read Only User. You cannot make configuration pages." on every page  and they are identified by their role in the User Management table. See CDO User Roles for more information about this user role. 

Update Connection Credentials 

When you onboard a device, you specify a username and password for that device. Cisco Defense Orchestrator connects to the device using those credentials and acts as that user when sending commands to the device. If users or passwords change on the device, you can update the device credentials to reflect those changes. See Update Connection Credentials for more information.

Improved Network Policy Filtering

You can now filter network policies by hit count without first knowing which ASA the policy runs on. This allows you to find network policies with zero hit counts anywhere in your deployment. See Filtering Use Cases for more information.

Export Network Policy Rules

You can export the contents of each Access-Group or Crypto-Map to a .csv file.  This .csv displays each Access Control List (ACL) and the data that CDO has for each ACL.See Export Network Policy Rules for more information.

New CDO Portal

We redesigned the portal to quickly communicate what you need to know, what you need to do, and where you go to do it.

Custom URL Upgrade

You can now upgrade your ASA device with ASA software and ASDM images you maintain in your own image repository. If your ASA does not have outbound access to the internet or you want an image that is not yet in CDO's image repository, this is the best way to upgrade your ASA. You can retrieve the images from your repository using any of these protocols: FTP, TFTP, HTTP, HTTPS, SCP, and SMB.

See Custom URL Upgrade for an explanation of this new feature.

Device Notes

Now you can save notes about a specific ASA in a single, plain-text, file without leaving CDO. See Device Notes for more information. 

See All the Accounts Associated with your Tenant

You will now be able to see all the users associated with your tenant on the User Management screen. This includes any Cisco support engineer temporarily associated with your account to resolve a support ticket.

To view the users associated with your tenant:

1. From the user menu, select Settings.

2. Click User Management.

Manage Cisco Access to Your Tenant

Cisco support will associate its users with your tenant to resolve support tickets or proactively fix issues that affect more than one customer. However, if you prefer, you can prevent Cisco support from accessing your account by changing your account settings. See General Settings for more information.  

Manage ASAs Using CLI Macros

CDO provides a list of complete CLI-based commands and command templates that are ready for you to customize and run on your ASAs. These CLI macros can be run on a single ASA or ASAs in bulk. Do you have a regular monitoring or maintenance task you perform? You can create and store your own CLI-based commands on CDO and reuse them when you need them. 

Here's an example of using a CLI macro to configure a DNS server on your ASAs:

1. Select the devices you need to configure.
2. Select the Configure DNS macro.

3. Fill in the parameter fields with your information:

4. Send it to all of your ASAs.

Compare ASA Configurations

You can now easily compare two ASA configurations. Select two ASAs in the Devices & Services page and click the compare button. CDO provides a side-by-side comparison of the devices' configurations. See Compare ASA Configurations for more information.

Use CDO to Mitigate the Risks of Recent Cisco ASA Security Advisory

On January 29, 2018, the Cisco Product Security Incident Response Team (PSIRT) published the security advisory cisco-sa-20180129-asa1 describing an ASA and Firepower security vulnerability. Read our article, Using CDO to Respond to Cisco ASA Advisory cisco-sa-20180129-asa1 to learn how to find the ASAs in your enterprise that are affected by the advisory and upgrade them to a patched version of ASA.

CDO Allows Long CLI Sequences

If you enter a long list of commands in the command box of the CLI, CDO attempts to break up your command into multiple commands so that they can be run against the ASA API at once. If CDO is unable to determine a proper separation in your command, it will prompt you for a hint. For example:

Error: CDO attempted to execute a portion of this command with a length that exceeded 600 characters. You can give a hint to CDO at where a proper command separation point is by breaking up your list of commands with an additional empty line between them.

See for ASA Command Line Interface for more information.

Enhancements to Help You Manage Shadow Rule Issues

• The ASA network policy issues filter indicate if there are any shadowed rules in a policy.

• A new badge  next to a rule in an ASA network policy indicates that it is shadowing another rule in the policy.
• For a shadowed rule, the network policy details pane identifies which rule in the policy is shadowing it. 

• New documentation on Resolving Shadow Rule Issues.

CDO Calculates Access Control Entries in your ASA Network Policies

Cisco Defense Orchestrator (CDO) calculates the number of access control entries (ACEs) derived from all the rules in an ASA network policy and displays that total at the top of the network policy details pane. If any of the rules in the network policy are shadowed, it lists that number as well.

CDO also displays the number of ACEs derived from a single rule in a network policy and displays that information in the network policy details pane. Here is an example of that listing:

ASAs have recommended limits on the number of ACEs created on a device. (See Access Control on the Adaptive Security Appliance, FAQ for more information.) Following those recommendations allows the ASA to process network traffic at an optimal speed. Deleting unused rules or shadowed rules helps keep your ACE count down.

Numbered Lines in Network Policies

CDO numbers rules in network policies for easy reading. Lines are renumbered as you add and delete rules or reorder them in a policy.

Enhanced ASA Network Policy Management

You can now perform these tasks with your ASA network policies!

• Copy and paste policies between ASA devices. Copy a policy from one ASA to another and assign it to a specific interface. 
• Cut and paste rules within policies. Change the prioritization of rules within a policy by cutting and pasting them in the rule table.
• Copy and paste rules between policies. Promote policy consistency by copying a rule from one policy to another. These policies can be on the same device or on different devices.   

These enhancements compliment existing functions like creating ASA network policies, activating or deactivating rules in a policy, and logging activity generated by rules in a policy.

See Edit an ASA Network Policy for more information and navigate through the ASA network policy documentation using the topic arrows at the bottom of a page:

Bulk Command Line Interface

Cisco Defense Orchestrator (CDO) promotes consistent configurations across your devices by giving administrators the ability to send one command to multiple devices simultaneously. CDO groups responses to a bulk CLI command by response type and by device type so you can identify which ASAs returned a certain response and which devices were sent a particular command. CDO maintains a historical list of your commands so you can rerun them or modify them. See Bulk Command Line Interface for more information.

Create ASA Network Policies

Now you can create a network policy for an ASA. You can add rules to the policy, change the order of rules within a policy, activate or deactivate rules within the policy, as well as copy that policy from one ASA to another! See Create an ASA Network Policy to get started!

Bulk Operations 

Certain CDO configuration tasks can be performed on multiple devices at the same time; they can be done "in bulk." This feature saves you time and promotes consistency among your devices. These are the operations you can perform in bulk and some additional features we've added to compliment them.

Bulk ASA and ASDM Upgrades

You can now use CDO's upgrade wizard to upgrade the ASA and ASDM images on multiple ASAs simultaneously. We make the process easy by performing all the necessary upgrade steps behind the scenes. The wizard guides you through the process of choosing compatible ASA and ASDM software images, installing them, and rebooting the device to complete the upgrade. We secure the upgrade process by validating that the images you choose on CDO are the ones copied to, and installed on, your ASA. See Bulk ASA and ASDM Upgrade for more information. 

Bulk Read Configurations

If a configuration change is made to a device outside of CDO, the device's configuration stored on CDO and the device's local configuration are no longer the same. In this case, CDO displays a "Conflict detected" message to alert the administrator. The administrator performs a "Read policy" action, which overwrites the configuration on CDO with the configuration stored on the device. The two configurations are now the same, they are "Synced." The bulk read configuration function allows administrators to perform this action on multiple devices at the same time.

Another use for bulk reading configurations is to prevent changes staged on CDO from being written to your devices. By reading the configurations from the device to CDO, you overwrite all staged changes on CDO. This could also be a good way to revert changes you made to your devices' configurations on CDO if you need to. See Bulk Read Configurations for more information.

Bulk Reconnecting Devices

CDO allows an administrator to attempt to reconnect more than one managed device to CDO simultaneously. When a device CDO manages is marked "unreachable," CDO can no longer detect out of band configuration changes or mange the device. Attempting to reconnect the devices is a simple first step in restoring CDO's management of the device. See Bulk Reconnecting Devicesfor more information.

Bulk Enabling and Disabling of Conflict Detection

You can enable or disable conflict detection for multiple devices simultaneously. Enabling conflict detection will alert you to instances where changes have been made to a device outside of CDO. See Enabling Conflict Detection for more information.

Jobs Notifications

The notifications tab is located at the bottom right corner of CDO. It displays an active count of ongoing actions in a job. 

Jobs Page

The Jobs page displays information about the status, success, and failure of a bulk operation. Color-coded rows in the jobs table indicate individual actions that have succeeded or failed. See Jobs Page for more information. 

Reinitiate a Task for a Failed Action

CDO remembers the bulk operation, identifies individual actions that failed, and saves you time by re-running the task on only the failed actions. When reviewing the jobs page, if you find one or more actions in a bulk operation that failed, you can re-run the bulk operation after you have made whatever corrections are necessary. CDO will re-run the job on only the failed actions. See Reinitiating a Bulk Operation that Resulted in a Failed Action for more information. 

NAT Documentation

We have documented procedures for these use cases:

• Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
• Make a server on the inside network available to users on a specific port of a public IP address
• Translate a range of private IP addresses to a range of public IP addresses

CLI Logging

Whenever you use CDO to execute a CLI command on an ASA, the command and the results of the command are now logged in the device's changelog. In the example below, the entry for CLI Execution row shows what commands were sent and the Changed ASA Config row shows what was changed in the configuration file as a result of the commands.

Bulk Onboarding of ASAs

You can now onboard multiple ASAs to CDO in a single batch. See Bulk Onboarding ASAs for more information.

Shared Network Policies

Cisco Defense Orchestrator (CDO) finds identical network policies used by multiple ASAs and identifies them on the network policy page. If you have a shared network policy, you can change it once and distribute the change to the other devices that share the policy. This keeps network policies consistent across devices. See Shared Network Policies for more information.

Filter Change Logs by Time and Date

You can now filter events in the change log by time and date. Navigate Monitoring > Change Log and find this time and date calendar in the filter bar:

Packet Tracer

Packet tracer helps you troubleshoot access and policy issues. Packet tracer sends a synthetic packet into the network and evaluates how the saved routing configuration, NAT rules, and policy configurations interact with that packet. For example, if a rule is dropping packets, packet tracer identifies that rule for you and gives you a link to it, so you can evaluate it and edit it. Packet tracer can be used on a live, online, physical or virtual Adaptive Security Appliance (ASA). Read ASA Packet Tracer for more information.

New Screencast!

  New screencast demonstrating how you can use CDO to upgrade a single ASA or two ASAs configured as an active/standby failover pair.

Updated Documentation

• Resolving Configuration Conflicts - A troubleshooting topic that describes what to do when you have a device that is "Not Synced" or reports "Conflict Detected." 
• Configuration Changes Made to ASAs in Active-Active Failover Mode - Provides important information about making configuration changes to ASA's configured in Failover mode as an Active-Active pair.
• Replacing the Certificate on the ASA FirePOWER module 6.2.2 and Firepower Threat Defense 6.2.2.
• Resolving Certificate Issues - A troubleshooting topic that explores why CDO may reject a certificate and what to do about it.
• Updates to our Frequently Asked Questions page.

CDO Service Status Page

CDO maintains a customer-facing service status page at https://status.defenseorchestrator.com/. The page shows if the CDO service is up and any service interruptions it may have had. You can view up-time information with daily, weekly, or monthly graphs. 

On the status page, you can click Subscribe to Updates to receive a notification if the CDO service goes down.

CDO Support Page

Customers can now get support through the CDO interface:

• Paying customers should open support cases directly with Cisco's Technical Assistance Center (TAC) by clicking Support Case Manager on the new Contact Support page. 
• All demo, internal, and trial customers can send email to cdo.support@cisco.com by entering their question in the details request form on the Contact Support page. A member of our support staff will respond as soon as possible.

See CDO Support for more information on these new services. 

External Links for Devices

You can now create a hyperlink to an external resource and associate it with a device you manage with CDO. You could use this feature to create a convenient link to a search engine, documentation resource, a corporate wiki, or any other URL you choose. You can associate as many external links with a device as you want. You can also associate the same link with multiple devices at the same time. See External Links for Devices for more information about this feature.

New Object Functions

• Resolving Duplicate, Inconsistent, and Unused Objects: When resolving object issues, you will have better visibility into network and services objects. You see a consolidated view of all the objects in the group, making it easier to compare object to object. You also have command buttons to resolve object issues by merging, renaming, or ignoring them.  
• New object filtering: More precise search capabilities to find the objects you are looking for.

Upgrades to ASAs configured as an Active/Standby Failover Pair

CDO has extended the functionality of the upgrade wizard to include upgrading ASAs configured as an active/standby failover pair. You use the same wizard functionality as you did for upgrading individual ASAs but now you can upgrade an active/standby failover pair.  See Upgrading ASA and ASDM Images in an Active-Standby Pair for more information about this feature.

Upgrades to Individual ASAs in Single Context or Multi-Context Mode

CDO now provides a wizard that allows you to upgrade the ASA and ASDM images installed on an individual ASA in single or context or multi-context mode. We make the process easy by performing all the necessary upgrade steps behind the scenes. The wizard guides you through the process of choosing compatible ASA Software and ASDM images, installing them, and rebooting the device to complete the upgrade. We secure the upgrade process by validating that the images you chose on CDO are the ones copied to, and installed on, your ASA.

Click in the details pane of the Devices & Services page to start your upgrade. See Upgrading ASA and ASDM Images for more information.

Export Devices & Services List

You can now export your Devices & Services list to a comma-separated value (.csv) file. From there, you can open the file in a spreadsheet application such as Microsoft Excel to sort and filter the items in your list.

See "Exporting Devices and Services List" for more information about this feature.

ASA Configuration Restore

You can now return an ASA to one of its previously saved configurations. This is a convenient way to remove a configuration change that had unexpected or undesired results. Choose the ASA configuration you want to restore, CDO shows you a comparison of that configuration and the last configuration saved to memory, and if you are satisfied that you are restoring the desired configuration you can restore it.

See "Restoring ASA Configurations" for more information on this feature. 

Change Request Management. 

You can now associate a change request and its business justification, opened in a separate ticketing system, with an event in the Change Log. Change request management allows you to create a change request in CDO, identify it with a unique name, enter a description of the change, and associate the change request with change log events. You can later search the Change Log for the change request name. 

For more information, read Change Request Management.

NAT Policy Management

Cisco Defense Orchestrator now supports reading, editing, searching, and creating NAT policies via an easy to use navigation wizard and advanced interface-based diagram, to show a full list of NAT policies (and their order) defined on an ASA device.

Obsolete Names (Objects) conversion

Your device's configuration contains legacy (obsolete) names ? Cisco Defense Orchestrator now enables, during objects issues resolution, to investigate across objects, object groups and now names to provide consistency across all objects used in policy and to assist with the conversion of names into object.

Fully Shadowed Rules Support

You can now filter and identify superfluous network policies that will never handle traffic intended, as all traffic is handled by a rule(s) up in rule set order. Upon making a change to network policies, CDO will alert in case rule edited or added is shadowed by a different rule.

On-Prem Secure Device Connector

Cisco Defense Orchestrator enables direct communication between CDO and supported devices and services. This communication is enabled by CDO Secure Device Connector (SDC) acting as proxy between remote location and CDO cloud services. This service is available now in two deployment models as follows:

On-Prem Secure Device Connector – On-prem Secure Device Connector is a pre-configured virtual appliance dedicated to the requested account.

Cloud Secure Device Connector – All cloud Secure Device Connectors are provisioned automatically and managed by Cisco Defense Orchestrator team.

Change Log

Continuous capture of both application (layer7) and network (layer3) policy changes performed via Cisco Defense Orchestrator within a single view across on-boarded devices and services (ASA, FirePOWER, Umbrella - OpenDNS). New Change Log lists at-a-glance view of most recent changes, while further revisions can be sorted and filters by device, change status, user and more. New Change Log functionality enables organizations to:

• Before and after inline incremental view (diff) of a network and application policy change (new, edited, and deleted rule; on-boarded or deleted devices and services, and more)
• Detection of policy change conflicts (occurring outside of Cisco Defense Orchestrator) and overwriting to/from a device or service
• Be able to answer Who, What, and When during an incident investigation or troubleshooting
• Export to a common format or 3rd party monitoring systems

Note: Devices and services currently managed by Cisco Defense Orchestrator will initiate change log event collection only after first write or read. For more information, please navigate here.

Hit Rates. Cisco Defense Orchestrator now enable network operations users to evaluate policy rules outcome, on top of secure and scalable orchestration of policies, providing simple visualization for more accurate policy analysis and immediate actionable pivot to root cause, all in a single pane from the cloud. New Hit Rates functionality enable organizations to:

• Eliminate obsolete and never matched policy rules increasing security posture
• Optimize Firewall performance by instantly identifying bottlenecks as well as correct and efficient prioritization is enforced (most triggered policy rule prioritized higher)
• Maintain Hit Rates history information even upon device or policy rule reset for configured data retention (1 year)
• Strengthen validation on suspected shadow and unused rules based on actionable information. Removing doubt about update or delete of those
• Visualize policy rules usage in context to entire policy, leveraging pre-defined time intervals (day, week, month, year) and scale of actual hits (zero, >100, >100k, etc.), to evaluate impact on packets traversing the network

Multiple Objects Support

Cisco Defense Orchestrator object management now enables inline editing of object and object group value(s) as well as referencing multiple objects in a single access list parameter; automatically assigning to a user-defined object group (without the need for dm_inline_* object creation).

Approve or Reject Out-of-Band Policy Modifications

Enhanced policy orchestration enforcement by not only identifying a remote change performed or what the change was (on a device or service), but the ability to approve or reject identified out-of-band changes in real-time.

Delegated Admin Support

Delegated Admin Support. Cisco Defense Orchestrator enable managing more than a single account (tenant) per user for easier and faster pivot between assigned accounts, while maintaining account security and complete data separation between accounts (tenants).

Import & Export of Pre-Defined Templates

Enable Import Pre-defined Templates. Leverage pre-defined device configuration templates, either available in your organization or from a third-party, to enable the scalable orchestration of onboarding all devices and services in your organization.

Devices and Services Connection Status Management

Device Connection Status Evaluation. New "Reconnect" button added to enable continuous monitoring of devices and services availability state, and alert for any change or actions need to be taken automatically or on-demand (e.g. update device credentials, renew device certificate).

Enhanced Template Management

Manage Template Enhancements. When creating new or updating an existing device template configuration file, a Cisco Defense Orchestrator user can now easily search across a device configuration file and assign multiple values to new or existing parameters, for use across account’s devices. For further information on creating and managing template, navigate here.