Skip to main content

 

 

Cisco Defense Orchestrator

Feature Highlights of 2017

This articles highlights some of the features added to Cisco Defense Orchestrator in 2017.

 

December 2017

December 14, 2017

Bulk Command Line Interface

Cisco Defense Orchestrator (CDO) promotes consistent configurations across your devices by giving administrators the ability to send one command to multiple devices simultaneously. CDO groups responses to a bulk CLI command by response type and by device type so you can identify which ASAs returned a certain response and which devices were sent a particular command. CDO maintains a historical list of your commands so you can rerun them or modify them. See Bulk Command Line Interface for more information.

bulk_cli_tour_75.png

Create ASA Network Policies

Now you can create a network policy for an ASA. You can add rules to the policy, change the order of rules within a policy, activate or deactivate rules within the policy, as well as copy that policy from one ASA to another! See Create an ASA Network Policy to get started!

create_policy.png

November 2017

November 9, 2017

Bulk Operations 

Certain CDO configuration tasks can be performed on multiple devices at the same time; they can be done "in bulk." This feature saves you time and promotes consistency among your devices. These are the operations you can perform in bulk and some additional features we've added to compliment them.

Bulk ASA and ASDM Upgrades

You can now use CDO's upgrade wizard to upgrade the ASA and ASDM images on multiple ASAs simultaneously. We make the process easy by performing all the necessary upgrade steps behind the scenes. The wizard guides you through the process of choosing compatible ASA and ASDM software images, installing them, and rebooting the device to complete the upgrade. We secure the upgrade process by validating that the images you choose on CDO are the ones copied to, and installed on, your ASA. See Bulk ASA and ASDM Upgrade for more information. 

Bulk Read Configurations

If a configuration change is made to a device outside of CDO, the device's configuration stored on CDO and the device's local configuration are no longer the same. In this case, CDO displays a "Conflict detected" message to alert the administrator. The administrator performs a "Read policy" action, which overwrites the configuration on CDO with the configuration stored on the device. The two configurations are now the same, they are "Synced." The bulk read configuration function allows administrators to perform this action on multiple devices at the same time.

Another use for bulk reading configurations is to prevent changes staged on CDO from being written to your devices. By reading the configurations from the device to CDO, you overwrite all staged changes on CDO. This could also be a good way to revert changes you made to your devices' configurations on CDO if you need to. See Bulk Read Configurations for more information.

Bulk Reconnecting Devices

CDO allows an administrator to attempt to reconnect more than one managed device to CDO simultaneously. When a device CDO manages is marked "unreachable," CDO can no longer detect out of band configuration changes or mange the device. Attempting to reconnect the devices is a simple first step in restoring CDO's management of the device. See Bulk Reconnecting Devicesfor more information.

Bulk Enabling and Disabling of Conflict Detection

You can enable or disable conflict detection for multiple devices simultaneously. Enabling conflict detection will alert you to instances where changes have been made to a device outside of CDO. See Enabling Conflict Detection for more information.

Jobs Notifications

The notifications tab is located at the bottom right corner of CDO. It displays an active count of ongoing actions in a job. 

notification_tab_all.png

Jobs Page

The Jobs page displays information about the status, success, and failure of a bulk operation. Color-coded rows in the jobs table indicate individual actions that have succeeded or failed. See Jobs Page for more information. 

Reinitiate a Task for a Failed Action

CDO remembers the bulk operation, identifies individual actions that failed, and saves you time by re-running the task on only the failed actions. When reviewing the jobs page, if you find one or more actions in a bulk operation that failed, you can re-run the bulk operation after you have made whatever corrections are necessary. CDO will re-run the job on only the failed actions. See Reinitiating a Bulk Operation that Resulted in a Failed Action for more information. 

CLI Logging

Whenever you use CDO to execute a CLI command on an ASA, the command and the results of the command are now logged in the device's changelog. In the example below, the entry for CLI Execution row shows what commands were sent and the Changed ASA Config row shows what was changed in the configuration file as a result of the commands.

cli_changelog_entry.png

 

October 2017

October 19, 2017

Bulk Onboarding of ASAs

You can now onboard multiple ASAs to CDO in a single batch. See Bulk Onboarding ASAs for more information.

Shared Network Policies

Cisco Defense Orchestrator (CDO) finds identical network policies used by multiple ASAs and identifies them on the network policy page. If you have a shared network policy, you can change it once and distribute the change to the other devices that share the policy. This keeps network policies consistent across devices. See Shared Network Policies for more information.

Filter Change Logs by Time and Date

You can now filter events in the change log by time and date. Navigate Monitoring > Change Log and find this time and date calendar in the filter bar:

change_log_time_range.png

October 12, 2017

Packet Tracer

Packet tracer helps you troubleshoot access and policy issues. Packet tracer sends a synthetic packet into the network and evaluates how the saved routing configuration, NAT rules, and policy configurations interact with that packet. For example, if a rule is dropping packets, packet tracer identifies that rule for you and gives you a link to it, so you can evaluate it and edit it. Packet tracer can be used on a live, online, physical or virtual Adaptive Security Appliance (ASA). Read ASA Packet Tracer for more information.

pt_troubleshoot_pointer.png

October 5, 2017

New Screencast!

youtube.png  New screencast demonstrating how you can use CDO to upgrade a single ASA or two ASAs configured as an active/standby failover pair.

 

September 2017

September 28, 2017

Updated Documentation

September 14, 2017

CDO Service Status Page

CDO maintains a customer-facing service status page at https://status.defenseorchestrator.com/. The page shows if the CDO service is up and any service interruptions it may have had. You can view up-time information with daily, weekly, or monthly graphs. 

On the status page, you can click Subscribe to Updates to receive a notification if the CDO service goes down.

CDO Support Page

Customers can now get support through the CDO interface:

  • Paying customers should open support cases directly with Cisco's Technical Assistance Center (TAC) by clicking Support Case Manager on the new Contact Support page. 
  • All demo, internal, and trial customers can send email to cdo.support@cisco.com by entering their question in the details request form on the Contact Support page. A member of our support staff will respond as soon as possible.

See CDO Support for more information on these new services. 

September 7, 2017

External Links for Devices

You can now create a hyperlink to an external resource and associate it with a device you manage with CDO. You could use this feature to create a convenient link to a search engine, documentation resource, a corporate wiki, or any other URL you choose. You can associate as many external links with a device as you want. You can also associate the same link with multiple devices at the same time. See External Links for Devices for more information about this feature.

August 2017

August 17, 2017

New Object Functions
  • Resolving Duplicate, Inconsistent, and Unused Objects: When resolving object issues, you will have better visibility into network and services objects. You see a consolidated view of all the objects in the group, making it easier to compare object to object. You also have command buttons to resolve object issues by merging, renaming, or ignoring them.  
  • New object filtering: More precise search capabilities to find the objects you are looking for.

August 10, 2017

Upgrades to ASAs configured as an Active/Standby Failover Pair

CDO has extended the functionality of the upgrade wizard to include upgrading ASAs configured as an active/standby failover pair. You use the same wizard functionality as you did for upgrading individual ASAs but now you can upgrade an active/standby failover pair.  See Upgrading ASA and ASDM Images in an Active-Standby Pair for more information about this feature.

August 3, 2017

Upgrades to Individual ASAs in Single Context or Multi-Context Mode

CDO now provides a wizard that allows you to upgrade the ASA and ASDM images installed on an individual ASA in single or context or multi-context mode. We make the process easy by performing all the necessary upgrade steps behind the scenes. The wizard guides you through the process of choosing compatible ASA Software and ASDM images, installing them, and rebooting the device to complete the upgrade. We secure the upgrade process by validating that the images you chose on CDO are the ones copied to, and installed on, your ASA.

Click in the details pane of the Devices & Services page to start your upgrade. See Upgrading ASA and ASDM Images for more information.

June 2017

June 20, 2017

Export Devices & Services List

You can now export your Devices & Services list to a comma-separated value (.csv) file. From there, you can open the file in a spreadsheet application such as Microsoft Excel to sort and filter the items in your list.

export_devices_services_button.png

See "Exporting Devices and Services List" for more information about this feature.

June 13, 2017

ASA Configuration Restore

You can now return an ASA to one of its previously saved configurations. This is a convenient way to remove a configuration change that had unexpected or undesired results. Choose the ASA configuration you want to restore, CDO shows you a comparison of that configuration and the last configuration saved to memory, and if you are satisfied that you are restoring the desired configuration you can restore it.

restore_configuration_button.png

See "Restoring ASA Configurations" for more information on this feature. 

May 2017

May 3, 2017

Change Request Management. 

You can now associate a change request and its business justification, opened in a separate ticketing system, with an event in the Change Log. Change request management allows you to create a change request in CDO, identify it with a unique name, enter a description of the change, and associate the change request with change log events. You can later search the Change Log for the change request name. 

For more information, read Change Request Management.

 

April 2017

Improved search: The "Devices and services" search bar now supports partial matches, making easier to find the device you want.

VPN: Various usability improvements.

February 2017

Cisco Defense Orchestrator New EMEA Site
Application Visibility Control (AVC) Identity Profile Support

January 2017

Read only IPSec VPN Tunnel Management

Cisco Defense Orchestrator now supports parsing and processing of IPsec Site-to-Site VPN ASA device configurations. A network-based VPN tunnel diagram is available and provides a complete view of all tunnels connected to a single peer, its tunnel details including the access policies, key exchange encryption, and its connectivity status. CDO also provides a complete view of all tunnels available in the configuration of an organization’s onboarded ASA devices. CDO’s new VPN management capabilities provides organization and network operations engineers to:

  • Visualize their entire VPN tunnels both on a per device basis as well as across all devices

  • Easily identify tunnel misconfiguration by using the tunnel connectivity state and at a glance view of its access policy and cryptomap encryption

VPNs are secure but must be configured properly to ensure stable and secure communication. CDO can help by enabling users an organizational view of their VPN configurations to facilitate the reduction of bloated and outdated policies.

Network and Service Single Object Support 

In addition to Object Group support available today, Cisco Defense Orchestrator now enables creation of a single object of both network and service type during Access Rule modification, or directly from the Objects page.

  • Was this article helpful?