Cisco Defense Orchestrator

Deploy Configuration Changes from CDO to ASA

Why Does CDO Deploy Changes to an ASA?

As you manage and make changes to a device's configuration with Cisco Defense Orchestrator (CDO), CDO saves the changes you make to its own copy of the configuration file. Those changes are considered "staged" on CDO until they are "deployed" to the device. Staged configuration changes have no effect on the network traffic running through the device. Only after CDO "deploys" the changes to the device do they have an effect on the traffic running through the device. 

In most cases, when CDO deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. However, in some rare cases, CDO does need to overwrite the entire configuration on the device. When these cases arise, CDO explicitly informs the user and requires a double confirmation.

The ASA has a "running" configuration file, often called the "running-config," and a "startup" configuration file that is often called the "startup-config." The configuration stored in the running-config file is enforced on traffic passing through the ASA. After you make changes to the running-config and you are happy with the behavior those changes produce, you can deploy them to the startup-config. If the ASA is ever rebooted, it uses the startup-config as its configuration starting point. Any changes you make to the running-config that are not saved to the startup-config are lost after an ASA is rebooted. 

When you deploy changes from CDO to an ASA, CDO first updates the running-config file on the ASA and then copies the running-config file to the startup-config file.

Deployments can be initiated for a single device or on more than one device simultaneously. You can schedule individual deployments or recurring deployments for a single device.

When Changes are Deployed Directly to the ASA and not Staged on CDO First

If you use the CLI interface or CLI Macro interface on CDO to make a change to an ASA, those changes are not "staged" on CDO. CDO writes them directly to the ASA's running-config file and then copies the running-config file to the startup-config file. When you make changes that way, your device remains "synced" with CDO.

Deploy Configuration Changes Made Using the CDO GUI

  1. After you make a configuration change using the CDO GUI and save your change, that change is saved in CDO's stored version of the ASA's running-config file.

When CDO updates an ASA's running-config with the one staged on CDO, or when it updates the configuration stored on CDO with the running-config stored on the ASA, it attempts to change only the relevant lines of the configuration file if that aspect of the configuration can be managed by the CDO GUI. If the desired configuration change cannot be made using the CDO GUI, CDO attempts to overwrite the entire running-config file to make the change.

  2. Return to the device on the Devices & Services page. You should see that the device is now "Not synced."
  3. Deploy the changes using one of these methods:
  • Click the Deploy icon at the top-right of the screen. This gives you a chance to review the changes you made to the device before you deploy them. Check the device you made changes to, expand the device to review the changes, and click Deploy Now to deploy the changes.

Note: If you see a yellow warning triangle next to your device on the Devices with Pending Changes screen, you cannot deploy a change to it. Hover your mouse over the warning triangle to learn why you can't deploy changes to the device.

  • In the Not Synced pane, click Preview and Deploy...
    1. Review the commands that will change the ASA configuration file.
    2. If you are satisfied with the commands, choose a Configuration Recovery Preference.

Note: If you choose "Let me know and I will restore the configuration manually." click View Manual Synchronization Instructions before continuing.

    3. Click Apply Changes to Device.
    4. Click OK to acknowledge the success message.

Scheduling Automatic Deployments 

You can also configure your tenant to schedule deployments to a single device or all devices with pending changes by scheduling automatic deployments.

Deploy Configuration Changes Using CDO's CLI Interface

  1. Open the Devices & Services page.
  2. Select the device whose configuration you want to change.
  3. Click >_Command Line Interface in the Actions pane.
  4. If there are any commands in the command line interface table, click Clear to remove them. 
  5. In the top box of the command line interface table, enter your commands at the command prompt. You can run a single command, run several commands as a batch by entering each command on its own line, or enter a section of a configuration file as a command. Here are some examples of commands you can enter in the command line interface table:

A single command creating the network object "albany":

object network albany
host 209.165.30.2

Multiple commands sent together:

object network albany
host 209.165.30.2
object network boston
host 209.165.40.2
object network cambridge
host 209.165.50.2

A section of a running-config file entered as a command:

interface GigabitEthernet0/5
 nameif guest
 security-level 0
 no ip address

Note: CDO does not require you to move between EXEC mode, Privileged EXEC mode, and Global Configuration mode. It interprets the command you enter in the proper context.   

  6. After you have entered your commands, click Send. After CDO has successfully deployed the changes to the ASA's running-config file, you receive the message, Done!
  7. After you send the command, you may see the message, "Some commands may have made changes to the running-config" along with two links.
  • Clicking Deploy to Disk saves the changes made by this command, and any other change in the running-config, to the ASA's startup-config.
  • Clicking Dismiss dismisses the message.

Deploy Configuration Changes by Editing the Device Configuration

Caution: This procedure is for advanced users who know the syntax of an ASA configuration file. This method makes changes directly to the ASA's running-config file stored on the device and is not a recommended workflow for change management.

  1. Open the Devices & Services page.
  2. Select the device whose configuration you want to change.
  3. Click View Configuration in the Actions pane.
  4. Click Edit.
  5. Make your changes to the running-config file stored on CDO and Save them.
  6. Return to the Devices & Services page. In the Not Synced pane, click Preview and Deploy...
  7. In the Device Sync pane review the changes. 
  8. Click Replace Configuration or Apply Changes to Device depending on the kind of change it is. 
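
A review aid for the "review the changes" steps in the procedures above (Preview and Deploy, and the Device Sync pane), added here as an example and not part of CDO or Cisco's own tooling: it groups two ASA-style configuration texts into stanzas and reports what deploying the staged copy would add, remove, or change. It assumes you have both configurations as plain text; the sample configs, the object `dallas`, the security-level values, and the function names are constructed for illustration.

```python
# Added example: stanza-level diff of two ASA-style configs (constructed samples).
DEVICE_RUNNING = """\
interface GigabitEthernet0/5
 nameif guest
 security-level 50
!
object network albany
 host 209.165.30.2
object network dallas
 host 209.165.60.2
"""
STAGED = """\
interface GigabitEthernet0/5
 nameif guest
 security-level 0
!
object network albany
 host 209.165.30.2
object network boston
 host 209.165.40.2
"""

def parse_stanzas(text):
    """Map each column-0 line to the indented lines that follow it."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in "!:":   # blank, separator or comment line
            continue
        if line[0].isspace() and current is not None:
            stanzas[current].append(line.strip())
        elif not line[0].isspace():
            current = line
            stanzas.setdefault(current, [])
    return stanzas

def diff_configs(device_text, staged_text):
    """Return (added, removed, changed) going from device to staged.
    Ordering of top-level lines (e.g. ACL entries) is not compared."""
    old, new = parse_stanzas(device_text), parse_stanzas(staged_text)
    added = {h: new[h] for h in new if h not in old}
    removed = {h: old[h] for h in old if h not in new}
    changed = {h: {"removed": [l for l in old[h] if l not in new[h]],
                   "added": [l for l in new[h] if l not in old[h]]}
               for h in old.keys() & new.keys() if old[h] != new[h]}
    return added, removed, changed

if __name__ == "__main__":
    print(diff_configs(DEVICE_RUNNING, STAGED))
```

A stanza in `removed` that you did not intend to delete usually means the staged copy is older than the device's running-config, which is worth resolving before deploying.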

Deploying Configuration Changes for a Shared Object on Multiple Devices

Use this procedure when you are making changes to a policy or object shared by two or more devices. You can change a common policy on however many devices use it.

  1. Open and edit the Policies page or the Objects page containing the shared object you want to edit.
  2. Review the shared device list and confirm that you want to make the changes on all the devices mentioned.
  3. Click Confirm.
  4. Click Save.
  5. Click the Deploy icon and deploy your changes to the affected devices.