Cisco Defense Orchestrator

Deploy Configuration Changes from CDO to ASA

Why Does CDO Deploy Changes to an ASA?

As you manage and make changes to a device's configuration with Cisco Defense Orchestrator (CDO), CDO saves the changes you make to its own copy of the configuration file. Those changes are considered "staged" on CDO until they are "deployed" to the device. Staged configuration changes have no effect on the network traffic running through the device. Only after CDO "deploys" the changes to the device do they have an effect on the traffic running through the device. When CDO deploys changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not overwrite the entire configuration file stored on the device. 

The ASA has a "running" configuration file, sometimes called the "running config" and a "startup" configuration file that is sometimes called the "startup config." The configuration stored in the running config file is enforced on traffic passing through the ASA. After you make changes to the running config and you are happy with the behavior those changes produce, you can deploy them to the startup config. If the ASA is ever rebooted, it uses the startup config as its configuration starting point. Any changes you make to the running config that are not saved to the startup config are lost after an ASA is rebooted. 

When you deploy changes from CDO to an ASA, you are writing those changes into the running configuration file. After you are satisfied with the behavior those changes produce, you can deploy those changes to the startup configuration file. 

Deployments can be initiated for a single device or on more than one device simultaneously. You can schedule individual deployments or recurring deployments for a single device.

Some Changes are Deployed Directly to the ASA

If you use the CLI interface or CLI Macro interface on CDO to make a change to an ASA, those changes are not "staged" on CDO. They are deployed directly to the running configuration of the ASA. When you make changes that way, your device remains "synced" with CDO.

About Deploying Configuration Changes

This section assumes you are using CDO's GUI or editing the Device Configuration page, not using CDO's CLI interface or CLI macro interface, to make changes to an ASA configuration file.

Updating an ASA configuration is a two-step process. 

  1. Make changes on CDO using one of these methods:
  • The CDO GUI
  • The device configuration on the Device Configuration page
  2. After you make your changes, return to the Devices & Services page and then click Preview and Deploy... to deploy the change to the device.

When CDO updates an ASA's running configuration with the one staged on CDO, or when it changes the configuration on CDO with the running configuration stored on the ASA, it attempts to change only the relevant lines of the configuration file if that aspect of the configuration can be managed by the CDO GUI. If the desired configuration change cannot be made using the CDO GUI, CDO attempts to overwrite the entire configuration file to make the change. 

Here are two examples:

  • You can create or change a network object using the CDO GUI. If CDO needs to deploy that change to an ASA's configuration, it would overwrite the relevant lines of the running configuration file on the ASA when the change occurs.
  • You cannot create a new local ASA user using the CDO GUI but you can create one by editing the ASA's configuration on the Device Configuration page. If you add a user on the Device Configuration page, and you deploy that change to the ASA, CDO will try to save that change to the ASA's running configuration file by overwriting the entire running configuration file.
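
The two cases above, as an added Python illustration that is not CDO's code or algorithm: it groups an ASA configuration into top-level blocks, compares a staged copy with the running config, and reports whether the difference could be applied line by line or needs the whole file replaced. The `GUI_MANAGED_PREFIXES` list, the function names, and the sample configurations are assumptions constructed for this example from the page's two cases.

```python
# Added illustration: not CDO's code. Mirrors the two examples on this page.
# Assumption: only the prefixes below count as "manageable in the CDO GUI";
# the page names network objects as such a case and local users as not.
GUI_MANAGED_PREFIXES = ("object network",)


def parse_blocks(config_text):
    """Group an ASA config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):  # skip blanks and separators
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())  # sub-mode command
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks


def plan_deploy(staged_text, running_text):
    """Return (mode, changed top-level lines) for reaching the staged config."""
    staged, running = parse_blocks(staged_text), parse_blocks(running_text)
    changed = sorted(h for h in staged.keys() | running.keys()
                     if staged.get(h) != running.get(h))
    if not changed:
        return "in-sync", []
    partial = all(h.startswith(GUI_MANAGED_PREFIXES) for h in changed)
    return ("apply-changed-lines" if partial else "replace-configuration"), changed


# Constructed sample configurations (not taken from a real device).
RUNNING = """\
object network albany
 host 192.0.2.10
interface GigabitEthernet0/5
 nameif guest
 security-level 0
 no ip address
"""
STAGED_OBJECT = RUNNING.replace("host 192.0.2.10", "host 192.0.2.20")
STAGED_USER = RUNNING + "username auditor password <placeholder> privilege 5\n"

if __name__ == "__main__":
    for name, staged in (("object edit", STAGED_OBJECT), ("new user", STAGED_USER)):
        print(name, "->", plan_deploy(staged, RUNNING))
```

Reviewing the list of changed top-level lines before deploying is the same check the Preview and Deploy step asks you to make by eye.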

Deploy Configuration Changes Made Using the CDO GUI

  1. After you make a configuration change using the CDO GUI and save your change, that change is saved in CDO's stored version of the ASA's running configuration file.
  2. Return to the device on the Devices & Services page. You should see that the device is now "Not synced."
  3. Deploy the changes using one of these methods:
  • Click the Deploy icon at the top-right of the screen. This gives you a chance to review the changes you made to the device before you deploy them. Check the device you made changes to, expand the device to review the changes, and click Deploy Now to deploy the changes.

Note: If you see a yellow warning triangle next to your device on the Devices with Pending Changes screen, you cannot deploy a change to it. Hover your mouse over the warning triangle to learn why you can't deploy changes to the device. 

  • In the Not Synced pane, click Preview and Deploy...
      1. Review the commands that will change the ASA configuration file.
      2. If you are satisfied with the commands, choose a Configuration Recovery Preference.

Note: If you choose "Let me know and I will restore the configuration manually." click View Manual Synchronization Instructions before continuing. 

      3. Click Apply Changes to Device.
      4. Click OK to acknowledge the success message.

Scheduling Automatic Deployments 

You can also configure your tenant to schedule deployments to a single device or all devices with pending changes by scheduling automatic deployments.

Deploy Configuration Changes Using CDO's CLI Interface

  1. Open the Devices & Services page.
  2. Select the device whose configuration you want to change.
  3. Click >_Command Line Interface in the Actions pane.
  4. If there are any commands in the command line interface table, click Clear to remove them. 
  5. In the top box of the command line interface table, enter your commands at the command prompt. You can run a single command, run several commands in a batch by entering each command on its own line, or enter a section of a configuration file as a command. Here are some examples of commands you can enter in the command line interface table:

A single command creating the network object "albany":

object network albany

Multiple commands sent together:

object network albany
object network boston
object network cambridge

A section of a running configuration file entered as a command:

interface GigabitEthernet0/5
 nameif guest
 security-level 0
 no ip address

Note: CDO does not require you to move between EXEC mode, Privileged EXEC mode, and Global Configuration mode. It interprets the command you enter in the proper context.   

  6. After you have entered your commands, click Send. After CDO has successfully deployed the changes to the ASA's running config file, you receive the message, Done!
  7. After you send the command you may see the message, "Some commands may have made changes to the running config" along with two links.
  • Clicking Deploy to Disk saves the changes made by this command, and any other change in the running config, to the ASA's startup config. 
  • Clicking Dismiss dismisses the message.

Deploy Configuration Changes by Editing the Device Configuration

Caution: This procedure is for advanced users who are familiar with the syntax of an ASA configuration file. This method makes changes directly to the running configuration file stored on CDO. 

  1. Open the Devices & Services page.
  2. Select the device whose configuration you want to change.
  3. Click View Configuration in the Actions pane.
  4. Click Edit.
  5. Make your changes to the running configuration and Save them.
  6. Return to the Devices & Services page. In the Not Synced pane, click Preview and Deploy...
  7. In the Device Sync pane review the changes. 
  8. Click Replace Configuration or Apply Changes to Device depending on the kind of change it is. 

Deploying Configuration Changes for a Shared Object on Multiple Devices

Use this procedure when you are making changes to a policy or object shared by two or more devices. You can change a common policy on however many devices use it.

  1. Open and edit the Policies page or the Objects page containing the shared object you want to edit.
  2. Review the shared device list and confirm that you want to make the changes on all the devices mentioned.
  3. Click Confirm.
  4. Click Save.
  5. Click the Deploy icon and deploy your changes to the affected devices.