Why Does Cisco Defense Orchestrator "Read" an ASA Policy?
In order to manage an ASA, Cisco Defense Orchestrator (CDO) must have it's own stored copy of the ASA's running configuration file. When CDO "reads" a policy from an ASA, it takes a copy of the ASA's running configuration file and saves the copy in its own file system. The CDO user makes changes to CDO's copy of the ASA's configuration until it's time to deploy those changes back to the ASA.
The first time CDO reads and saves a copy of an ASA configuration file is when the ASA is onboarded to CDO. Every other time CDO reads a copy of the ASA running configuration file, it completely overwrites the copy of the configuration file it maintains in its own file system. It does not selectively overwrite differences in the two versions. If you have any configuration changes that have not been saved to the ASAs running configuration file, those changes will be lost when the "read" action occurs.
So that the configuration information on the ASA and the configuration information stored on CDO are the same, you "read" the running configuration file information from the ASA and store it on CDO.
Reading the ASA policy to CDO overwrites the copy of the configuration file stored in CDO's database including any changes that have not been "deployed" to the ASA.
To read changes from the ASA to CDO follow this procedure:
- On the navigation bar, click Devices & Services.
- Select the device whose configuration it is you want to read.
- Click Read Policy in the Sync pane at the right.
- Compare the two configurations presented to you. The configuration labeled "Staged for Sync" is the configuration stored on CDO. The configuration labeled "Found on Device" is the configuration saved on the ASA.
- Click Continue to read the policy on the ASA to Defense Orchestrator.