Skip to main content



Cisco Defense Orchestrator

Read Configuration Changes from Cisco IOS or SSH to CDO

Why Does CDO "Read" a Cisco IOS or SSH Policy?

In order to manage a Cisco IOS or SSH device, Cisco Defense Orchestrator (CDO) must have its own stored copy of the device's running configuration file. When CDO "reads" a policy from the device, it takes a copy of the device's running configuration file and saves the copy in its own database. Your change are saved to CDO's copy of the configuration file until it is time to save them back to the device.

The first time CDO reads and saves a copy of the device's configuration file is when it is onboarded to CDO. Every other time CDO reads a copy of the device's running configuration file, it completely overwrites the copy of the configuration file it maintains in its own database. CDO does not selectively overwrite differences in the two versions. If you have any configuration changes that have not been saved to the device's running configuration file, those changes will be lost when the "read" action occurs. 


So that the configuration information on the device and the configuration information stored on CDO are the same, you may want CDO to "read" the running configuration file from the device and store it in its own database.

Reading the device's policy to CDO overwrites the copy of the configuration file stored on CDO's local database including any changes that have not been "deployed" to the device.

To read the configuration file from Cisco IOS or an SSH device to CDO, follow this procedure:

  1. On the navigation bar, click Devices & Services.
  2. Select the device whose configuration it is you want to read. 
  3. Click Read Policy in the Sync pane on the right.
  4. If there are no difference between the configuration stored in CDO and the configuration stored on the device, you see the message, "Your device's configuration is up-to-date." and the Configuration Status field for the device in the Devices & Services table shows "Synced." You are done. 
  5. If there has been a change made to the device directly, the configuration status for the device in the Devices & Services table changes to "Conflict Detcted." 
  6. Click Review Conflict in the Conflict Detected pain on the right to resolve the conflict. See Resolve Conflict Detected Status for more information. 

Note: As CDO does not support deploying changes to the devices outside of the command line interface, your only choice will be to select Accept the out-of-band changes when resolving the conflict. 

  1. Click Continue to read the policy from the device to CDO or click Cancel.