Cisco Defense Orchestrator

Out-of-Band Changes on Devices

Out-of-band changes refer to changes made directly on the device without using CDO. These changes may be made using the device's command-line interface over an SSH connection or by using a local manager like the Adaptive Security Device Manager (ASDM) for the ASA or the Firepower Threat Defense Manager (FDM) for the FTD. An out-of-band change causes a conflict between the device's configuration stored on CDO and the configuration stored on the device itself.

Detecting Out-of-Band Changes on Devices

If Conflict Detection is enabled for an ASA, an FTD, or a Cisco IOS device, CDO polls the device every 10 minutes for any new changes made directly to the device's configuration outside of CDO.

If CDO finds that there are changes to the device's configuration that are not stored on CDO, it changes the Configuration Status of that device to the "Conflict Detected" state.
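The same kind of check can be run independently of CDO when auditing a device. The following is an added example, not Cisco's code and not a description of how CDO compares configurations: it diffs a stored configuration against the one read from the device and reports the changed lines. The volatile-line prefixes, the "No Conflict" label, the function names and the sample configurations are assumptions constructed for illustration.

```python
import difflib

# Assumption: header and checksum lines that change on every save and do not
# represent a real configuration change (ASA-style show running-config output).
VOLATILE_PREFIXES = (": Saved", ": Written by", ": Serial Number", "Cryptochecksum:")

def normalize(config_text):
    """Drop blank, separator and volatile lines so only real settings are compared."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or line.startswith(VOLATILE_PREFIXES):
            continue
        lines.append(line)
    return lines

def check_conflict(stored_config, device_config):
    """Return (status, changes); changes lists lines added or removed on the device."""
    stored, device = normalize(stored_config), normalize(device_config)
    matcher = difflib.SequenceMatcher(a=stored, b=device, autojunk=False)
    changes = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        changes += [("removed", line) for line in stored[i1:i2]]
        changes += [("added", line) for line in device[j1:j2]]
    # "Conflict Detected" is the state named on this page; "No Conflict" is a
    # hypothetical label used here for the matching case.
    return ("Conflict Detected" if changes else "No Conflict"), changes

# Constructed sample: the copy held by the management platform.
STORED = """: Saved
: Written by admin at 10:00:00 UTC
hostname edge-fw
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
Cryptochecksum:aaaa
"""
# Constructed sample: the device after someone added an SSH rule over the CLI.
DEVICE = """: Saved
: Written by operator at 10:07:31 UTC
hostname edge-fw
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 22
access-list OUTSIDE_IN extended deny ip any any
Cryptochecksum:bbbb
"""

if __name__ == "__main__":
    status, changes = check_conflict(STORED, DEVICE)
    print(status, *changes, sep="\n")
```

Reporting the changed lines alongside the status matters for review: an out-of-band change that widens an access list needs a different response than one that edits a description.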

When Defense Orchestrator detects a conflict, one of two conditions is likely:

  • There have been configuration changes made to the device directly that have not been saved to CDO’s database. 
  • In the case of an FTD, there may be “pending” configuration changes on the FTD that have not been deployed.

See Resolve Configuration Conflicts for more information about how to resolve configuration conflicts.