Cisco Defense Orchestrator

Write Configuration Changes from Defense Orchestrator to an ASA

Why Does Defense Orchestrator Write Changes to an ASA?

The edits you make to an ASA's configuration using the Defense Orchestrator's GUI or Device Configuration page are saved to a copy of the device's configuration stored on Defense Orchestrator. Those changes don't take effect on the ASA until you "write" them to the device. Until the changes you make on Defense Orchestrator are written to the ASA, they are referred to as "staged" changes on Defense Orchestrator. 

For example, a policy change you make to an ASA security policy using Defense Orchestrator isn't enforced immediately by the ASA until you "write" the changes from Defense Orchestrator to the device and the device's running configuration gets updated.

Some Changes are Written Directly to the ASA

If you use the CLI interface or CLI Macro interface on Defense Orchestrator to make a change to an ASA, those changes are not "staged" on Defense Orchestrator. They are written directly to the running configuration of the ASA. When you make changes that way, your device remains "synced" and you do not have to "write" the changes to the device.

About Writing Configuration Changes

This section assumes you are using Defense Orchestrator's GUI or editing the Device Configuration page, not using Defense Orchestrator's CLI interface or CLI macro interface, to make changes to an ASA configuration file.

Updating an ASA configuration is a two-step process. 

  1. Make changes on CDO using one of these methods:
  • The Defense Orchestrator GUI
  • The device configuration on the Device Configuration page
  2. After you make your changes, return to the Devices & Services page and then Preview and Write... the change to the device.

When Defense Orchestrator updates an ASA's running configuration with the one staged on Defense Orchestrator, or when it replaces the configuration stored on Defense Orchestrator with the running configuration from the ASA, it attempts to change only the relevant lines of the configuration file if that aspect of the configuration can be managed by the Defense Orchestrator GUI. If the desired configuration change cannot be made using the Defense Orchestrator GUI, Defense Orchestrator attempts to overwrite the entire configuration file to make the change.

Here are two examples:

  • You can create or change a network object using the Defense Orchestrator GUI. If Defense Orchestrator needs to write that change to an ASA's configuration, it would overwrite the relevant lines of the running configuration file on the ASA when the change occurs.
  • You cannot create a new local ASA user using the Defense Orchestrator GUI but you can create one by editing the ASA's configuration on the Device Configuration page. If you add a user on the Device Configuration page, and you write that change to the ASA, Defense Orchestrator will try to save that change to the ASA's running configuration file by overwriting the entire running configuration file.

Write Configuration Changes Made Using the Defense Orchestrator GUI

  1. After you make a configuration change using the Defense Orchestrator GUI and save your change, that change is saved in Defense Orchestrator's stored version of the ASA's running configuration file.
  2. Return to the device on the Devices & Services page. You should see that the device is now "Not synced."
  3. In the Not Synced pane, click Preview and Write.... 
  4. Review the commands that will change the ASA configuration file.
  5. If you are satisfied with the commands, choose a Configuration Recovery Preference.

Note: If you choose "Let me know and I will restore the configuration manually." click View Manual Synchronization Instructions before continuing. 

  6. Click Apply Changes to Device.
  7. Click OK to acknowledge the success message.

Write Configuration Changes Using Defense Orchestrator's CLI Interface

  1. Open the Devices & Services page.
  2. Select the device whose configuration you want to change.
  3. Click >_Command Line Interface in the Actions pane.
  4. If there are any commands in the command line interface table, click Clear to remove them. 
  5. In the top box of the command line interface table, enter your commands at the command prompt. You can run a single command, run several commands in a batch by entering each command on its own line, or enter a section of a configuration file as a command. Here are some examples of commands you can enter in the command line interface table:

A single command creating the network object "albany"

object network albany
host 209.165.30.2

Multiple commands sent together:

object network albany
host 209.165.30.2
object network boston
host 209.165.40.2
object network cambridge
host 209.165.50.2

A section of a running configuration file entered as a command:

interface GigabitEthernet0/5
 nameif guest
 security-level 0
 no ip address

Note: Defense Orchestrator does not require you to move between EXEC mode, Privileged EXEC mode, and Global Configuration mode. It interprets the command you enter in the proper context.   

  6. After you have entered your commands, click Send. After Defense Orchestrator has successfully written the changes to the ASA's running config file, you receive the message, Done!
  7. To save the changes to the ASA startup configuration file, enter write memory in the command line interface table and send the command.

Write Configuration Changes by Editing the Device Configuration

Caution: This procedure is for advanced users who are familiar with the syntax of an ASA config file. This method makes changes directly to the running configuration file stored on Defense Orchestrator. 

  1. Open the Devices & Services page.
  2. Select the device whose configuration you want to change.
  3. Click View Configuration in the Actions pane.
  4. Click Edit
  5. Make your changes to the running configuration and Save them.
  6. Return to the Devices & Services page. In the Not Synced pane, click Preview and Write...
  7. In the Device Sync pane, review the changes.
  8. Click Replace Configuration or Apply Changes to Device, depending on the kind of change.

Writing Configuration Changes for a Shared Object on Multiple Devices

Use this procedure when you are making changes to a policy or object shared by two or more devices. You can change a common policy on however many devices use it.

  1. Open and edit the Policies page or the Objects page containing the shared object you want to edit.
  2. Review the shared device list and confirm that you want to make the changes on all the devices mentioned.
  3. Click Confirm.
  4. Click Save.
  5. Open the Devices & Services page and write the changes to the affected devices.

Tip: If you are confident this was the only change made to both devices, you can bulk write the changes to the devices.
