Skip to main content



Cisco Defense Orchestrator

Read Configuration Changes from an ASA to Defense Orchestrator

Why Does Defense Orchestrator "Read" an ASA Policy?

In order to manage an ASA, Defense Orchestrator must have it's own stored copy of the ASA's running configuration file. When Defense Orchestrator "reads" a policy from an ASA, it takes a copy of the ASA's running configuration file and saves the copy in its own file system. The Defense Orchestrator user makes changes to the Defense Orchestrator's copy of the configuration file until it is time to save the change back to the ASA.

The first time Defense Orchestrator reads and saves a copy of an ASA configuration file is when the ASA is onboarded to Defense Orchestrator. Every other time Defense Orchestrator reads a copy of the ASA running configuration file, it completely overwrites the copy of the configuration file it maintains in its own file system. It does not selectively overwrite differences in the two versions. If you have any configuration changes that have not been saved to the ASAs running configuration file, those changes will be lost when the "read" action occurs. 

Read Changes From the Device

Every 10 minutes, Defense Orchestrator searches for changes made directly to the ASA without using Defense Orchestrator. The changes may have been made using ASDM or through the command line interface to the ASA. Defense Orchestrator refers to these changes as "out of band" changes. When this happens, the ASA will be in the "Conflict Detected" state.

So that the configuration information on the ASA and the configuration information Defense Orchestrator are the same, you may want Defense Orchestrator to "read" the running configuration file information from the ASA and store it on Defense Orchestrator.

Reading the ASA policy to Defense Orchestrator overwrites the copy of the configuration file stored on Defense Orchestrator's local file system including any changes that have not been "written" to the ASA.

To read changes from the ASA to Defense Orchestrator follow this procedure:

  1. On the navigation bar, click Devices & Services.
  2. Select the device whose configuration it is you want to read. 
  3. Click Read Policy in the Sync pane at the right.
  4. Compare the two configurations presented to you. The configuration labeled "Staged for Sync" is the configuration stored on Defense Orchestrator. The configuration labeled "Found on Device" is the configuration saved on the ASA.
  5. Click Continue to read the policy on the ASA to Defense Orchestrator or click Cancel.
  • Was this article helpful?