Skip to main content

 

 

Cisco Defense Orchestrator

Write Configuration Changes from Defense Orchestrator to an ASA

Why Does Defense Orchestrator Write Changes to an ASA?

As you manage and make changes to a device's configuration with CDO, CDO saves the changes you make to its own copy of the configuration file. Those changes are considered "staged" on CDO until they are "written" to the device. Staged configuration changes have no affect on the network traffic running through the device. Only after CDO "writes" the changes to the device do they have an affect on the traffic running through the device. When CDO writes changes to the device's configuration, it only overwrites those elements of the configuration that were changed. It does not not overwrite the entire configuration file stored on the device. 

The ASA has a "running" configuration file, sometimes called the "running config" and a "startup" configuration file sometimes called the "startup config." The configuration stored in the running config file is enforced on traffic running through the ASA. After you make changes to the running config and you are happy with the behavior those changes produce, you can write them to the startup config. If the ASA is ever rebooted, it uses the startup config as its configuration starting point. Any changes you make to the running config that are not saved to the startup config are lost after an ASA is rebooted. 

When you write changes from CDO to an ASA, you are writing those changes into the running configuration file. After you are satisfied with the behavior those changes produce, you can write those changes to the startup configuration file. 

Some Changes are Written Directly to the ASA

If you use the CLI interface or CLI Macro interface on Defense Orchestrator to make a change to an ASA, those changes are not "staged" on CDO. They are written directly to the running configuration of the ASA. When you make changes that way, your device remains "synced" with CDO.

About Writing Configuration Changes

This section assumes you are using Defense Orchestrator's GUI or editing the Device Configuration page, not using Defense Orchestrator's CLI interface or CLI macro interface, to make changes to an ASA configuration file.

Updating an ASA configuration is a two-step process. 

  1. Make changes on CDO using one of these methods:
  • The Defense Orchestrator GUI
  • The device configuration on the Device Configuration page
  1. After you make your changes, return to the Devices & Services page and then Preview and Write... the change to the device.

When Defense Orchestrator updates an ASA's running configuration with the one staged on Defense Orchestrator, or when it changes the configuration on Defense Orchestrator with the running configuration stored on the ASA, it attempts to change only the relevant lines of the configuration file if that aspect of the configuration can be managed by the Defense Orchestrator GUI. If the desired configuration change cannot be made using the Defense Orchestrator GUI, Defense Orchestrator attempts to overwrite the entire configuration file to make the change. 

Here are two examples:

  • You can create or change a network object using the Defense Orchestrator GUI. If Defense Orchestrator needs to write that change to an ASA's configuration, it would overwrite the relevant lines of the running configuration file on the ASA when the change occurs.
  • You cannot create a new local ASA user using the Defense Orchestrator GUI but you can create one by editing the ASA's configuration on the Device Configuration page. If you add a user on the Device Configuration page, and you write that change to the ASA, Defense Orchestrator will try to save that change to the ASA's running configuration file by overwriting the entire running configuration file.

Write Configuration Changes Made Using the Defense Orchestrator GUI

  1. After you make a configuration change using the Defense Orchestrator GUI and save your change, that change is saved in Defense Orchestrator's stored version of the ASA's running configuration file.
  2. Return to the device on the Devices & Services page. You should see that the device is now "Not synced."
  3. In the Not Synced pane, click Preview and Write.... 
  4. Review the commands the commands that will change the ASA configuration file.
  5. If you are satisfied with the commands, choose a Configuration Recovery Preference.

Note: If you choose "Let me know and I will restore the configuration manually." click View Manual Synchronization Instructions before continuing. 

  1. Click Apply Changes to Device
  2. Click OK to acknowledge the success message.

Write Configuration Changes Using Defense Orchestrator's CLI Interface

  1. Open the Devices & Services page.
  2. Select the device whose configuration you want to change.
  3. Click >_Command Line Interface in the Actions pane.
  4. If there are any commands in the command line interface table, click Clear to remove them. 
  5. In the top box of the command line interface table, enter your commands at the command prompt. You can run a single command, several commands in a batch by entering each command on its own line, or entering a section of configuration file as a command. Here are some examples of commands you can enter in the command line interface table:

A single command creating the network object "albany"

object network albany
host 209.165.30.2

Multiple commands sent together:

object network albany
host 209.165.30.2
object network boston
host 209.165.40.2
obect network cambridge
host 209.165.50.2

A section of a running configuration file entered as a command:

interface GigabitEthernet0/5
 nameif guest
 security-level 0
 no ip address

Note: Defense Orchestrator does not require you to move between EXEC mode, Privileged EXEC mode, and Global Configuration mode. It interprets the command you enter in the proper context.   

  1. After you have entered your commands, click Send.  After Defense Orchestrator has successfully written the changes to the ASA's running config file, you receive the message, Done!
  2. After you send the command you may see the message, "Some commands may have made changes to the running config" along with two links.
  • Clicking Write to Disk saves the changes made by this command, and any other change in the running config, to the ASA's startup config. 
  • Clicking Dismiss, dismisses the message.

Write Configuration Changes by Editing the Device Configuration

Caution: This procedure is for advanced users who are familiar with the syntax of an ASA config file. This method makes changes directly to the running configuration file stored on Defense Orchestrator. 

  1. Open the Devices & Services page.
  2. Select the device whose configuration you want to change.
  3. Click View Configuration in the Actions pane.
  4. Click Edit
  5. Make your changes to the running configuration and Save them.
  6. Return to the Devices & Services page. In the Not Synced pane, click Preview and Write...
  7. In the Device Sync pane review the changes. 
  8. Click Replace Configuration or Apply Changes to Device depending on the kind of change it is. 

Writing Configuration Changes for a Shared Object on Multiple Devices

Use this procedure when you are making changes to a policy or object shared by two or more devices. You can change a common policy on however many devices use it.

  1. Open and edit the Policies page or the Objects page containing the shared object you want to edit.
  2. Review the shared device list and confirm that you want to make the changes on all the devices mentioned.
  3. Click Confirm.
  4. Click Save.
  5. Open the Devices & Services page and write the changes to the affected devices.

Tip: If you are confident this was the only change made to both devices you can bulk write the changes to the devices.