


Cisco Defense Orchestrator

Managing Cisco Secure Firewall Cloud Native With CDO

Cisco Secure Firewall Cloud Native (CNFW) extends Cisco's industry-leading security to a cloud-native form factor, using Kubernetes (K8s) orchestration to achieve scalability and manageability. Amazon Elastic Kubernetes Service (Amazon EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud. Amazon EKS helps you provide highly available and secure clusters and automates key tasks such as patching, node provisioning, and updates.

Cisco Defense Orchestrator (CDO) allows you to onboard and manage a Secure Firewall Cloud Native that has already been created. Once onboarded, it can be managed like any other virtual ASA device in CDO.

CDO supports the following features:

  • Onboard Secure Firewall Cloud Native. You can use the URL of the cluster and Kubernetes token to onboard the firewall. 
  • Apply zero-day configuration to a Cisco Secure Firewall Cloud Native. When a Secure Firewall Cloud Native is created, it may not have a zero-day configuration. CDO allows you to onboard an uninitialized firewall and apply an initial configuration to it.
  • Manage firewall configuration. You can view, edit, and restore the configuration file of the firewall.
  • Read configuration changes. You can read the firewall's configuration file changes to CDO's database. 
  • You can create and modify objects and use them in different policies that handle ingress and egress traffic of the firewall. 
  • You can view, configure, and download IPv4 subnet pools on the firewall.
  • You can modify Remote Access VPN Configuration and connection profiles configured on the firewall. Note that you cannot upload new AnyConnect packages and AnyConnect client profiles to the firewall. You are also not allowed to create a new RA VPN configuration.
  • You can view real-time and historical data from active AnyConnect RA VPN sessions on the firewall.
  • Deploy configuration changes. You can deploy the changes you have made to the firewall. 
  • Out-of-band change detection. When you enable Conflict Detection, CDO checks the onboarded firewall for changes at a default time interval, which can be configured from the general settings page or overridden for a single device. If there is a change, the firewall's status changes to Conflict Detected, and you can resolve the conflict by either accepting or rejecting the changes.
  • Change Log. The change log captures all the changes you make on the firewall, both using CDO and out-of-band. 

Note: The following features are not supported on the firewall when it is managed using CDO:

  • You cannot create a new Remote Access VPN Configuration.
  • You cannot upgrade ASA and ASDM images. 
  • The ASA File Management wizard is unavailable.
  • CLI functionality is limited to read-only commands such as show, ping, traceroute, packet-tracer, failover, and shutdown. This is not a limitation of CDO. To make changes to the firewall, use the CDO UI to manipulate policies and objects. When the CLI interface is invoked, the bulk CLI interface screen appears.