Skip to main content



Cisco Defense Orchestrator

Multiple Configuration Concept in Secure Firewall Cloud Native

The firewall can have multiple configurations split into ordered chunks. This provides users a workaround to Kubernetes limitations that restrict a single object's size to 1 MB. When the configuration is applied to the firewall in the cluster, the configurations are combined into a single configuration based on the order specified. CDO handles such split configurations by onboarding the firewall with multiple configurations and deploys configuration greater than 1 MB to the firewall.

Onboard a Secure Firewall Cloud Native with Multiple Configurations

When the firewall with multiple configurations is onboarded to CDO, the configuration parts are combined in the order specified. A user managing the firewall using CDO cannot determine how the configuration is chunked when deployed from CDO. It will be handled internally by CDO. 

Note: To split the configuration into multiple chunks after onboarding the firewall with a single configuration to CDO, you have to use the APIs to read the configuration back into CDO. However, subsequent deployment from CDO may change the organization of chunks. It is important to note that CDO doesn't change the semantics of the configuration. We recommend that you let CDO handle the chunking of the firewall configuration to CDO’s algorithms.

Note the following points while using the firewall's APIs:

  • If multiple configuration chunks have the same value in the order field, neither CDO nor a natively managed firewall provides any guarantee on the relative ordering of the chunks.
  • If a configuration chunk is missing a value in the order field, it will be appended to the end of the configuration file irrespective of whether you use CDO or native management tools. If multiple configuration chunks have no value in order fields, neither CDO nor a natively managed firewall provides any guarantee on the relative ordering of the chunks.

Deploy Configurations Greater than 1 MB to Secure Firewall Cloud Native

When deploying changes to the firewall, CDO automatically determines the size of the configuration chunks. If the size is greater than 1 MB, CDO splits the chunk into multiple smaller chunks, each smaller than 1 MB. CDO handles this internally; however, you can view how the configuration has been split using the APIs.

  • Was this article helpful?