Managing FMC with Cisco Defense Orchestrator

About Firepower Management Centers

Note: FMC support is limited to onboarding, viewing its managed devices, and cross-launching to the FMC UI for FMC devices running Version 6.4 or later. Additional FMC features will be supported soon. For functionality that may not be supported by CDO at this time, you must use the FMC console. See the Firepower Management Center Configuration Guide of the version your system is running.

The Firepower Management Center (FMC) is a centralized management console with a graphical user interface that you can use to perform administrative, management, analysis, and reporting tasks. It is a management console that is comparable, but not identical, to ASDM and FDM. For a list of FMC devices and software versions that CDO supports, see Software and Hardware support by CDO.

Note: An FMC can manage older devices, usually a few major versions back. For example, a Version 6.6.0 FMC can manage a Version 6.4.0 device. Be aware that if a managed device is disabled or unreachable, CDO may still display the device in the Devices & Services page, but cannot successfully send requests to it or view its device information.

How does CDO Communicate with an FMC

CDO acts as a REST API client to send requests to the FMC, and the FMC then uses its designated client to channel the requests to its managed devices. Because the FMC does not allow multiple logins with the same login credentials, we recommend creating a new user on the FMC, with administrator-level permissions, specifically for CDO communication. This new user must also be replicated on CDO, as either a CDO-provided Administrator or a custom user role with system and devices permissions. Without an admin login, CDO cannot successfully use REST API commands to modify or create policies, rules, or objects.
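The following is an added example, not Cisco's or CDO's code, illustrating why the dedicated FMC user matters: a REST API session object that logs in once and reuses its token, run against a constructed stand-in for an FMC that models the "one live login per credential" rule described above. The token endpoint path and the `X-auth-access-token` header name are assumed from the FMC platform API and should be confirmed in the FMC REST API guide for your release; the config path, user names and passwords are placeholders.

```python
"""Added example (not Cisco's code): a minimal REST API session for an FMC
that logs in once with a dedicated service account and reuses the token,
modelling the page's point that an FMC rejects a second login with
credentials that already have a live session."""
import base64
from typing import Callable, Dict, Optional, Tuple

# Assumed FMC platform API token endpoint and header name; confirm them in
# the FMC REST API guide for your release before relying on them.
GENERATE_TOKEN = "/api/fmc_platform/v1/auth/generatetoken"
ACCESS_HEADER = "X-auth-access-token"
# Placeholder config path; a real request carries the domain UUID here.
POLICY_PATH = "/api/fmc_config/v1/domain/DOMAIN-UUID-PLACEHOLDER/policy/accesspolicies"

# A transport is any callable (method, path, headers) -> (status, headers).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str]]]


class FmcSession:
    """Holds one token per credential and never re-sends the password while
    a token is held, so automation does not collide with its own logins."""

    def __init__(self, transport: Transport, username: str, password: str):
        self._transport = transport
        self._basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._token: Optional[str] = None
        self.logins = 0  # how many times the password was presented

    def _login(self) -> None:
        status, headers = self._transport(
            "POST", GENERATE_TOKEN, {"Authorization": f"Basic {self._basic}"})
        if status != 204 or ACCESS_HEADER not in headers:
            raise PermissionError(f"FMC login rejected with HTTP {status}")
        self._token = headers[ACCESS_HEADER]
        self.logins += 1

    def get(self, path: str) -> Tuple[int, Dict[str, str]]:
        if self._token is None:
            self._login()
        return self._transport("GET", path, {ACCESS_HEADER: self._token})


class FakeFmc:
    """Constructed stand-in for an FMC (not real FMC behaviour in detail):
    one live session per username, token returned in a response header."""

    def __init__(self, users: Dict[str, str]):
        self._users = users
        self._live: Dict[str, str] = {}  # username -> active token
        self._counter = 0

    def __call__(self, method: str, path: str, headers: Dict[str, str]):
        if method == "POST" and path == GENERATE_TOKEN:
            try:
                raw = headers.get("Authorization", "").split(" ", 1)[1]
                user, pw = base64.b64decode(raw).decode().split(":", 1)
            except (IndexError, ValueError):
                return 401, {}
            # Wrong password, or these credentials already hold a session.
            if self._users.get(user) != pw or user in self._live:
                return 401, {}
            self._counter += 1
            self._live[user] = f"tok-{self._counter}"
            return 204, {ACCESS_HEADER: self._live[user]}
        if headers.get(ACCESS_HEADER) in self._live.values():
            return 200, {}
        return 401, {}


def demo() -> Dict[str, object]:
    """Scenario: a human admin is logged in; automation reusing that admin's
    password fails, while a dedicated service account works and logs in once."""
    fmc = FakeFmc({"admin": "admin-pw-placeholder", "cdo-svc": "svc-pw-placeholder"})
    operator = FmcSession(fmc, "admin", "admin-pw-placeholder")
    operator.get(POLICY_PATH)  # the human admin now holds a live session
    try:
        FmcSession(fmc, "admin", "admin-pw-placeholder").get(POLICY_PATH)
        shared_creds_ok = True
    except PermissionError:
        shared_creds_ok = False
    svc = FmcSession(fmc, "cdo-svc", "svc-pw-placeholder")
    statuses = [svc.get(POLICY_PATH)[0] for _ in range(3)]
    return {"shared_creds_ok": shared_creds_ok,
            "svc_logins": svc.logins, "svc_statuses": statuses}


if __name__ == "__main__":
    print(demo())
```

Three requests from the service account cost one login, and the attempt to automate with the human administrator's credentials is refused while that administrator is signed in, which is exactly the collision the dedicated CDO user avoids.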

Onboard or Remove an FMC

You can onboard or remove an FMC at any time. The FMC and its registered device must be running at least Version 6.4 to be read by CDO. To onboard an FMC and its registered devices, see Onboard an FMC for more information. 
Once an FMC is onboarded, selecting the FMC or an FMC-managed device from the Devices & Services page automatically cross-launches the selected FMC's web UI in a new tab. Removing an FMC from your CDO tenant also removes the devices registered to that FMC. See Remove an FMC from CDO for more information.

If an FMC experiences an "Invalid Credentials" status after onboarding, you can reconnect the appliance. See Troubleshoot Invalid Credentials for more information.

Note: FMCs running Firepower 6.6 do not support the reconnect feature. We recommend removing the FMC and re-onboarding the appliance.

FMC High Availability Pairs

CDO does not support high availability (HA) functionality for FMC appliances. If a pair of FMC appliances is configured for HA, the pair is listed as two individual appliances in the Devices & Services page.

Devices Managed by an FMC

Once you onboard an FMC to CDO, all of the devices registered to that FMC are also read into CDO. From the Devices & Services page, you can see device information such as name, IP address, type of device, software version, and state. If you select a device that is currently managed by an FMC, CDO automatically launches the console of the FMC that manages that device.

Use the filter icon to further organize the Devices & Services page. From here you can opt to view all the onboarded FMCs or devices managed by an FMC, as well as the other supported device types. 

Eventing

Searching and filtering the Historical and Live event tables for specific events works the same way as searching and filtering for other information in CDO. See Searching for and Filtering Events in the Event Logging Page for more information.

Cisco Security Analytics and Logging 

Cisco Security Analytics and Logging allows you to capture connection, intrusion, file, malware, and Security Intelligence events from all of your Firepower Threat Defense (FTD) devices and view them in one place in Cisco Defense Orchestrator (CDO).

The events are stored in the Cisco cloud and viewable from the Event Logging page in CDO where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. The Logging and Troubleshooting package gives you these capabilities.

With the Firewall Analytics and Monitoring package, the system can apply Stealthwatch Cloud dynamic entity modeling to your FTD events, and use behavioral modeling analytics to generate Stealthwatch Cloud observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your FTD events and your network traffic, and generates observations and alerts. You can cross-launch from CDO to a Stealthwatch Cloud (SWC) portal provisioned for you, using Cisco Single Sign-On. See Cisco Security Analytics and Logging for more information.

Change Tracking

Change Log 

The change log continuously captures configuration changes as they are made in CDO. This single view includes changes across all supported devices and services. These are some of the features of the change log:

  • Side-by-side comparison of changes made to device configuration.
  • Plain-English labels for all change log entries.
  • Records on-boarding and removal of devices.
  • Detection of policy change conflicts occurring outside of CDO.
  • Answers who, what, and when during an incident investigation or troubleshooting.
  • The full change log, or only a portion, can be downloaded as a CSV file.

Change Request Management 

Change request management allows you to associate a change request and its business justification, opened in a third-party ticketing system, with an event in the Change Log. Use change request management to create a change request in CDO, identify it with a unique name, enter a description of the change, and associate the change request with change log events. You can later search the Change Log for the change request name.
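As an added example that is not CDO's code, the following small change-log model shows the features listed under Change Log together with the change-request association described above: each entry records who, what and when with a plain-English label, carries a diff of the device configuration before and after the change, is marked as made via CDO or first seen on the device (the out-of-band case a conflict check would flag), can be tagged with a change request name and found again by that name, and the log or any filtered slice can be exported as CSV. The column names, the sample configuration lines, the user names and the change request name are all constructed for this example.

```python
"""Added example (not CDO's code): a small change-log model showing the
features listed above: a diff of the device configuration per change,
plain-English labels, who/what/when, detection of changes made outside the
orchestrator, change-request tagging, and CSV export. Column names and the
sample configurations are constructed for this example."""
import csv
import difflib
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ChangeLogEntry:
    when: datetime
    who: str
    device: str
    label: str            # plain-English description of the change
    source: str           # "CDO" if made via CDO, "device" if first seen on the device
    diff: str             # unified diff of the configuration before/after
    change_request: Optional[str] = None


class ChangeLog:
    def __init__(self) -> None:
        self.entries: List[ChangeLogEntry] = []

    def record(self, who: str, device: str, label: str, before: str, after: str,
               source: str = "CDO", change_request: Optional[str] = None,
               when: Optional[datetime] = None) -> ChangeLogEntry:
        diff = "\n".join(difflib.unified_diff(
            before.splitlines(), after.splitlines(), "before", "after", lineterm=""))
        entry = ChangeLogEntry(when or datetime.now(timezone.utc), who, device,
                               label, source, diff, change_request)
        self.entries.append(entry)
        return entry

    def by_change_request(self, name: str) -> List[ChangeLogEntry]:
        """Later lookup by the change request's unique name."""
        return [e for e in self.entries if e.change_request == name]

    def out_of_band(self) -> List[ChangeLogEntry]:
        """Changes that reached the device without going through CDO; these are
        the candidates for a policy-change conflict."""
        return [e for e in self.entries if e.source != "CDO"]

    def to_csv(self, entries: Optional[List[ChangeLogEntry]] = None) -> str:
        """Export the whole log, or a filtered slice of it, as CSV text."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["when", "who", "device", "label", "source", "change_request", "diff"])
        for e in entries if entries is not None else self.entries:
            writer.writerow([e.when.isoformat(), e.who, e.device, e.label,
                             e.source, e.change_request or "", e.diff])
        return buf.getvalue()


# Constructed sample configurations for the demo (not from any real device).
BASE_CONFIG = "hostname ftd-edge-1\naccess-list OUTSIDE_IN permit tcp any host 10.0.0.5 eq 443\n"
CDO_CONFIG = BASE_CONFIG + "access-list OUTSIDE_IN permit tcp any host 10.0.0.6 eq 443\n"
DEVICE_CONFIG = CDO_CONFIG + "access-list OUTSIDE_IN permit tcp any any eq 22\n"


def demo() -> dict:
    log = ChangeLog()
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed timestamp
    log.record("alice", "ftd-edge-1", "Added access rule for 10.0.0.6:443",
               BASE_CONFIG, CDO_CONFIG, change_request="CR-PLACEHOLDER-42", when=t0)
    # A later read of the device shows a rule that nobody added through CDO.
    log.record("unknown (device)", "ftd-edge-1", "Configuration changed outside CDO",
               CDO_CONFIG, DEVICE_CONFIG, source="device", when=t0.replace(hour=11))
    cr = log.by_change_request("CR-PLACEHOLDER-42")
    oob = log.out_of_band()
    rows = list(csv.reader(io.StringIO(log.to_csv())))
    return {
        "cr_entries": len(cr),
        "cr_added_line": [l for l in cr[0].diff.splitlines() if l.startswith("+access-list")][0],
        "out_of_band_count": len(oob),
        "out_of_band_who": oob[0].who,
        "csv_rows": len(rows) - 1,  # minus the header row
    }


if __name__ == "__main__":
    print(demo())
```

During an investigation the `by_change_request` lookup answers "what was changed under this ticket", while `out_of_band` surfaces the entry whose diff shows a rule (here the constructed `any any eq 22` line) that no CDO user recorded, which is the kind of conflict the change log is meant to make visible.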