CDO Support for DHCP Addressing of FDM-Managed Devices

What happens if the IP address used by my FDM-managed device changes?

Cisco Defense Orchestrator (CDO) has many Adaptive Security Appliance (ASA) and FDM-managed device customers who have onboarded devices using the IP address assigned by their service provider via DHCP.

If the IP address of the device changes for any reason, whether that is a change to the static IP address or a new address assigned by DHCP, you can change the IP address that CDO uses to connect to the device and then reconnect the device.

The field has expressed concerns that, in the case of branch-deployed FDM-managed devices managed by CDO, a static IP address is required on the outside interface of the FDM-managed device, which in the view of some SEs precludes using CDO as a management solution when the outside interface of the FDM-managed device has a DHCP-assigned address.

However, this situation does not impact customers that have VPN tunnels to remote branch firewalls, and we know that the vast majority of customers have site-to-site tunnels from their branch offices back to their datacenters. Where a site-to-site VPN connects the branch devices to the central site, DHCP on the outside interface is not a concern, since CDO (and any management platform) can connect to the firewall via its inside interface, which is statically addressed (if so configured). This is a recommended practice, and we have CDO customers with many (1000+) devices using this deployment mode.

Also, the fact that an interface IP address is issued via DHCP does not preclude the customer from managing the device using that IP address. Again, this is not optimal, but the experience of periodically having to change the IP address in CDO has not been seen as a hurdle by customers. This situation is not exclusive to CDO; it happens with any manager that uses the outside interface, including ASDM, FDM, or SSH.