Cisco Defense Orchestrator (CDO) is Cisco’s cloud-based management solution, which enables centralised management of security devices and policies. CDO provides the ability to share configuration such as network objects and policies across multiple Cisco devices (ASA, FTD, Meraki and IOS switches). CDO communicates with an organisation’s managed devices using a proxy called the Secure Device Connector (SDC), which can be either cloud-based or on premises. The SDC monitors CDO for commands and messages that need to be executed on the managed devices; it executes the commands on behalf of CDO and sends messages to CDO on behalf of the managed devices.
This post covers the basic onboarding of a Cisco ASAv and a Cisco FTDv device into CDO using a cloud-hosted SDC.
Onboard ASA
ASA Configuration
Before attempting to establish a connection from CDO to the ASA, inbound HTTPS access must be permitted from the CDO servers 35.157.12.126 and 35.157.12.15 to the outside interface.
Define a dedicated MGMT user account for CDO
Define a basic Access List
Define network objects
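As an added example (not the original post's configuration), the ASA CLI fragment below implements the three steps above: a dedicated CDO account, a basic outside access list and the network objects. The account name cdo-mgmt, the INSIDE-NET object and its 192.168.0.0/22 address are assumed; the SDC addresses are the EMEA addresses given in the post.

```text
! Dedicated local account for CDO (name assumed; replace the placeholder password).
! Privilege 15 gives CDO the full configuration access it needs to read and deploy.
username cdo-mgmt password <STRONG-PASSWORD> privilege 15
aaa authentication http console LOCAL

! HTTPS management access on the outside interface, limited to the two cloud SDC hosts.
! Note: interface ACLs do not filter traffic destined to the ASA itself, so these
! "http" statements, not OUTSIDE_IN, are what restrict who can reach the management API.
http server enable
http 35.157.12.126 255.255.255.255 outside
http 35.157.12.15 255.255.255.255 outside

! Network objects: the SDC hosts, plus an example /22 inside network (assumed values)
! that the verification section later edits to a /23 from the CDO dashboard.
object network CDO-SDC-EU-1
 host 35.157.12.126
object network CDO-SDC-EU-2
 host 35.157.12.15
object network INSIDE-NET
 subnet 192.168.0.0 255.255.252.0

! Basic access list applied inbound on outside, permitting only the ICMP reply types
! that CDO later imports as the OUTSIDE_IN policy.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside

! Confirm what was applied before onboarding.
show running-config http
show running-config object
```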
CDO Configuration
- Log in to the CDO Dashboard at https://www.defenseorchestrator.eu or https://defenseorchestrator.com
- Navigate to Devices & Services
- Click + select ASA
- Click Use Credentials
- Enter the Device Name and Device Location (IP address or FQDN)
- Enter the credentials (Username and Password)
- Click Connect
- Add labels (optional)
- Click Continue
- Click Finish
Onboard FTD
If you are connecting to the EU hosted CDO cloud service https://www.defenseorchestrator.eu then you must use the Use Credentials (Username/Password/IP Address) onboarding method. Registering with a token is not currently supported on the EU CDO servers.
- Before you start, ensure that the FTD is not registered in Smart Licensing
- You can only onboard FTDs managed locally by FDM; FTDs managed by an FMC cannot be managed by CDO.
FDM Configuration
The FTD can be managed from the CDO Cloud SDC using either the dedicated Management interface or the outside data interface. Using the dedicated management interface is best practice, as it allows the outside interface and routing to be reconfigured without fear of losing connectivity. However, in certain customer scenarios a dedicated management interface connected to the internet is not possible. The configuration below covers management via either the dedicated management interface or the outside data interface.
Management Access via OUTSIDE interface
If managing the FTD over the internet to the FTD’s outside interface, inbound HTTPS access must be permitted from the CDO SDC servers 35.157.12.126 and 35.157.12.15 for Europe, Middle East and Africa (EMEA) or 52.34.234.2 and 52.36.70.147 for United States.
- Navigate to Objects > Networks
- Click + to create a new host object
- Define a new object called CDO-SDC-EU-1, type HOST with an IP address of 35.157.12.126
- Define another object called CDO-SDC-EU-2, type HOST with an IP address of 35.157.12.15
- Navigate to Device: DEVICENAME > System Settings > Management Access
- Click Data Interfaces
- Click Create Data Interface
- From the drop-down list select outside interface
- Specify the allowed protocols as HTTPS
- Specify the Allowed Networks as CDO-SDC-EU-1 and CDO-SDC-EU-2
- Click Ok
- Click to deploy the configuration changes to the FTD
- From the CLI enter the command show running-config http to confirm the correct settings have been applied
Management Access via Management Interface
If the data interface is not being used for CDO management, then the management interface must have internet access in order to communicate with the Cloud SDC. If using an on-premises SDC, internet access from the management interface is not required.
- Navigate to Device: DEVICENAME > System Settings > Management Access
- Click Data Interfaces
By default, HTTPS and SSH are accessible on the management interface from any network, so connectivity from the Cloud SDC should work without any changes. Modify the allowed networks if required.
Policy Configuration
- Navigate to Policies > Access Control
- Define a basic policy
CDO Configuration
- Log in to the CDO Dashboard
- Navigate to Devices & Services
- Click + select FTD
- Click Use Credentials
- Enter the Device Name and Device Location (IP address or FQDN)
- Click Go
CDO will connect to the outside interface IP address on port 443. If an ISP router in front of the FTD is performing NAT, then port forwarding may need to be set up to forward TCP/443 to the FTD’s outside IP address.
Once connectivity has been established you will be prompted to enter the username and password.
- Enter the MGMT username and password
As of FTD 6.4 it is not possible to create additional MGMT user accounts to use as a dedicated CDO account.
- Click Connect
- Add labels (optional)
- Click Finish
Verification
We will now confirm that the ASA and FTD have successfully onboarded into CDO.
- Log in to the CDO Dashboard
- Navigate to Devices & Services
The devices should appear as Synced and Online
- Click the FTD object
You will observe the configuration options specific to this device
- Click Interfaces
You will notice that only the data interfaces are configurable. If the outside interface is used for CDO management, then be aware any changes made to the outside data interface could result in loss of connectivity to CDO.
- Navigate to Configuration > Objects
Observe that the objects defined either in FDM or on the ASA are present in the CDO Dashboard. You can confirm which device(s) the object is used on.
- Click one of the objects, you then have the ability to Edit the object
- Modify the object by changing the subnet mask
- Click Save
Notice the Devices with Pending Changes button changes
- Click the button
- Click the Device with the pending change
Scroll through the configuration and observe the change made, which is helpfully highlighted.
- Click Deploy Now
- Click the Jobs button (left hand side of the screen) to confirm when the change has been applied.
- Log in to the CLI of the ASA and run show running-config object
Observe that the subnet mask has been changed from /22 to /23
- Return to the CDO Dashboard
- Navigate to Policies > ASA Policies
Observe the ASA’s Access List called OUTSIDE_IN has been imported.
- Click the ACL
You will notice that the ICMP entries in the ACL all appear to be configured the same; the rule list does not distinguish between the ICMP echo-reply, time-exceeded and unreachable types defined in the actual ACL.
Click on one of the ICMP lines and you will notice that, at the bottom of the Network Policy section, CDO does define the ICMP Type correctly. In the screenshot below, we can confirm the ICMP Type is time-exceeded.
- Navigate to Policies > FTD / Meraki / AWS Policies
We can confirm the FTD’s policy has been imported
Clicking the policy will confirm the configuration, which should mirror what was configured using FDM.
Additional rules can be created by clicking the and then deploying to the device.
This post is just an overview of what is possible with CDO, hopefully enough to get you started.