Welcome to Cisco Defense Orchestrator
What's New for Cisco Defense Orchestrator
March 2024
March 07, 2024
February 2024
February 13, 2024
January 2024
January 25, 2024
December 2023
December 14, 2023
December 07, 2023
November 2023
November 30, 2023
November 14, 2023
November 2, 2023
October 2023
October 26, 2023
October 19, 2023
October 12, 2023
October 05, 2023
September 2023
September 14, 2023
September 7, 2023
August 2023
August 31, 2023
August 17, 2023
August 3, 2023
July 2023
July 20, 2023
July 13, 2023
June 2023
June 29, 2023
June 15, 2023
June 8, 2023
June 5, 2023
June 1, 2023
April 2023
April 27, 2023
March 2023
March 23, 2023
January 2023
January 18, 2023
December 2022
December 15, 2022
December 1, 2022
October 2022
October 27, 2022
October 12, 2022
August 2022
August 4, 2022
June 2022
June 30, 2022
June 9, 2022
May 2022
May 12, 2022
April 2022
April 14, 2022
April 6, 2022
February 2022
February 03, 2022
January 2022
January 20, 2022
January 13, 2022
Basics of Cisco Defense Orchestrator
Create a CDO Tenant
Sign in to CDO
Initial Login to Your New CDO Tenant
Troubleshooting Login Failures
Migrate to Cisco Security Cloud Sign On Identity Provider
Troubleshooting Login Failures after Migration
Launch a CDO Tenant
Manage Super Admins on Your Tenant
About CDO Licenses
Cloud-Delivered Firewall Management Center and Threat Defense Licenses
More Supported Devices and Licenses
Secure Device Connector
Connect Cisco Defense Orchestrator to your Managed Devices
Deploy a Secure Device Connector Using CDO's VM Image
Deploy a Secure Device Connector on your own VM
Deploy Secure Device Connector and Secure Event Connector on Ubuntu Virtual Machine
Deploy a Secure Device Connector to vSphere Using Terraform
Deploy a Secure Device Connector on an AWS VPC Using a Terraform Module
Change the IP Address of a Secure Device Connector
Remove a Secure Device Connector
Rename a Secure Device Connector
Specify a Default Secure Device Connector
Update your Secure Device Connector
Using Multiple SDCs on a Single CDO Tenant
CDO Devices that Use the Same SDC
Software and Hardware Supported by CDO
ASA Support Specifics
Secure Firewall Threat Defense Device Support Specifics
Cloud Device Support Specifics
Switching and Routing Support Specifics
Browsers Supported in CDO
CDO Platform Maintenance Schedule
CDO Tenant Management
General Settings
User Settings
My Tokens
Tenant Settings
Enable Change Request Tracking
Prevent Cisco Support from Viewing your Tenant
Enable the Option to Auto-accept Device Changes
Default Conflict Detection Interval
Enable the Option to Schedule Automatic Deployments
Web Analytics
Configure a Default Recurring Backup Schedule
Tenant ID
Tenant Name
Tenant Notification Settings
Enable Email Subscribers
Add an Email Subscription
Edit Email Subscriptions
Delete an Email Subscription
Enable Service Integrations for CDO Notifications
Incoming Webhooks for Webex Teams
Incoming Webhooks for Slack
Incoming Webhooks for a Custom Integration
Logging Settings
Integrate Your SAML Single Sign-On with Cisco Defense Orchestrator
Renew SSO Certificate
API Tokens
API Token Format and Claims
Token Management
Generate an API Token
Renew an API Token
Revoke an API Token
Relationship Between the Identity Provider Accounts and Cisco Defense Orchestrator User Records
Login Workflow
Implications of this Architecture
Customers Who Use Cisco Security Cloud Sign On
Customers Who Have Their Own Identity Provider
Cisco Managed Service Providers
Related Topics
Manage Multi-Tenant Portal
Add a Tenant to a Multi-Tenant Portal
Delete a Tenant from a Multi-Tenant Portal
Manage-Tenant Portal Settings
Settings
Switch Tenant
The Cisco Success Network
Manage Users in CDO
View the User Records Associated with your Tenant
Active Directory Groups in User Management
Before You Begin
Add an Active Directory Group for User Management
Edit an Active Directory Group for User Management
Delete an Active Directory Group for User Management
Create a New CDO User
Create a Cisco Security Cloud Sign On Account for the New User
About Logging in to CDO
Before you Log In
Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
Create a CDO User Record with Your CDO Username
The New User Opens CDO from the Cisco Secure Sign-On Dashboard
User Roles in CDO
Read-only Role
Edit-Only Role
Deploy-Only Role
VPN Sessions Manager Role
Admin Role
Super Admin Role
Change The Record of the User Role
Add a User Account to CDO
Create a User Record
Create API Only Users
Edit a User Record for a User Role
Edit a User Role
Delete a User Record for a User Role
Delete a User Record
CDO Services Page
CDO Device and Service Management
Changing a Device's IP Address in CDO
Changing a Device's Name in CDO
Export a List of Devices and Services
Export Device Configuration
External Links for Devices
Create an External Link from your Device
Create an External Link to ASDM FDM
Create an External Link for Multiple Devices
Edit or Delete External Links
Edit or Delete External Links for Multiple Devices
Bulk Reconnect Devices to CDO
Moving Devices Between Tenants
Update Meraki MX Connection Credentials
Write a Device Note
CDO Inventory Information
CDO Labels and Filtering
Applying Labels to Devices and Objects
Labels and Tags in AWS VPC
Filters
Use CDO Search Functionality
Page Level Search
Global Search
Initiate Full Indexing
Perform a Global Search
CDO Command Line Interface
Using the Command Line Interface
Entering Commands in the Command Line Interface
Work with Command History
Bulk Command Line Interface
Bulk CLI Interface
Send Commands in Bulk
Work with Bulk Command History
Work with Bulk Command Filters
By Response Filter
By Device Filter
Command Line Interface Macros
Create a CLI Macro from a New Command
Create a CLI Macro from CLI History or from an Existing CLI Macro
Run a CLI Macro
Edit a CLI Macro
Delete a CLI Macro
Compare ASA Configurations Using CDO
ASA Bulk CLI Use Cases
Show all users in the running configuration of an ASA and then delete one of the users
Find all SNMP configurations on selected ASAs
ASA Command Line Interface Documentation
Command Line Interface Documentation
Restore an ASA Configuration
Restore a Secure Firewall ASA Configuration
Troubleshooting
Manage ASA and Cisco IOS Device Configuration Files
View a Device's Configuration File
Edit a Complete Device Configuration File
Procedure
Objects
Object Types
Shared Objects
Object Overrides
Unassociated Objects
Compare Objects
Filters
Object Filters
Configure Object Filters
When to Exclude a Device from Filter Criteria
Deleting Objects
Delete a Single Object
Delete a Group of Unused Objects
Create IP Address Pool
Network Objects
Create or Edit ASA Network Objects and Network Groups
Create an ASA Network Object
Create an ASA Network Group
Edit an ASA Network Object
Edit an ASA Network Group
Add Additional Values to a Shared Network Group in CDO
Edit Additional Values in a Shared Network Group in CDO
Deleting Network Objects and Groups in CDO
Create or Edit a Firepower Network Object or Network Groups
Create a Firepower Network Object
Create a Firepower Network Group
Edit a Firepower Network Object
Edit a Firepower Network Group
Add an Object Override
Edit Object Overrides
Add Additional Values to a Shared Network Group
Edit Additional Values in a Shared Network Group
Deleting Network Objects and Groups in CDO
Discover and Manage On-Prem Firewall Management Center Network Objects
Objects Associated with Meraki Devices
Create a Local Meraki Network Object
Create or Edit a Meraki Network Object or Network Group
Create a Meraki Network Object
Create a Meraki Network Group
Edit a Firepower Network Object or Network Group
Deleting Network Objects and Groups in CDO
URL Objects
Create or Edit an FDM-Managed URL Object
Create a Firepower URL Group
Edit a Firepower URL Object or URL Group
Application Filter Objects
Create and Edit a Firepower Application Filter Object
Create a Firepower Application Filter Object
Edit a Firepower Application Filter Object
Geolocation Objects
Create and Edit a Firepower Geolocation Filter Object
Edit a Geolocation Object
DNS Group Objects
Create a DNS Group Object
Edit a DNS Group Object
Delete a DNS Group Object
Add a DNS Group Object as an FDM-Managed DNS Server
Certificate Objects
About Certificates
Certificate Types Used by Feature
Configuring Certificates
Uploading Internal and Internal CA Certificates
Procedure
Uploading Trusted CA Certificates
Procedure
Generating Self-Signed Internal and Internal CA Certificates
Procedure
Trustpoint Objects
Adding an Identity Certificate Object Using PKCS12
Creating a Self-Signed Identity Certificate Object
Adding an Identity Certificate Object for Certificate Signing Request (CSR)
Adding a Trusted CA Certificate Object
Self-Signed and CSR Certificate Generation Based on Certificate Contents
About IPsec Proposals
Managing an IKEv1 IPsec Proposal Object
Create or Edit an IKEv1 IPsec Proposal Object
Managing an IKEv2 IPsec Proposal Object
Create or Edit an IKEv2 IPsec Proposal Object
About Global IKE Policies
Managing IKEv1 Policies
Create or Edit an IKEv1 Policy
Managing IKEv2 Policies
Create or Edit an IKEv2 Policy
RA VPN Objects
Configure Identity Sources for ASA
Determining the Directory Base DN
RADIUS Servers and Groups
Create an ASA Active Directory Realm Object
Edit an ASA Active Directory Realm Object
Create an ASA RADIUS Server Object or Group
Create an ASA RADIUS Server Object
Create an ASA RADIUS Server Group
Edit an ASA RADIUS Server Object or Group
Create ASA Remote Access VPN Group Policies
ASA Remote Access VPN Group Policy Attributes
Configure Identity Sources for FDM-Managed Device
Determining the Directory Base DN
RADIUS Servers and Groups
Create or Edit an Active Directory Realm Object
Create an FTD Active Directory Realm Object
Edit an FTD Active Directory Realm Object
Create or Edit a RADIUS Server Object or Group
Create a RADIUS Server Object
Create a RADIUS Server Group
Edit a RADIUS Server Object or Group
Create New RA VPN Group Policies
RA VPN Group Policy Attributes
AWS Security Groups and Cloud Security Group Objects
Sharing Objects Between AWS and other Managed Devices
Security Zone Object
Create or Edit a Firepower Security Zone Object
Create a Security Zone Object
Edit a Security Zone Object
Service Objects
Create and Edit ASA Service Objects
Create an ASA Service Group
Edit an ASA Service Object or Service Group
Create and Edit Firepower Service Objects
Create a Firepower Service Group
Edit a Firepower Service Object or Service Group
Create or Edit a Meraki Service Object
Create a Service Object
Create a Service Group
Edit a Service Object or a Service Group
Security Group Tag Group
Security Group Tags
Create an SGT Group
Edit an SGT Group
Add an SGT Group to an Access Control Rule
Syslog Server Objects
Create and Edit Syslog Server Objects
Edit Syslog Server Objects
Create a Syslog Server Object for Secure Logging Analytics (SaaS)
Procedure
ASA Time Range Objects
Create an ASA Time Range Object
Edit an ASA Time Range Object
Reading, Discarding, Checking for, and Deploying Changes
Read All Device Configurations
Read Configuration Changes from an ASA to CDO
Read Configuration Changes on ASA
Read Configuration Changes from FDM-Managed Device to CDO
Discard Changes Procedure
If Reverting Pending Changes Fails
Review Conflict Procedure
Accept Without Review Procedure
Read Changes from Cisco IOS or SSH to CDO
Preview and Deploy Configuration Changes for All Devices
Deploy Configuration Changes from CDO to ASA
About Deploying Configuration Changes
Deploy Configuration Changes Made Using the CDO GUI
Scheduling Automatic Deployments
Deploy Configuration Changes Using CDO's CLI Interface
Deploy Configuration Changes by Editing the Device Configuration
Deploying Configuration Changes for a Shared Object on Multiple Devices
Deploy Configuration Changes from CDO to FDM-Managed Device
Deploy Changes to a device
Cancelling Changes
Discarding Changes
Bulk Deploy Device Configurations
Preview and Deploy On-Prem Firewall Management Center Configurations
Scheduled Automatic Deployments
Schedule an Automatic Deployment
Edit a Scheduled Deployment
Delete a Scheduled Deployment
Check for Configuration Changes
Discard Changes
Discard On-Prem Firewall Management Center Configuration Changes
Out-of-Band Changes on Devices
Synchronizing Configurations Between Defense Orchestrator and Device
Conflict Detection
Enable Conflict Detection
Enable Conflict Detection for an On-Prem Firewall Management Center
Automatically Accept Out-of-Band Changes from your Device
Configure Auto-Accept Changes
Disabling Auto-Accept Changes for All Devices on the Tenant
Resolve Configuration Conflicts
Resolve "Not Synced" Status
Resolve "Conflict Detected" Status
Schedule Polling for Device Changes
Schedule a Security Database Update
Create a Scheduled Security Database Update
Edit a Scheduled Security Database Update
Monitoring and Reporting
Change Logs
ASA Change Log Specifics
Change Log Entries after Deploying to an ASA
Change Log Entries after Reading Changes from an ASA
Change Log Entries after Deploying to FDM-Managed Device
Change Log Entries after Reading Changes from an FDM-Managed Device
Viewing Change Log Diffs
Exporting the Change Log to a CSV File
Differences Between the Change Log Capacity in CDO and the Size of an Exported Change Log
Change Request Management
Enable Change Request Management
Create a Change Request
Associate a Change Request with a Change Log Event
Search for Change Log Events with Change Requests
Search for a Change Request
Filter Change Requests
Clear the Change Request Toolbar
Clear a Change Request Associated with a Change Log Event
Delete a Change Request
Disable Change Request Management
Use Cases
FDM-Managed Device Executive Summary Report
Generating FDM-Managed Device Executive Summary Reports
Jobs Page
Reinitiating a Bulk Operation that Resulted in a Failed Action
Cancelling Bulk Actions
Workflows Page
Network Address Translation
Order of Processing NAT Rules
Network Address Translation Wizard
Create a NAT Rule by using the NAT Wizard
Common Use Cases for NAT
Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
NAT Incoming FTP Traffic to an FTP Server
NAT Incoming HTTP Traffic to an HTTP Server
NAT Incoming SMTP Traffic to an SMTP Server
Translate a Range of Private IP Addresses to a Range of Public IP Addresses
Translate a Pool of Inside Addresses to a Pool of Outside Addresses
Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
Create a Twice NAT Rule
Onboard Devices and Services
Onboard Secure Firewall Threat Defense Devices
Onboard a Threat Defense Device
Onboard a Threat Defense Device
Managing an FDM-Managed Device from the Inside Interface
Manage an FDM-Managed Device from the Inside Interface
Managing an FDM-Managed Device from the Outside Interface
Manage the FDM-Managed Device's Outside Interface
Onboard an FDM-Managed Device to CDO
Onboard an FDM-Managed Device Using Username, Password, and IP Address
Onboard an FDM-Managed Device Running Software Version 6.4 or 6.5 Using a Registration Key
Unregister a Smart-licensed FDM-Managed Device
Procedure to Onboard an FDM-Managed Device Running Software Version 6.4 or 6.5 Using a Registration Key
Onboard an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key
Unregistering an FDM-Managed Device from Cisco Cloud Services
Procedure to Onboard an FDM-Managed Device Running Software Version 6.6+ Using a Registration Key
Onboard an FDM-Managed Device using the Device's Serial Number
Workflow and Prerequisites to Onboard the FDM-Managed Device Using Low-Touch Provisioning
Onboard a Secure Firewall Threat Defense Device With Low-Touch Provisioning
Onboard a Configured FDM-Managed Device using the Device's Serial Number
Onboard an FDM-Managed High Availability Pair
Onboard an FDM-Managed High Availability Pair with a Registration Key
Onboard an FDM-Managed HA Pair Running Version 6.4 or Version 6.5
Onboard an FDM-Managed HA Pair Running Version 6.6 or Version 6.7 and later
Onboard an FDM-Managed High Availability Pair
Onboard an FTD Cluster
Onboard a Clustered Secure Firewall Threat Defense Device
Applying or Updating a Smart License
Smart-License an FDM-Managed Device When Onboarding Using a Registration Key
Smart-License an FDM-Managed Device After Onboarding the Device Using a Registration Key or its Credentials
Updating an Existing Smart License of an FDM-Managed Device
Change the Smart License Applied to an FDM-Managed Device Onboarded Using a Registration Key
Change the Smart License Applied to an FDM-Managed Device Onboarded Using its Credentials
CDO Support for DHCP Addressing of FDM-Managed Devices
FDM-Managed Device Licensing Types
Virtual FDM-Managed Device Tiered Licenses
Viewing Smart-Licenses for a Device
Enabling or Disabling Optional Licenses
Impact of Expired or Disabled Optional Licenses
Create and Import a Firewall Device Manager Model
Export FDM-Managed Device Configuration
Import FDM-Managed Device Configuration
Delete a Device from CDO
Importing Device Configuration for Offline Management
Backing Up FDM-Managed Devices
Back up an FDM-Managed Device On-Demand
Procedure
Configure a Recurring Backup Schedule for a Single FDM-Managed Device
Procedure
Download the Device Backup
Edit a Backup
Delete a Backup
Managing Device Backup
Restore a Backup to an FDM-Managed Device
Onboard a Secure Firewall Threat Defense Device to the Cloud-Delivered Firewall Management Center
Onboarding Overview
Prerequisites to Onboard a Device to Cloud-delivered Firewall Management Center
Onboard a Device with a CLI Registration Key
Onboard a Device with Low-Touch Provisioning
Onboard a Device with a Serial Number
Onboard a Secure Firewall Threat Defense Cluster
Deploy a Threat Defense Device with AWS
Deploy a Threat Defense Device with an Azure VNet
Onboard an Azure VNet Environment
Onboard a Threat Defense Virtual Device with Azure VNet
Deploy a Threat Defense Device to Google Cloud Platform
Create VPC Networks for GCP
Deploy a Threat Defense Device on Google Cloud Platform
Troubleshooting
Troubleshoot Onboarding a Device to the Cloud-delivered Firewall Management Center Using the CLI Registration Key
Error: Device Remains in Pending Setup State After Onboarding
Troubleshoot Onboarding a Device to Cloud-delivered Firewall Management Center Using the Serial Number
Device is Offline or Unreachable
Error: Serial Number Already Claimed
Error: Claim Error
Error: Failed to Claim
Error: Provisional Error
Onboard ASA Devices
Onboard ASA Device to CDO
Onboard a High Availability Pair of ASA Devices to CDO
Onboard an ASA in Multi-Context Mode to CDO
Onboard Multiple ASAs to CDO
Pausing and Resuming Bulk Onboarding
Create and Import an ASA Model to CDO
Import ASA Configuration
Delete a Device from CDO
Onboard an On-Prem Firewall Management Center
Onboard an On-Prem Management Center
Onboard an On-Prem Firewall Management Center to CDO with Credentials
About Auto-Onboarding an On-Prem Firewall Management Center to CDO
Auto-Onboard an On-Prem Firewall Management Center with SecureX
Redirect CDO to an On-Prem Firewall Management Center
Remove an On-Prem Firewall Management Center from CDO
Migrate On-Prem Management Center Managed Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
About Migrating Threat Defense to Cloud-delivered Firewall Management Center
Supported Secure Firewall Management Center and Secure Firewall Threat Defense Software for Migration
Licensing
Supported Features
Unsupported Features
Migration Guidelines and Limitations for VPN Configuration
Managing Threat Defense Events and Analytics
Before You Begin Migration
Migrate Threat Defense to Cloud-delivered Firewall Management Center
View a Threat Defense Migration Job
Commit Migration Changes Manually to Cloud-delivered Firewall Management Center
View Migrated Devices
Generate a Threat Defense Migration Report
Delete a Migration Job
Enable Notification Settings
Troubleshoot Threat Defense Migration to Cloud
Verify Threat Defense Connectivity with Cloud-delivered Firewall Management Center
Onboard an Umbrella Organization
Umbrella License Requirements
Generate an API Key and Secret
Umbrella Organization ID
Onboarding an Umbrella Organization
Reconnect an Umbrella Organization to CDO
Cross-launch to the Umbrella dashboard
Delete a Device from CDO
Onboard Cisco Defense Orchestrator Integrations
Onboard an SSH Device
Onboard an SSH Device
Delete a Device from CDO
Onboard a Cisco IOS Device
Onboard a Cisco IOS Device
Create and Import an ASR or ISR Model
Download ASR or ISR Configuration
Import ASR or ISR Configuration
Delete a Device from CDO
Importing Device Configuration for Offline Management
Delete a Device from CDO
Onboard Meraki MX Devices
Onboard Meraki MX to Defense Orchestrator
Generate and Retrieve Meraki API Key
Onboard an MX Device to CDO
Onboard Meraki Templates to Defense Orchestrator
Generate and Retrieve Meraki API Key
Onboard a Meraki Template to CDO
Update Meraki MX Connection Credentials
Delete a Device from CDO
Onboard AWS Devices
Onboard an AWS VPC
Delete a Device from CDO
Onboard Duo Admin Panel
Generate Duo Admin Panel Credentials
Onboard the Duo Admin Panel to CDO
Upgrade Devices and Services
FDM Software Upgrade Paths
Other Upgrade Limitations
4100 and 9300 Series Devices
FDM-Managed Device Upgrade Prerequisites
Upgrade a Single FDM-Managed Device
Upgrade A Single FDM-Managed Device with Images from Cisco Defense Orchestrator's Repository
Upgrade a Single FDM-Managed Device with Images from your own Repository
Monitor the Upgrade Process
Bulk FDM-Managed Devices Upgrade
Upgrade Bulk FDM-Managed Devices with Images from Cisco Defense Orchestrator's Repository
Upgrade Bulk FDM-Managed Devices with Images from your own Repository
Monitor the Bulk Upgrade Process
Upgrade an FDM-Managed High Availability Pair
Upgrade an FDM-Managed HA Pair with Images from Cisco Defense Orchestrator's Repository
Upgrade an FDM-Managed HA Pair with Images from your own Repository
Monitor the Upgrade Process
Upgrade to Snort 3.0
Upgrade the Device and the Intrusion Prevention Engine Simultaneously
Upgrade the Intrusion Prevention Engine
Monitor the Upgrade Process
Revert From Snort 3.0 for FDM-Managed Device
Revert From Snort 3.0
Schedule a Security Database Update
Edit a Scheduled Security Database Update
Prerequisites for ASA and ASDM Upgrade in CDO
Upgrade Bulk ASA and ASDM in CDO
Upgrade Multiple ASAs with Images from your own Repository
Upgrade ASA and ASDM Images on a Single ASA
Upgrade ASA and ASDM Images in a High Availability Pair
Workflow
Upgrade ASA and ASDM Images in a High Availability Pair
Upgrade an ASA or ASDM Using Your Own Image
Managing On-Prem Firewall Management Center with Cisco Defense Orchestrator
Managing On-Prem Firewall Management Center with Cisco Defense Orchestrator
Discover and Manage On-Prem Firewall Management Center Network Objects
Reading, Discarding, Checking for, and Deploying Changes
Read All Device Configurations
Preview and Deploy On-Prem Firewall Management Center Configurations
Preview and Deploy Configuration Changes for All Devices
Deploy Changes to a device
Cancelling Changes
Discarding Changes
Bulk Deploy Device Configurations
Scheduled Automatic Deployments
Schedule an Automatic Deployment
Edit a Scheduled Deployment
Delete a Scheduled Deployment
Check for Configuration Changes
Discard Changes
Discard On-Prem Firewall Management Center Configuration Changes
Out-of-Band Changes on Devices
Synchronizing Configurations Between Defense Orchestrator and Device
Conflict Detection
Enable Conflict Detection
Enable Conflict Detection for an On-Prem Firewall Management Center
Automatically Accept Out-of-Band Changes from your Device
Configure Auto-Accept Changes
Disabling Auto-Accept Changes for All Devices on the Tenant
Resolve Configuration Conflicts
Resolve "Not Synced" Status
Resolve "Conflict Detected" Status
Schedule Polling for Device Changes
Schedule a Security Database Update
Create a Scheduled Security Database Update
Edit a Scheduled Security Database Update
Remove an On-Prem Firewall Management Center from CDO
Managing Cisco Secure Firewall Threat Defense Devices with Cloud-delivered Firewall Management Center
CDO Services Page
Navigate to the Cloud-delivered Firewall Management Center in your CDO Tenant
Enable Cloud-delivered Firewall Management Center on Your CDO Tenant
Troubleshooting for the Secure Firewall Threat Defense using Cloud-delivered Firewall Management Center
Managing FDM Devices with Cisco Defense Orchestrator
Managing FDM-Managed Devices with Cisco Defense Orchestrator
Interfaces
Guidelines and Limitations for Firepower Interface Configuration
Maximum Number of VLAN Members by Device Model
Firepower Data Interfaces
Management/Diagnostic Interface
Interface Settings
Use of Security Zones in Firepower Interface Settings
Assign an FDM-Managed Device Interface to a Security Zone
Assign a Firepower Interface to a Security Zone
Use of Auto-MDI/MDX in Firepower Interface Settings
Use of MAC Addresses in Firepower Interface Settings
Use of MTU Settings in Firepower Interface Settings
IPv6 Addressing for Firepower Interfaces
Configuring Firepower Interfaces
Configure a Physical Firepower Interface
Procedure
Configure IPv4 Addressing for the Physical Interface
Configure IPv6 Addressing for the Physical Interface
Enable the Physical Interface
Configure Firepower VLAN Subinterfaces and 802.1Q Trunking
Procedure
Configure IPv4 Addressing for the Subinterface
Configure IPv6 Addressing for the Subinterface
Enable the Physical Interface
Configure Advanced Firepower Interface Options
Configure a Bridge Group
Configure the Name of the Bridge Group Interface and Select the Bridge Group Members
Configure the IPv4 Address for the BVI
Configure the IPv6 Address for the BVI
Configure Advanced Interface Options
Bridge Group Compatibility in FDM-Managed Configurations
Delete a Bridge Group
Add an EtherChannel Interface for an FDM-Managed Device
Add an EtherChannel Interface
Edit Or Remove an EtherChannel Interface for FDM-Managed Device
Edit an EtherChannel
Remove an EtherChannel Interface
Add a Subinterface to an EtherChannel Interface
Add a Subinterface to an EtherChannel Interface
Edit or Remove a Subinterface from an EtherChannel
Edit a Subinterface
Remove a Subinterface from an EtherChannel
Add Interfaces to a Virtual FDM-Managed Device
Switch Port Mode Interfaces for an FDM-Managed Device
Configure an FDM-Managed Device VLAN
Configure an FDM-Managed Device VLAN for Switch Port Mode
Create a VLAN Interface for Switch Port Mode
Configure an Existing Physical Interface for Switch Port Mode
Viewing and Monitoring Firepower Interfaces
Monitoring Interfaces in the CLI
Synchronizing Interfaces Added to a Firepower Device using FXOS
Routing
About Static Routing and Default Routes
Default Route
Static Routes
The Routing Table and Route Selection
How the Routing Table is Populated
How Forwarding Decisions are Made
Configure Static and Default Routes for FDM-Managed Devices
Procedure
Static Route Example
Monitoring Routing
Static Route Network Diagram
About Virtual Routing and Forwarding
Objects
Objects
Object Types
Shared Objects
Object Overrides
Unassociated Objects
Compare Objects
Filters
Object Filters
Configure Object Filters
When to Exclude a Device from Filter Criteria
Deleting Objects
Delete a Single Object
Delete a Group of Unused Objects
Create IP Address Pool
Network Objects
Create or Edit ASA Network Objects and Network Groups
Create an ASA Network Object
Create an ASA Network Group
Edit an ASA Network Object
Edit an ASA Network Group
Add Additional Values to a Shared Network Group in CDO
Edit Additional Values in a Shared Network Group in CDO
Deleting Network Objects and Groups in CDO
Create or Edit a Firepower Network Object or Network Groups
Create a Firepower Network Object
Create a Firepower Network Group
Edit a Firepower Network Object
Edit a Firepower Network Group
Add an Object Override
Edit Object Overrides
Add Additional Values to a Shared Network Group
Edit Additional Values in a Shared Network Group
Deleting Network Objects and Groups in CDO
Discover and Manage On-Prem Firewall Management Center Network Objects
Objects Associated with Meraki Devices
Create a Local Meraki Network Object
Create or Edit a Meraki Network Object or Network Group
Create a Meraki Network Object
Create a Meraki Network Group
Edit a Firepower Network Object or Network Group
Deleting Network Objects and Groups in CDO
URL Objects
Create or Edit an FDM-Managed URL Object
Create a Firepower URL Group
Edit a Firepower URL Object or URL Group
Application Filter Objects
Create and Edit a Firepower Application Filter Object
Create a Firepower Application Filter Object
Edit a Firepower Application Filter Object
Geolocation Objects
Create and Edit a Firepower Geolocation Filter Object
Edit a Geolocation Object
DNS Group Objects
Create a DNS Group Object
Edit a DNS Group Object
Delete a DNS Group Object
Add a DNS Group Object as an FDM-Managed DNS Server
Certificate Objects
About Certificates
Certificate Types Used by Feature
Configuring Certificates
Uploading Internal and Internal CA Certificates
Procedure
Uploading Trusted CA Certificates
Procedure
Generating Self-Signed Internal and Internal CA Certificates
Procedure
Trustpoint Objects
Adding an Identity Certificate Object Using PKCS12
Creating a Self-Signed Identity Certificate Object
Adding an Identity Certificate Object for Certificate Signing Request (CSR)
Adding a Trusted CA Certificate Object
Self-Signed and CSR Certificate Generation Based on Certificate Contents
About IPsec Proposals
Managing an IKEv1 IPsec Proposal Object
Create or Edit an IKEv1 IPsec Proposal Object
Managing an IKEv2 IPsec Proposal Object
Create or Edit an IKEv2 IPsec Proposal Object
About Global IKE Policies
Managing IKEv1 Policies
Create or Edit an IKEv1 Policy
Managing IKEv2 Policies
Create or Edit an IKEv2 Policy
RA VPN Objects
Configure Identity Sources for ASA
Determining the Directory Base DN
RADIUS Servers and Groups
Create an ASA Active Directory Realm Object
Edit an ASA Active Directory Realm Object
Create an ASA RADIUS Server Object or Group
Create an ASA RADIUS Server Object
Create an ASA RADIUS Server Group
Edit an ASA RADIUS Server Object or Group
Create ASA Remote Access VPN Group Policies
ASA Remote Access VPN Group Policy Attributes
Configure Identity Sources for FDM-Managed Device
Determining the Directory Base DN
RADIUS Servers and Groups
Create or Edit an Active Directory Realm Object
Create an FTD Active Directory Realm Object
Edit an FTD Active Directory Realm Object
Create or Edit a RADIUS Server Object or Group
Create a RADIUS Server Object
Create a RADIUS Server Group
Edit a RADIUS Server Object or Group
Create New RA VPN Group Policies
RA VPN Group Policy Attributes
AWS Security Groups and Cloud Security Group Objects
Sharing Objects Between AWS and other Managed Devices
Security Zone Object
Create or Edit a Firepower Security Zone Object
Create a Security Zone Object
Edit a Security Zone Object
Service Objects
Create and Edit ASA Service Objects
Create an ASA Service Group
Edit an ASA Service Object or Service Group
Create and Edit Firepower Service Objects
Create a Firepower Service Group
Edit a Firepower Service Object or Service Group
Create or Edit a Meraki Service Object
Create a Service Object
Create a Service Group
Edit a Service Object or a Service Group
Security Group Tag Group
Security Group Tags
Create an SGT Group
Edit an SGT Group
Add an SGT Group to an Access Control Rule
Syslog Server Objects
Create and Edit Syslog Server Objects
Edit Syslog Server Objects
Create a Syslog Server Object for Secure Logging Analytics (SaaS)
Procedure
ASA Time Range Objects
Create an ASA Time Range Object
Edit an ASA Time Range Object
Manage Security Policies in CDO
FDM Policy Configuration
FDM-Managed Access Control Policy
Read an FDM-Managed Access Control Policy
Configure the FDM Access Control Policy
Create or Edit an FDM-Managed Access Control Policy
Configuring Access Policy Settings
Procedure
About TLS Server Identity Discovery
Copy FDM-Managed Access Control Rules
Copy Rules within the Device
Copy Rules from One FDM-Managed Device Policy to Another FDM-Managed Device Policy
Move FDM-Managed Access Control Rules
Move Rules within the Device
Move a Rule from One FDM-Managed Device Policy to Another FDM-Managed Device Policy
Behavior of Objects when Pasting Rules to Another Device
Source and Destination Criteria in an FDM-Managed Access Control Rule
URL Conditions in an FDM-Managed Access Control Rule
Specifying a Reputation for a URL Category Used in a Rule
Intrusion Policy Settings in an FDM-Managed Access Control Rule
File Policy Settings in an FDM-Managed Access Control Rule
Logging Settings in an FDM-Managed Access Control Rule
Procedure
Application Criteria in an FDM-Managed Access Control Rule
Intrusion, File, and Malware Inspection in FDM-Managed Access Control Policies
Custom IPS Policy in an FDM-Managed Access Control Rule
TLS Server Identity Discovery in Firepower Threat Defense
Enable the TLS Server Identity Discovery
Intrusion Prevention System
Threat Events
Firepower Intrusion Policy Signature Overrides
Manage Signature Overrides
Create A Signature Override
Remove A Signature Override
Custom Firepower Intrusion Prevention System Policy
Configure Firepower Custom IPS Policies
Create a Custom IPS Policy
Edit a Custom IPS Policy
Edit Rule Groups in a Custom IPS Policy
Delete a Custom IPS policy
Security Intelligence Policy
Configure the Firepower Security Intelligence Policy
Configure Firepower Security Intelligence Policy
Making Exceptions to the Firepower Security Intelligence Policy Blocked Lists
Security Intelligence Feeds for Firepower Security Intelligence Policies
FDM-Managed Device Identity Policy
How to Implement an Identity Policy
Procedure
Configure Identity Policies
Procedure
Configure Identity Policy Settings
Procedure
Configure the Identity Policy Default Action
Procedure
Configure Identity Rules
Procedure
SSL Decryption Policy
How to Implement and Maintain the SSL Decryption Policy
Procedure
About SSL Decryption
Why Implement SSL Decryption?
Actions You Can Apply to Encrypted Traffic
Automatically Generated SSL Decryption Rules
Handling Undecryptable Traffic
License Requirements for SSL Decryption Policies
Guidelines for SSL Decryption
Configure SSL Decryption Policies
Procedure
Enable the SSL Decryption Policy
Procedure
Configure the Default SSL Decryption Action
Procedure
Configure SSL Decryption Rules
Procedure
Source/Destination Criteria for SSL Decryption Rules
URL Criteria for SSL Decryption Rules
User Criteria for SSL Decryption Rules
Configure Certificates for Known Key and Re-Sign Decryption
Downloading the CA Certificate for Decrypt Re-Sign Rules
Procedure
Warning
Rulesets
Configure Rulesets for a Device
Create or Edit a Ruleset
Deploy a Ruleset to Multiple FDM-Managed Devices or Templates
Add Devices to a Ruleset from the Ruleset page
Add Rulesets to a Device from the Device Policy page
Rulesets with FDM-Managed Templates
Create Rulesets from Existing Device Rules
Impact of Out-of-Band Changes on Rulesets
Impact of Discarding Staged Ruleset Changes
View Rules and Rulesets
View Rules from Device Policy Page
View Rulesets
Search Rulesets
View Jobs Associated with Rulesets
Change Log Entries after Creating Rulesets
Detach FDM-Managed Devices from a Selected Ruleset
Delete Rules and Rulesets
Delete Rules from a Ruleset
Delete a Ruleset
Remove a Ruleset From a Selected FDM-Managed Device
Delete a Ruleset From a Selected FDM-Managed Device
Disassociate a Ruleset From a Selected FDM-Managed Device
Adding Comments to Rules in Policies and Rulesets
Adding a Comment to a Rule
Editing Comments about Rules in Policies and Rulesets
Editing a comment on a rule in a policy
Editing a comment on a rule in a ruleset
Network Address Translation
Order of Processing NAT Rules
Network Address Translation Wizard
Create a NAT Rule by using the NAT Wizard
Common Use Cases for NAT
Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
NAT Incoming FTP Traffic to an FTP Server
NAT Incoming HTTP Traffic to an HTTP Server
NAT Incoming SMTP Traffic to an SMTP Server
Translate a Range of Private IP Addresses to a Range of Public IP Addresses
Translate a Pool of Inside Addresses to a Pool of Outside Addresses
Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
Create a Twice NAT Rule
Templates
FDM-Managed Device Templates
Configure an FDM Template
Create an FDM Template
Edit an FDM-Managed Device Template
Delete an FDM Template
Apply an FDM Template
Apply Template to an FDM-Managed Device
Review Device and Networking Settings
Deploy Changes to the Device
Migrating an ASA Configuration to an FDM-Managed Device Template
Backing Up FDM-Managed Devices
Back up an FDM-Managed Device On-Demand
Procedure
Configure a Recurring Backup Schedule for a Single FDM-Managed Device
Procedure
Download the Device Backup
Edit a Backup
Delete a Backup
Managing Device Backup
Restore a Backup to an FDM-Managed Device
FDM-Managed High Availability
FDM-Managed High Availability Pair Requirements
Create an FDM-Managed High Availability Pair
Procedure
FDM-Managed Devices in High Availability Page
High Availability Management Page
Edit High Availability Failover Criteria
Break an FDM-Managed High Availability Pairing
Break High Availability
Break Out-of-Band High Availability
Force a Failover on an FDM-Managed High Availability Pair
FDM-Managed High Availability Failover History
Refresh the FDM-Managed High Availability Status
Failover and Stateful Link for FDM-Managed High Availability
FDM-Managed Device Settings
Configure an FDM-Managed Device's System Settings
Configure Management Access
Create Rules for Management Interfaces
Create Rules for Data Interfaces
Configure Logging Settings
Message Severity Levels
Configure DHCP Servers
Configure DNS Server
Management Interface
Hostname
Configure NTP Server
Configure URL Filtering
Cloud Services
Connecting to the Cisco Success Network
Sending Events to the Cisco Cloud
Enabling or Disabling Web Analytics
Create a REST API Macro
Using the API Tool
How to Enter a Secure Firewall Threat Defense REST API Request
About FTD REST API Macros
Create a REST API Macro
Create a REST API Macro from a New Command
Create a REST API Macro from History or from an Existing REST API Macro
Run a REST API Macro
Edit a REST API Macro
Delete a REST API Macro
Update FDM-Managed Device Security Databases
Managing ASA with Cisco Defense Orchestrator
Managing ASA with Cisco Defense Orchestrator
Update ASA Connection Credentials in CDO
Move an ASA from one SDC to Another
ASA Interface Configuration
Configure an ASA Physical Interface
Configure IPv4 Addressing for ASA Physical Interface
Configure IPv6 Addressing for ASA Physical Interface
Configure Advanced ASA Physical Interface Options
Enable the ASA Physical Interface
Add an ASA VLAN Subinterface
Configure ASA VLAN Subinterfaces
Configure IPv4 Addressing for ASA Subinterface
Configure IPv6 Addressing for ASA Subinterface
Configure Advanced ASA Subinterface Options
Enable the Subinterface
Remove ASA Subinterface
About ASA EtherChannel Interfaces
Configure ASA EtherChannel
Edit ASA EtherChannel
Remove ASA EtherChannel Interface
ASA System Settings Policy
Create an ASA Shared System Settings Policy
Configure Basic DNS Settings
Configure HTTP Settings
Set the Date and Time Using an NTP Server
Configure SSH Access
Configure System Logging
Enable Sysopt Settings
Assign a Policy from the Shared System Settings Page
Configure or Modify Device Specific System Settings
Assign a Policy from Device-Specific Settings Page
Auto Assignment of ASA Devices to a Shared System Settings Policy
Filter ASA Shared System Settings Policy
Disassociate Devices from Shared System Settings Policy
Delete Shared Settings Policy
ASA Routing in CDO
About ASA Static Route
Configure ASA Static Route
Edit ASA Static Route
Delete a Static Route
Manage Security Policies in CDO
Manage Legacy ASA Access Policies
Create an ASA Network Policy in Legacy View
Edit an ASA Network Policy
Rename a Policy
Add Rules to a Policy
Move Rules within a Policy
Move Rules Between Policies
Deactivate Rules in a Policy
Log Rule Activity
Define a Time Range for a Policy
Copy an ASA Network Policy
Compare ASA Network Policies
Delete an ASA Network Policy
Search and Filter ASA Network Policies and Rules
Find all network policies that have zero hits
Find all network policies on a device that have zero hits
Find out how often rules in a network policy are being hit
Find out how often a shared network policy is being hit
Filter network policies by hit rate
Shared ASA Network Policies
Shared Network Policy Attributes
Edit Shared Network Policies
Compare Shared Network Policies
ASA Policies (Extended access-list)
Access Control Entries (ACEs)
Configure an ASA Global Access Policy
Create a Global Access Policy
Edit a Global Access Policy
Hit Rates
View Hit Rates of ASA Policies
Export Network Policy Rules
Apply ASA Policy Changes to Device
Deploy to Device by Script
Security Group Tags in ASA Policies
Shadowed Rules
Find Network Policies with Shadowed Rules
Resolve Issues with Shadowed Rules
Network Address Translation
Order of Processing NAT Rules
Network Address Translation Wizard
Create a NAT Rule by using the NAT Wizard
Common Use Cases for NAT
Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
NAT Incoming FTP Traffic to an FTP Server
NAT Incoming HTTP Traffic to an HTTP Server
NAT Incoming SMTP Traffic to an SMTP Server
Translate a Range of Private IP Addresses to a Range of Public IP Addresses
Translate a Pool of Inside Addresses to a Pool of Outside Addresses
Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
Create a Twice NAT Rule
ASA Templates
ASA Template Parameters
Create New Parameters
Create a New ASA, ISR, or ASR Template
Generate ASA Configurations from Templates
Manage ASA Templates
API Tokens
Migrating an ASA Configuration to an FDM-Managed Device Template
About the Cisco Defense Orchestrator Migration Process
Launch the FDM Migration Wizard and Select the Device
Run the Migration
(Optional) Update the Migration Name
(Optional) Preserve the Running Configuration
Parsing the ASA Configuration
Fix the Migration Errors
Apply Migration
Apply Migration Now
Support for FDM-Managed Device with Management Access Interface Migration
Apply Migration Later
View the Migration Actions
Deploy the Configuration
Manage ASA Certificates
Install ASA Certificates
Install an Identity Certificate Using PKCS12
Install a Certificate Using Self-Signed Enrollment
Manage a Certificate Signing Request (CSR)
Generate a CSR Request
Install a Signed Identity Certificate Issued by a Certificate Authority
Install a Trusted CA Certificate in ASA
Export an Identity Certificate
Edit an Installed Certificate
Delete an Existing Certificate from ASA
ASA File Management
Upload File to a Single ASA Device
Upload File to Multiple ASA Devices
Remove Files from ASA
Managing ASA High Availability
Configuration Changes Made to ASAs in Active-Active Failover Mode
Configure DNS on ASA
Procedure
Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator
Is This Guide for You?
Getting Started with the Firewall Migration Tool in Cisco Defense Orchestrator
Supported Configurations
Licenses
Initialize a New Migration Instance
Delete a Migration Instance
Using the Demo Mode in the Secure Firewall Migration Tool
Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
Migrate an FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
Migrating Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
Migrating Fortinet Firewall with the Firewall Migration Tool in Cisco Defense Orchestrator
Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
Related Documentation
Managing Umbrella with Cisco Defense Orchestrator
Read Umbrella Tunnel Configuration
Cross-launch to the Umbrella Tunnels Page
Configure a SASE Tunnel for Umbrella
Edit a SASE Tunnel
Delete a SASE Tunnel from Umbrella
Managing Meraki with Cisco Defense Orchestrator
Managing Meraki with Cisco Defense Orchestrator
How Does CDO Communicate With Meraki
Manage Security Policies in CDO
Meraki Access Control Policy
Meraki Templates
Managing IOS Devices with Cisco Defense Orchestrator
Managing IOS Devices with CDO
ASA Cisco IOS Device Configurations
View a Device's Configuration File
CDO Command Line Interface
Using the Command Line Interface
Entering Commands in the Command Line Interface
Work with Command History
Bulk Command Line Interface
Bulk CLI Interface
Send Commands in Bulk
Work with Bulk Command History
Work with Bulk Command Filters
By Response Filter
By Device Filter
Command Line Interface Macros
Create a CLI Macro from a New Command
Create a CLI Macro from CLI History or from an Existing CLI Macro
Run a CLI Macro
Edit a CLI Macro
Delete a CLI Macro
Compare ASA Configurations Using CDO
ASA Bulk CLI Use Cases
Show all users in the running configuration of an ASA and then delete one of the users
Find all SNMP configurations on selected ASAs
ASA Command Line Interface Documentation
Command Line Interface Documentation
Restore an ASA Configuration
Restore a Secure Firewall ASA Configuration
Troubleshooting
Manage ASA and Cisco IOS Device Configuration Files
View a Device's Configuration File
Edit a Complete Device Configuration File
Procedure
Reading, Discarding, Checking for, and Deploying Changes
Read All Device Configurations
Read Configuration Changes from an ASA to CDO
Read Configuration Changes on ASA
Read Configuration Changes from FDM-Managed Device to CDO
Discard Changes Procedure
If Reverting Pending Changes Fails
Review Conflict Procedure
Accept Without Review Procedure
Read Changes from Cisco IOS or SSH to CDO
Preview and Deploy Configuration Changes for All Devices
Deploy Configuration Changes from CDO to ASA
About Deploying Configuration Changes
Deploy Configuration Changes Made Using the CDO GUI
Scheduling Automatic Deployments
Deploy Configuration Changes Using CDO's CLI Interface
Deploy Configuration Changes by Editing the Device Configuration
Deploying Configuration Changes for a Shared Object on Multiple Devices
Deploy Configuration Changes from CDO to FDM-Managed Device
Deploy Changes to a device
Cancelling Changes
Discarding Changes
Bulk Deploy Device Configurations
Preview and Deploy On-Prem Firewall Management Center Configurations
Scheduled Automatic Deployments
Schedule an Automatic Deployment
Edit a Scheduled Deployment
Delete a Scheduled Deployment
Check for Configuration Changes
Discard Changes
Discard On-Prem Firewall Management Center Configuration Changes
Out-of-Band Changes on Devices
Synchronizing Configurations Between Defense Orchestrator and Device
Conflict Detection
Enable Conflict Detection
Enable Conflict Detection for an On-Prem Firewall Management Center
Automatically Accept Out-of-Band Changes from your Device
Configure Auto-Accept Changes
Disabling Auto-Accept Changes for All Devices on the Tenant
Resolve Configuration Conflicts
Resolve "Not Synced" Status
Resolve "Conflict Detected" Status
Schedule Polling for Device Changes
Schedule a Security Database Update
Create a Scheduled Security Database Update
Edit a Scheduled Security Database Update
Managing AWS with Cisco Defense Orchestrator
Managing AWS with Cisco Defense Orchestrator
Update AWS VPC Connection Credentials
Monitor AWS VPC Tunnels using AWS Transit Gateway
Search and Filter Site-to-Site VPN Tunnels
View a history of changes made to the AWS VPC tunnels
Manage Security Policies in CDO
AWS VPC Policy
AWS VPCs and Security Groups in CDO
AWS VPC Security Groups Rules
Create a Security Group Rule
Edit a Security Group Rule
Delete a Security Group Rule
Manage Virtual Private Network Management in CDO
Introduction to Site-to-Site Virtual Private Network
Configure Site-to-Site VPN for an FDM-Managed Device
Encryption and Hash Algorithms Used in VPN
Create a Site-To-Site VPN
Create a Site-To-Site VPN using the Simple Configuration
Create a Site-To-Site VPN using the Advanced Configuration
Configure Networking for Protected Traffic Between the Site-To-Site Peers
Edit an Existing CDO Site-To-Site VPN
Delete a CDO Site-To-Site VPN Tunnel
Exempt Site-to-Site VPN Traffic from NAT
ASA Site-to-Site VPN Configuration
Encryption and Hash Algorithms Used in VPN
Create an ASA Site-to-Site VPN Tunnel
Delete a CDO Site-To-Site VPN Tunnel
Exempt Site-to-Site VPN Traffic from NAT
About Global IKE Policies
Managing IKEv1 Policies
Create an IKEv1 Policy
Managing IKEv2 Policies
Create an IKEv2 Policy
About IPsec Proposals
Managing an IKEv1 IPsec Proposal Object
Create an IKEv1 IPsec Proposal Object
Managing an IKEv2 IPsec Proposal Object
Create or Edit an IKEv2 IPsec Proposal Object
Monitor FDM-Managed Device, ASA, and AWS Site-to-Site Virtual Private Networks
Check Site-to-Site VPN Tunnel Connectivity
Identify VPN Issues
Find VPN Tunnels with Missing Peers
Find VPN Peers with Encryption Key Issues
Find Incomplete or Misconfigured Access Lists Defined for a Tunnel
Find Issues in Tunnel Configuration
Resolve Tunnel Configuration Issues
Search and Filter Site-to-Site VPN Tunnels
Onboard an Unmanaged Site-to-Site VPN Peer
Viewing AWS Site-to-Site VPN Tunnels
View IKE Object Details of Site-To-Site VPN Tunnels
View Last Successful Site-to-Site VPN Tunnel Establishment Date
View Site-to-Site VPN Tunnel Information
Site-to-Site VPN Global View
Site-to-Site VPN Tunnels Pane
Reading, Discarding, Checking for, and Deploying Changes
Read All Device Configurations
Read Configuration Changes from an ASA to CDO
Read Configuration Changes on ASA
Read Configuration Changes from FDM-Managed Device to CDO
Discard Changes Procedure
If Reverting Pending Changes Fails
Review Conflict Procedure
Accept Without Review Procedure
Read Changes from Cisco IOS or SSH to CDO
Preview and Deploy Configuration Changes for All Devices
Deploy Configuration Changes from CDO to ASA
About Deploying Configuration Changes
Deploy Configuration Changes Made Using the CDO GUI
Scheduling Automatic Deployments
Deploy Configuration Changes Using CDO's CLI Interface
Deploy Configuration Changes by Editing the Device Configuration
Deploying Configuration Changes for a Shared Object on Multiple Devices
Deploy Configuration Changes from CDO to FDM-Managed Device
Deploy Changes to a device
Cancelling Changes
Discarding Changes
Bulk Deploy Device Configurations
Preview and Deploy On-Prem Firewall Management Center Configurations
Scheduled Automatic Deployments
Schedule an Automatic Deployment
Edit a Scheduled Deployment
Delete a Scheduled Deployment
Check for Configuration Changes
Discard Changes
Discard On-Prem Firewall Management Center Configuration Changes
Out-of-Band Changes on Devices
Synchronizing Configurations Between Defense Orchestrator and Device
Conflict Detection
Enable Conflict Detection
Enable Conflict Detection for an On-Prem Firewall Management Center
Automatically Accept Out-of-Band Changes from your Device
Configure Auto-Accept Changes
Disabling Auto-Accept Changes for All Devices on the Tenant
Resolve Configuration Conflicts
Resolve "Not Synced" Status
Resolve "Conflict Detected" Status
Schedule Polling for Device Changes
Schedule a Security Database Update
Create a Scheduled Security Database Update
Edit a Scheduled Security Database Update
Managing SSH Devices with Cisco Defense Orchestrator
Managing SSH Devices with Cisco Defense Orchestrator
Integrating CDO with Cisco Security Cloud Sign On
SecureX and CDO
Merge Your CDO and SecureX or Cisco XDR Tenant Accounts
Add CDO to SecureX
Virtual Private Network Management
Manage Virtual Private Network Management in CDO
Introduction to Site-to-Site Virtual Private Network
Configure Site-to-Site VPN for an FDM-Managed Device
Encryption and Hash Algorithms Used in VPN
Create a Site-To-Site VPN
Create a Site-To-Site VPN using the Simple Configuration
Create a Site-To-Site VPN using the Advanced Configuration
Configure Networking for Protected Traffic Between the Site-To-Site Peers
Edit an Existing CDO Site-To-Site VPN
Delete a CDO Site-To-Site VPN Tunnel
Exempt Site-to-Site VPN Traffic from NAT
ASA Site-to-Site VPN Configuration
Encryption and Hash Algorithms Used in VPN
Create an ASA Site-to-Site VPN Tunnel
Delete a CDO Site-To-Site VPN Tunnel
Exempt Site-to-Site VPN Traffic from NAT
About Global IKE Policies
Managing IKEv1 Policies
Create an IKEv1 Policy
Managing IKEv2 Policies
Create an IKEv2 Policy
About IPsec Proposals
Managing an IKEv1 IPsec Proposal Object
Create an IKEv1 IPsec Proposal Object
Managing an IKEv2 IPsec Proposal Object
Create or Edit an IKEv2 IPsec Proposal Object
Monitor FDM-Managed Device, ASA, and AWS Site-to-Site Virtual Private Networks
Check Site-to-Site VPN Tunnel Connectivity
Identify VPN Issues
Find VPN Tunnels with Missing Peers
Find VPN Peers with Encryption Key Issues
Find Incomplete or Misconfigured Access Lists Defined for a Tunnel
Find Issues in Tunnel Configuration
Resolve Tunnel Configuration Issues
Search and Filter Site-to-Site VPN Tunnels
Onboard an Unmanaged Site-to-Site VPN Peer
Viewing AWS Site-to-Site VPN Tunnels
View IKE Object Details of Site-To-Site VPN Tunnels
View Last Successful Site-to-Site VPN Tunnel Establishment Date
View Site-to-Site VPN Tunnel Information
Site-to-Site VPN Global View
Site-to-Site VPN Tunnels Pane
Remote Access Virtual Private Network
Configure Remote Access Virtual Private Network for ASA
End-to-End Remote Access VPN Configuration Process for ASA
Create ASA Remote Access VPN Configuration
Modify ASA Remote Access VPN Configuration
Configure ASA Remote Access VPN Connection Profile
Configure AAA for a Connection Profile
Manage AnyConnect Software Packages on ASA Devices
Upload an AnyConnect Package from CDO Repository
Upload an AnyConnect Package to ASA from Server
Upload new AnyConnect Packages to ASA
Upload AnyConnect Packages using File Management Wizard
Replace an AnyConnect Package
Delete an AnyConnect Package
Manage and Deploy Pre-existing ASA Remote Access VPN Configuration
Device Settings
Connection Profile
Primary Identity Source
AAA Server Groups
RADIUS Server Group
RADIUS Server
Group Policy
Remote Access VPN Certificate-Based Authentication
Exempt Remote Access VPN Traffic from NAT
Install the AnyConnect Client Software on ASA
Modify ASA Remote Access VPN Configuration
Modify ASA Connection Profile
Upload RA VPN AnyConnect Client Profile
Verify ASA Remote Access VPN Configuration
View ASA Remote Access VPN Configuration Details
Configuring Remote Access VPN for an FDM-Managed Device
Split Tunneling for RA VPN Users (Hair Pinning)
Control User Permissions and Attributes Using RADIUS and Group Policies
Attributes Sent to the RADIUS Server
Two-Factor Authentication
Duo Two-Factor Authentication Using RADIUS
How to Configure Two-Factor Authentication using Duo RADIUS
System Flow for Duo RADIUS Secondary Authentication
Configure Duo RADIUS Secondary Authentication
Create a Duo Account
Configure Device for Duo RADIUS Using CDO
Duo Two-Factor Authentication using LDAP
How to Configure Two-Factor Authentication using Duo LDAP
System Flow for Duo LDAP Secondary Authentication
Configure Duo LDAP Secondary Authentication
Create a Duo Account
Upload a Trusted CA Certificate to an FDM-Managed Device
Configure FTD for Duo LDAP in CDO
End-to-End Remote Access VPN Configuration Process for an FDM-Managed Device
Download AnyConnect Client Software Packages
Upload AnyConnect Software Packages to an FDM-Managed Device Running Version 6.4.0
Upload AnyConnect Software Packages to an FDM-Managed Device Running Version 6.5 or Later
Upload an AnyConnect Package from CDO Repository
Before you Begin
Upload new AnyConnect Packages
Replace an Existing AnyConnect Package
Delete the AnyConnect Package
Create an RA VPN Configuration
Procedure
Modify RA VPN Configuration
Configure an RA VPN Connection Profile
Procedure
Configure AAA for a Connection Profile
Allow Traffic Through the Remote Access VPN
Upgrade AnyConnect Package on an FDM-Managed Device Running Version 6.4.0
Prerequisites
Upload your desired AnyConnect Package to Secure Firewall Threat Defense using Firewall Device Manager
Verify the new package is referenced in the RA VPN connection profile
Upload RA VPN AnyConnect Client Profile
Guidelines and Limitations of Remote Access VPN for FDM-Managed Device
How Users Can Install the AnyConnect Client Software on FDM-Managed Device
Distribute new AnyConnect Client Software version
Upload RA VPN AnyConnect Client Profile
Licensing Requirements for Remote Access VPN
Maximum Concurrent VPN Sessions By Device Model
RADIUS Change of Authorization
Configure Change of Authorization on the FDM-Managed Device
Procedure
Verify Remote Access VPN Configuration of FDM-Managed Device
View Remote Access VPN Configuration Details of FDM-Managed Device
Monitor Remote Access Virtual Private Network Sessions
Monitor Live AnyConnect Remote Access VPN Sessions
View Live Data
Monitor Historical AnyConnect RA VPN Sessions
View Historical Data
Search and Filter RA VPN Sessions
Customize the RA VPN Monitoring View
Export RA VPN Sessions to a CSV File
Disconnect Active RA VPN Sessions of an ASA User
Disconnect all Active RA VPN Sessions of a User
Disconnect Active RA VPN Sessions on FDM-Managed Device
Disconnect Active RA VPN Sessions on FTD
Monitor Multi-Factor Authentication Events
Monitor Multi-Factor Authentication Events
View MFA Events in Dashboard and Tabular Forms
Search and Filter MFA Events
Customize the MFA View
Export MFA Events to a CSV File
Cisco Security Analytics and Logging
About Security Analytics and Logging (SaaS) in Cisco Defense Orchestrator
Event Types in CDO
About Security Analytics and Logging (SAL SaaS) for the ASA
Implementing Secure Logging Analytics (SaaS) for ASA Devices
Send ASA Syslog Events to the Cisco Cloud using a CDO Macro
Creating an ASA Security Analytics and Logging (SaaS) Macro
Send ASA Syslog Events to the Cisco Cloud Using the Command Line Interface
CDO Command Line Interface for ASA
Forward ASA Syslog Events to the Secure Event Connector
Send ASA Syslog Events to the Cisco Cloud Using CLI
Create a Custom Event List
Include the Device ID in Non-EMBLEM Format Syslog Messages
NetFlow Secure Event Logging (NSEL) for ASA Devices
Configuring NSEL for ASA Devices by Using a CDO Macro
Open the Configuring NSEL Macro
Define the Destination of NSEL Messages and the Interval at Which They Are Sent to the SEC
Create a Class-Map that Defines which NSEL Events Will Be Sent to the SEC
Define a Policy-Map for NSEL Events
Disable Redundant Syslog Messages
Review and Send the Macro
Delete NetFlow Secure Event Logging (NSEL) Configuration from an ASA
Open the DELETE-NSEL Macro
Enter the Values in the Macro to Complete the No Commands
Determine the Name of an ASA Global Policy
Troubleshooting NSEL Data Flows
Verify that NSEL Events are Being Sent to the SEC
Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC
Verify that NetFlow Packets are Being Received by the Cisco Cloud
Check for Live NSEL Events
Check for Historical NSEL Events
Parsed ASA Syslog Events
Secure Logging Analytics for FDM-Managed Devices
Implementing Secure Logging Analytics (SaaS) for FDM-Managed Devices
Send FDM Events to Cisco Defense Orchestrator Events Logging
Send FDM-Managed Events Directly to the Cisco Cloud
Implementing SAL (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices
Requirements, Guideline, and Limitations for the SAL (SaaS) Integration
Send Cloud-delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog
Send Cloud-delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection
Enable or Disable Threat Defense Devices to Send Event logs to SAL (SaaS) Using a Direct Connection
Secure Event Connectors
Installing Secure Event Connectors
Install a Secure Event Connector on an SDC Virtual Machine
Installing an SEC Using a CDO Image
Install a CDO Connector, to Support a Secure Event Connector, Using a CDO VM Image
Install the Secure Event Connector on the CDO Connector VM
Deploy Secure Event Connector on Ubuntu Virtual Machine
Install an SEC Using Your VM Image
Install a CDO Connector to Support an SEC Using Your VM Image
Additional Configuration for SDCs and CDO Connectors Installed on a VM You Created
Install the Secure Event Connector on your CDO Connector Virtual Machine
Install a Secure Event Connector on an AWS VPC Using a Terraform Module
Deprovisioning Cisco Security Analytics and Logging (SaaS)
Remove the Secure Event Connector
Remove an SEC from CDO
Remove SEC files from the SDC
Provision a Cisco Secure Cloud Analytics Portal
Review Sensor Health and CDO Integration Status in Secure Cloud Analytics
Cisco Secure Cloud Analytics Sensor Deployment for Total Network Analytics and Reporting
Viewing Cisco Secure Cloud Analytics Alerts from CDO
Inviting Users to Join Your Secure Cloud Analytics Portal
Cross-Launching from CDO to Secure Cloud Analytics
Cisco Secure Cloud Analytics and Dynamic Entity Modeling
Working with Alerts Based on Firewall Events
Triage open alerts
Snooze alerts for later analysis
Update the alert for further investigation
Review the alert and start your investigation
Examine the entity and users
Remediate issues using Secure Cloud Analytics
Update and close the alert
Modifying Alert Priorities
Viewing Live Events
Play/Pause Live Events
View Historical Events
Customize the Events View
Show and Hide Columns on the Event Logging Page
Customizable Event Filters
Event Attributes in Security Analytics and Logging
EventGroup and EventGroupDefinition Attributes for Some Syslog Messages
EventName Attributes for Syslog Events
Time Attributes in a Syslog Event
Cisco Secure Cloud Analytics and Dynamic Entity Modeling
Working with Alerts Based on Firewall Events
Triage open alerts
Snooze alerts for later analysis
Update the alert for further investigation
Review the alert and start your investigation
Examine the entity and users
Update and close the alert
Modifying Alert Priorities
Searching for and Filtering Events in the Event Logging Page
Filter Live or Historical Events
Filter Only NetFlow Events
Filter for ASA or FDM-Managed Device Syslog Events but not ASA NetFlow Events
Combine Filter Elements
Search Historical Events in the Background
Search for Events in the Events Logging Page
Schedule a Background Search in the Event Viewer
Download a Background Search
Data Storage Plans
Extend Event Storage Duration and Increase Event Storage Capacity
View Security Analytics and Logging Data Plan Usage
Finding Your Device's TCP, UDP, and NSEL Port Used for Secure Logging Analytics (SaaS)
Troubleshooting Network Problems Using Security and Analytics Logging Events
FTD Dashboard
About the FTD Dashboard
View the FTD Dashboard
The FTD Dashboard Widgets
The Top Intrusion Rules Widget
The Top Intrusion Attackers Widget
The Top Intrusion Targets Widget
The Top Malware Signatures Widget
The Top Malware Senders Widget
The Top Malware Receivers Widget
The Malware Events by Disposition Widget
The Network Activity Widget
The Event Activity Widget
The Access Control Actions Widget
The Top Access Control Policies Widget
The Top Access Control Rules Widget
The Top Devices Widget
The Top Users Widget
The Unhealthy Devices Widget
The Top Loaded Devices Widget
Modify Time Settings for the FTD Dashboard
Cisco Secure Dynamic Attributes Connector
About the Cisco Secure Dynamic Attributes Connector
How It Works
History for the Cisco Secure Dynamic Attributes Connector
About the Dashboard
Dashboard of an Unconfigured System
Dashboard of a Configured System
Add, Edit, or Delete Connectors
Add, Edit, or Delete Dynamic Attributes Filters
Add, Edit, or Delete Adapters
Create a Connector
Amazon Web Services Connector—About User Permissions and Imported Data
Create an AWS User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
Create an AWS Connector
Azure Connector—About User Permissions and Imported Data
Create an Azure User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
Create an Azure Connector
Create an Azure Service Tags Connector
Create a GitHub Connector
Google Cloud Connector—About User Permissions and Imported Data
Create a Google Cloud User with Minimal Permissions for the Cisco Secure Dynamic Attributes Connector
Create a Google Cloud Connector
Create an Office 365 Connector
Create a Webex Connector
Create a Zoom Connector
Create an Adapter
How to Create an On-Prem Firewall Management Center Adapter
How to Create a Cloud-delivered Firewall Management Center Adapter
Create Dynamic Attributes Filters
Dynamic Attribute Filter Examples
Use Dynamic Objects in Access Control Policies
About Dynamic Objects in Access Control Rules
Create Access Control Rules Using Dynamic Attributes Filters
Troubleshoot the Dynamic Attributes Connector
Troubleshoot Error Messages
Get Your Tenant ID
Troubleshoot Using the Command Line
Troubleshooting
Troubleshoot a Secure Firewall ASA Device
ASA Fails to Reconnect to CDO After Reboot
Cannot onboard ASA due to certificate error
Determine the OpenSSL Cipher Suite Used by your ASA
Cipher Suites Supported by CDO's Secure Device Connector
Updating your ASA's Cipher Suite
Troubleshoot ASA using CLI commands
Troubleshoot ASA Remote Access VPN
Cannot Add ASA to an existing RA VPN Configuration
ASA Real-time Logging
View ASA Real-time Logs
ASA Packet Tracer
Troubleshoot an ASA Device Security Policy
Troubleshoot an Access Rule
Troubleshoot a NAT Rule
Troubleshoot a Twice NAT Rule
Analyze Packet Tracer Results
Cisco ASA Advisory cisco-sa-20180129-asa1
Confirming ASA Running Configuration Size
Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
Updating a CDO-Standard SDC Host
Updating a Custom SDC Host
Bug Tracking
Large ASA Running Configuration Files
Troubleshoot FDM-Managed Devices
Troubleshoot the Executive Summary Report
Troubleshoot FDM-Managed Device Onboarding
Failed Because of Insufficient License
Troubleshoot Device Unregistered
Troubleshooting Device Registration Failure during Onboarding with a Registration Key
Troubleshoot Intrusion Prevention System
Troubleshooting SSL Decryption Issues
Troubleshoot FDM-Managed HA Creation
FDM-Managed Device Executive Summary Report
Troubleshoot a Secure Device Connector
SDC is Unreachable
SDC Status Does not Become Active on CDO after Deployment
Changed IP Address of the SDC is not Reflected in CDO
Troubleshoot Device Connectivity with the SDC
Intermittent or No Connectivity with SDC
Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
Updating a CDO-Standard SDC Host
Updating a Custom SDC Host
Bug Tracking
Invalid System Time
SDC version is lower than 202311****
Certificate or Connection errors with AWS servers
Secure Event Connector Troubleshooting
Troubleshooting SEC Onboarding Failures
Troubleshooting Secure Event Connector Registration Failure
Troubleshooting NSEL Data Flows
Event Logging Troubleshooting Log Files
Run the Troubleshooting Script
Uncompress the sec_troubleshoot.tar.gz file
Generating SEC Bootstrap data failed.
SEC status is "Inactive" in CDO Secure Connectors page after onboarding
The SEC is "online", but there are no events in CDO Event Logging Page
SEC Cleanup Command
SEC Cleanup Command Failure
Use Health Check to Learn the State of your Secure Event Connector
Troubleshoot Cisco Defense Orchestrator
Troubleshooting Login Failures
Troubleshooting Login Failures after Migration
Troubleshooting Access and Certificates
Troubleshoot User Access with CDO
Resolve New Fingerprint Detected State
Troubleshooting SSL Decryption Issues
Troubleshoot Intrusion Prevention System
Troubleshooting Objects
Resolve Duplicate Object Issues
Resolving Inconsistent or Unused Security Zone Objects
Resolve Unused Object Issues
Resolve an Unused Object Issue
Remove Unused Objects in Bulk
Resolve Inconsistent Object Issues
Resolve Object Issues in Bulk
Unignore Objects
Device Connectivity States
Troubleshoot Device Unregistered
Troubleshoot Insufficient Licenses
Troubleshoot Invalid Credentials
Troubleshoot New Certificate Issues
New Certificate Detected
Troubleshoot Onboarding Error
Troubleshoot FDM-Managed Device Onboarding Using Serial Number
Claim Error
Provisioning Error
Resolve "Conflict Detected" Status
Resolve "Not Synced" Status
Troubleshoot Unreachable Connection State
FAQ and Support
Cisco Defense Orchestrator
FAQ About Onboarding Devices to Cisco Defense Orchestrator
FAQs About Onboarding Secure Firewall ASA to CDO
FAQs About Onboarding FDM-Managed Devices to CDO
FAQs About Onboarding Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
FAQs About On-Premises Secure Firewall Management Center
FAQs About Onboarding Meraki Devices to CDO
FAQs About Onboarding SSH Devices to CDO
FAQs About Onboarding IOS Devices to CDO
Device Types
Security
Troubleshooting
Terminologies and Definitions used in Low-Touch Provisioning
Policy Optimization
Connectivity
Complete the Initial Configuration of a Secure Firewall Threat Defense Device Using the CLI
About Data Interfaces
How CDO Processes Personal Information
Contact Cisco Defense Orchestrator Support
Export The Workflow
Open a Support Ticket with TAC
How CDO Customers Open a Support Ticket with TAC
How CDO Trial Customers Open a Support Ticket with TAC
CDO Service Status Page
Security and Internet Access
Internet Access Requirements
Open Source and 3rd Party License Attribution
Open Source and Third-Party License in SDC
Terraform
About Terraform
Open Source and 3rd Party License Attribution
Open Source and Third-Party License in SDC