Cisco's Cloud Defense Orchestrator - Alive and Kicking

June 24th, 2019
Cisco's Cloud Defense Orchestrator - Alive and Kicking

Cisco has a cloud-based management tool for IOS routers, ASAs, FirePOWER on ASA, ASA on FTD, Umbrella and real soon FTD on FTD.  A once forgotten about application, Cisco Defense Orchestrator (CDO) is still alive and kicking. 

CDO provides much-needed automation when delivering policy changes, software upgrades, and configuration assistance across a  plethora of Cisco security products.  It is also primed to add more value hooking into Stealthwatch's cloud offering for logging and advanced threat analytics in the near future.

Managing multiple firewalls can be daunting. Duplicate object and entries, shadow IT rules, and lack of an audit trail has made a Cisco firewall admin's job less than smooth.   Cisco does have a Security Manager product, but it is clunky, hard to use, and doesn't plug into with any of the next generation firewall features.  Clearly, something better is needed.

Along comes CDO.  It advertises being "up" in minutes and adding value day 1.  It is a true SAAS offering with device-specific licensing required.  You purchase the quantiles needed by model and device type and choose a duration for the service.

We will run through the turn-up process to show how quickly we can get started with CDO.

#1 After our CDO account is created, we are required to setup MFA.  With that completed, we login to CDO and begin setting up our account.

#2 We set up a Secure Device Connector  (SDC) from our portal.  We have two options for CDO to manage our equipment.   We can choose to have our devices managed directly from the cloud (they need to be directly accessible over the internet) or use an onsite proxy server.   We can build our own SDC with any CentOS box (8 MB of RAM 10G of disk) or deploy a pre-configured VMWare OVA file.  We also have the option of importing configurations for offline management of boxes we can't manage directly. 

CDO – Wizard – Getting Started

CDO – Wizard – Getting Started

 #3 Next, we are off to adding devices.  The configurations will be reviewed, and recommendations are generated to help with some common configuration problems.

In this example, we have onboarded an ASA using the Cloud Secure Device Connector.  This is provided at no cost. If we are adding a device that is managed through the same interface that is providing Anyconnect VPN, we need to change our default port number for ASDM.

ASA Changes for CDO access

http 52.34.234.2 255.255.255.255 outside

http 52.36.70.147 255.255.255.255 outside

http server enable 8443

 

CDO – Wizard – Getting Started

  • First we choose our device type

 CDO – Wizard – Getting Started

  • Next we provide device specific information

CDO – Wizard – Getting Started

  • After confirming it can connect to the device we are prompted for credentials.

 CDO – Wizard – Getting Started

In just a few minutes CDO has onboarded the device and is evaluating the policy

Policy Feedback - Clearly some work to be done!

Examine Shadow IT rules

 

We can also drill down to are heavy hit rules and see if there are any misconfigurations or obvious optimizations to be made.

 

 

  

Troubleshoot VPN issues

   

Perform bulk upgrades   

Review audit logs

Some other popular use cases are listed below. 

  • Reduce errors and misconfigurations with device templates
  • Discover inventory based on Smart License inventory (FTD 6.3 +)
  • Configure NGFW features with wizard walkthrough ease and feel
    • Easy roll back with multiple configuration revisions
    • Take advantage of licenses sitting dormant and unused
  • Migrate platforms
    • ASA to FTD, ASA to MX, MX to FTD
  • Manage a single block list across multiple Cisco security products
  • Perform rapid device deployment and replacement
  • Bulk upgrades with pre-staging
    • Supports intelligent failover monitoring

This is truly one of Cisco's more affordable solutions.  It’s able to support new and legacy devices easing the transition and streamlining new deployments.  For more information feel free to contact us at info@hainc.com

Join the High Availability, Inc. Mailing List

Subscribe