Cisco Cdo


Clustered around the established CEO, COO, and CFO roles is a whole new line of commanders-in-chief, like the emerging CDO. These roles steer the increasingly elaborate data and tech operations of the world’s biggest firms.

Though there is no doubt that these new tech-focused positions can and should overlap, an understanding of their varying ownerships and responsibilities is critical for companies that want to divide and conquer their expanding technological operations successfully.

NOTE: Connection 7.1(3) and later has support for administration tasks via a REST-based API. A new developer support site for Connection was put up with the release of 7.1(3) and can be found at the Developer support forums site, which has links to resources including support forums and samples related to CUPI/CUMI/CUNI or any of the REST APIs related to Connection.

The Traditional Players

For the purposes of this discussion, description will center on the engagement between the CTO (Chief Technology Officer), the CIO (Chief Information Officer), the CMO (Chief Marketing Officer), the CDO (Chief Digital Officer), and the other variety of CDO (Chief Data Officer).

All of these roles vary, of course, depending on the company’s product and business model — and larger firms may boast all five of these roles while some may focus responsibility onto just two or three.

The first to consider are the CTO and CIO, two positions that are most often conflated. A CIO is a go-to commander and problem solver for a company’s existing technologies, responsible for making sure that the company is consistently adapting to new and necessary tech and IT products, including software or hardware.

  1. Cisco Defense Orchestrator (CDO) is a cloud-based multi-device manager you can use to manage security policy changes across various security products. This platform enables the efficient management of policies in branch offices and other highly distributed environments to achieve a consistent security implementation.
  2. The Cisco Defense Orchestrator (CDO) is a cloud-based multi-device manager that allows network operations staff to establish and maintain consistent security policies across Cisco security devices such as the Adaptive Security Appliance (ASA) and Cisco Firepower Next-Generation Firewalls (NGFW).
  3. Dec 17, 2019 Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security policies and device configurations with ease across multiple Cisco and cloud-native security platforms. Setup is easy, fast, and frictionless, allowing customers to onboard and start managing hundreds of devices within hours.
  4. CDO is cloud based (a local VM with small resources can be used to communicate with the cloud so that your devices’ management is not exposed). Think of CDO as the Meraki portal for Cisco security firewalls. CDO for FTD is based on FDM capabilities, meaning the feature limitations of FDM compared to FMC-managed devices will still be there.

The CTO’s focus, on the other hand, is on identifying and implementing new technologies, and he or she is the more externally driven of the two roles — the CTO is tasked with making sure that customers and clients are on the receiving end of the highest-quality and most efficient technology possible.

To maximally simplify these functions: a CTO handles external operations and improvements, while a CIO’s focus is largely internal.

The next and most easily differentiable role is the CMO. Often referred to as a company’s informative “nexus,” the CMO’s responsibilities span from sales to product development to marketing and even further into customer service.

As this marketing-driven nexus, a CMO must work closely with other C-level employees to make sure that the marketing sector is utilizing the most up-to-date technologies and strategies to promote their product or brand to the world.

Chief Data Officer

The last two roles, Chief Digital Officer and Chief Data Officer, share an acronym but are otherwise very different. As you might expect, a data officer extracts and analyzes data to inform a company’s business strategy; they must know how to gather information and, more importantly, they must know how to use it to improve a business effectively.

The Critical Chief Digital Officer

The Chief Digital Officer, on the other hand, is a role that’s appearing more frequently and is becoming more necessary. In the most general sense, a digital officer oversees data and technology assets with a marketing and strategically sensitive eye.

In many ways, a fruitful combination of the CIO, CTO, and CMO — and also, perhaps, their eventual successor — a CDO’s job is to constantly reshape a company’s structure and strategies to ensure that the company takes advantage of new technologies and data services, including those involving social and mobile.

The most important role of the CDO is to anticipate disruption and remain focused on the need for reinvention and innovation within the organization. The speed of digital innovation and disruption is accelerating and organizations must have a leader dedicated to staying ahead of the curve. The CDO must have the foresight to see where the industry is headed, but also the internal clout to get it done. This can involve sparring with board members and other C-suite execs – conflicts between CIOs and CDOs can be frequent, as tech-stacks struggle to keep up with new integrations.

All of these responsibilities make the CDO a challenging but critical position for any company hoping to become a digital (and therefore industry) leader.

The Common Goal

Differences in roles and responsibilities aside, most of these officers are working toward a greater common goal: using tech to better business.

Although some positions are certainly more data-driven while others are geared toward marketing, it is most important to note that companies are increasingly assigning C-level roles to people who know how to seamlessly blend technology into an overall business strategy and daily operations.

Many of these positions didn’t exist a decade or two ago, with the CDO specifically becoming an increasingly sought-after title; more and more former CDOs are being appointed to CEO spots, thanks to their importance in driving company growth.

Ultimately, the names of these positions do not matter; what matters is that a company devotes the necessary resources to hiring, training, and capitalizing on C-level digital experts.

As the business world continues to spin on a data-tilted axis, making the move from conventional business models to tech-driven ones is more important than ever. What matters most in the digital world is that all of these positions, and the people who fill them, are on the same page, working together to develop a cohesive 360-degree approach to business that exists outside of technical titles.

Cisco Defense Orchestrator (CDO) is Cisco’s cloud-based management solution, which enables centralised management of security devices and policies. CDO provides the ability to share configuration such as network objects and policies across multiple Cisco devices (ASA, FTD, Meraki and IOS switches). CDO communicates with an organisation’s managed devices using a proxy called the Secure Device Connector (SDC), which can be either cloud-based or on premises. The SDC monitors CDO for commands and messages that need to be executed on the managed devices; it executes the commands on behalf of CDO and sends messages to CDO on behalf of the managed devices.

This post covers the basic onboarding of Cisco ASAv and Cisco FTDv devices into CDO using a cloud-hosted SDC.

Onboard ASA

ASA Configuration

Before attempting to establish a connection from CDO to the ASA, inbound HTTPS access must be permitted from the CDO servers 35.157.12.126 and 35.157.12.15 to the outside interface.

Define a dedicated MGMT user account for CDO

Define a basic Access List

Define network objects
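The three ASA steps above are given on this page only as headings. As an added example that is not from the original post or from Cisco, the Python script below embeds a constructed running-config excerpt implementing them (a dedicated local user, HTTPS management access restricted to the two EMEA SDC addresses on the outside interface, a network object and the OUTSIDE_IN access list) and audits it the way you would audit `show running-config http` output after onboarding, on either the ASA or the FTD. It flags HTTPS management open to any source, entries on an unexpected interface, sources that are not the region’s SDC addresses, a missing SDC entry, and the absence of a dedicated CDO user. The user name `cdo-mgmt`, the object name and subnet, and the password placeholder are assumptions; the SDC addresses per region are the ones given in this post.

```python
"""Audit an ASA/FTD running-config excerpt for CDO management access.

Added example, not part of the original post. It parses the `http` lines
that control HTTPS (ASDM/CDO) management access and checks them against
the Secure Device Connector addresses the post lists for each region.
"""
import ipaddress
import re

# SDC source addresses per region, as listed in the post.
CDO_SDC_ADDRESSES = {
    "EMEA": ("35.157.12.126", "35.157.12.15"),
    "US": ("52.34.234.2", "52.36.70.147"),
}

# Constructed sample of the ASA configuration steps (dedicated MGMT user,
# HTTPS access from the EMEA SDC, a network object, a basic ACL). The user
# name, object name, subnet and password placeholder are assumptions.
SAMPLE_ASA_CONFIG = """\
username cdo-mgmt password <PLACEHOLDER-HASH> privilege 15
aaa authentication http console LOCAL
http server enable
http 35.157.12.126 255.255.255.255 outside
http 35.157.12.15 255.255.255.255 outside
object network INSIDE-NET
 subnet 10.10.0.0 255.255.252.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
"""

# `http A.B.C.D MASK IFACE` has three tokens after `http`; `http server enable` has two.
HTTP_LINE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)$")
USER_LINE = re.compile(r"^username\s+(\S+)\s")


def parse_http_access(config):
    """Return [(ip_network, interface)] for every HTTPS management-access line."""
    entries = []
    for line in config.splitlines():
        match = HTTP_LINE.match(line.strip())
        if not match:
            continue
        try:
            net = ipaddress.ip_network(f"{match.group(1)}/{match.group(2)}", strict=False)
        except ValueError:
            continue  # e.g. `http redirect outside 80`, which is not an access entry
        entries.append((net, match.group(3)))
    return entries


def local_users(config):
    """Return the local user names defined with `username ...` lines."""
    matches = (USER_LINE.match(line.strip()) for line in config.splitlines())
    return [m.group(1) for m in matches if m]


def audit_management_access(config, region="EMEA", interface="outside", user_prefix="cdo"):
    """Return a list of findings; an empty list means the config matches the post's guidance."""
    findings = []
    expected = {ipaddress.ip_network(f"{a}/32") for a in CDO_SDC_ADDRESSES[region]}
    seen = set()
    if "http server enable" not in [line.strip() for line in config.splitlines()]:
        findings.append("HTTPS server is not enabled; CDO cannot connect")
    for net, iface in parse_http_access(config):
        if net.prefixlen == 0:
            findings.append(f"HTTPS management open to any source on {iface}")
        elif iface != interface:
            findings.append(f"unexpected HTTPS access entry {net} on {iface}")
        elif net in expected:
            seen.add(net)
        else:
            findings.append(f"HTTPS access from non-SDC source {net} on {iface}")
    for missing in sorted(expected - seen, key=str):
        findings.append(f"missing HTTPS access entry for SDC {missing.network_address} on {interface}")
    if not any(u.startswith(user_prefix) for u in local_users(config)):
        findings.append(f"no dedicated CDO user (expected a username starting with '{user_prefix}')")
    return findings


if __name__ == "__main__":
    # The sample is configured for EMEA, so auditing it as a US deployment reports findings.
    for region in CDO_SDC_ADDRESSES:
        result = audit_management_access(SAMPLE_ASA_CONFIG, region)
        print(f"{region}: {'OK' if not result else result}")
```

Feed it the actual `show running-config` output captured from the device and pass the region the SDC lives in; anything other than an empty list is worth fixing before clicking Connect, and an any-source entry on the outside interface should never pass.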

CDO Configuration

  • Login to the CDO Dashboard https://www.defenseorchestrator.eu or https://defenseorchestrator.com
  • Navigate to Devices & Services
  • Click + select ASA
  • Click Use Credentials
  • Enter the Device Name and Device Location (IP address or FQDN)
  • Enter the credentials (Username and Password)
  • Click Connect
  • Add labels (optional)
  • Click Continue
  • Click Finish

Onboard FTD

If you are connecting to the EU hosted CDO cloud service https://www.defenseorchestrator.eu then you must use the Use Credentials (Username/Password/IP Address) onboarding method. Registering with a token is not currently supported on the EU CDO servers.

  • Before you start, ensure that the FTD is not registered in Smart Licensing
  • You can only onboard FTDs managed locally by FDM; FTDs managed by an FMC cannot be managed by CDO.


FDM Configuration

The FTD can be managed from the CDO Cloud SDC using either the dedicated Management interface or the outside data interface. Using the dedicated management interface is the better option and best practice, as it allows the outside interface and routing to be reconfigured without fear of losing connectivity. However, in certain customer scenarios a dedicated management interface connected to the internet is not possible. The configuration below covers management via either the dedicated management interface or the outside data interface.

Management Access via OUTSIDE interface

If managing the FTD over the internet to the FTD’s outside interface, inbound HTTPS access must be permitted from the CDO SDC servers 35.157.12.126 and 35.157.12.15 for Europe, Middle East and Africa (EMEA) or 52.34.234.2 and 52.36.70.147 for United States.

  • Navigate to Objects > Networks
  • Click + to create a new host object
  • Define a new object called CDO-SDC-EU-1, type HOST with an IP address of 35.157.12.126
  • Define another object called CDO-SDC-EU-2, type HOST with an IP address of 35.157.12.15
  • Navigate to Device: DEVICENAME > System Settings > Management Access
  • Click Data Interfaces
  • Click Create Data Interface
  • From the drop-down list select outside interface
  • Specify the allowed protocols as HTTPS
  • Specify the Allowed Networks as CDO-SDC-EU-1 and CDO-SDC-EU-2
  • Click Ok
  • Click to deploy the configuration changes to the FTD
  • From the CLI enter the command show running-config http to confirm the correct settings have been applied

Management Access via Management Interface

If the data interface is not being used for CDO management, then the management interface must have internet access in order to communicate with the Cloud SDC. If using an on-premises SDC, internet access from the management interface would not be required.

  • Navigate to Device: DEVICENAME > System Settings > Management Access
  • Click Data Interfaces

By default, HTTPS and SSH are accessible on the management interface from any network. Connectivity from the Cloud SDC should work without any changes. Modify the allowed networks if required.

Policy Configuration

  • Navigate to Policies > Access Control
  • Define a basic policy

CDO Configuration

  • Login to the CDO Dashboard
  • Navigate to Devices & Services
  • Click + select FTD
  • Click Use Credentials
  • Enter the Device Name and Device Location (IP address or FQDN)
  • Click Go

CDO will connect to the outside interface IP address on port 443. If an ISP router is in front of the FTD and performing NAT, then port forwarding may need to be set up in order to forward TCP/443 to the FTD’s outside IP address.

Once connectivity has been established you will be prompted to enter the username and password.

  • Enter the MGMT username and password

As of FTD 6.4 it is not possible to create additional MGMT user accounts to use as a dedicated CDO account.

  • Click Connect


  • Add labels (optional)
  • Click Finish

Verification

We will now confirm that the ASA and FTD have successfully onboarded into CDO.

  • Login to the CDO Dashboard
  • Navigate to Devices & Services

The devices should appear as Synced and Online.

  • Click the FTD object

You will observe the configuration options specific to this device

  • Click Interfaces

You will notice that only the data interfaces are configurable. If the outside interface is used for CDO management, then be aware that any changes made to the outside data interface could result in loss of connectivity to CDO.


  • Navigate to Configuration >Objects

Observe that the objects defined either in FDM or on the ASA are present in the CDO Dashboard. You can confirm which device(s) the object is used on.

  • Click one of the objects; you then have the ability to Edit the object
  • Modify the object by changing the subnet mask
  • Click Save

Notice that the Devices with Pending Changes button changes.

  • Click the button
  • Click the Device with the pending change

Scroll through the configuration and observe the change made, which is helpfully highlighted.

  • Click Deploy Now
  • Click the Jobs button (left hand side of the screen) to confirm when the change has been applied.
  • Login to the CLI of the ASA and run show running-config object

Observe that the subnet mask has been changed from /22 to /23

  • Return to the CDO Dashboard
  • Navigate to Policies > ASA Policies

Observe the ASA’s Access List called OUTSIDE_IN has been imported.

  • Click the ACL

You will notice that the ICMP entries in the ACL each appear to be configured the same; the rule rows do not distinguish between ICMP echo-reply, time-exceeded or unreachable as defined in the actual ACL.

Click on one of the ICMP lines and you will notice that, at the bottom of the Network Policy section, CDO does define the ICMP Type correctly. In the screenshot below, we can confirm the ICMP Type is time-exceeded.
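Both verification points above, the object mask change confirmed with show running-config object (/22 to /23) and the ICMP rules whose type is only visible once a rule is opened, can be checked from captured CLI output rather than by eye. The Python script below is an added example, not code from this post or from Cisco. Its two running-config excerpts are constructed (the object names and subnets are assumptions), and it reports which objects changed between a before and an after snapshot and lists the ICMP type on each rule of the OUTSIDE_IN access list, so what the device enforces can be reconciled with what the CDO rule table shows.

```python
"""Reconcile CDO's view of objects and the OUTSIDE_IN ACL with ASA CLI output.

Added example, not part of the original post. Parses `object network` blocks
and extended access-list lines from running-config excerpts.
"""
import ipaddress

# Constructed samples: running-config excerpts before and after the object
# edit deployed from CDO. Object names and subnets are assumptions.
BEFORE = """\
object network INSIDE-NET
 subnet 10.10.0.0 255.255.252.0
object network WEB-SERVER
 host 10.20.0.10
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE_IN extended deny ip any any
"""
# After the CDO edit: INSIDE-NET mask changed from /22 (255.255.252.0) to /23.
AFTER = BEFORE.replace("255.255.252.0", "255.255.254.0")


def object_networks(config):
    """Map each `object network NAME` to its subnet or host as an ip_network."""
    objects, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["object", "network"] and len(tokens) == 3:
            current = tokens[2]
        elif current and tokens[:1] == ["subnet"] and len(tokens) == 3:
            objects[current] = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif current and tokens[:1] == ["host"] and len(tokens) == 2:
            objects[current] = ipaddress.ip_network(f"{tokens[1]}/32")
        elif not line.startswith(" "):
            current = None  # an unindented line ends the object block
    return objects


def changed_objects(before, after):
    """Return {name: (old_network, new_network)} for objects whose definition changed."""
    old, new = object_networks(before), object_networks(after)
    return {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}


_SINGLE_TOKEN = {"any", "any4", "any6"}


def _skip_address(tokens, i):
    """Skip one address specification starting at tokens[i] and return the next index."""
    if tokens[i] in _SINGLE_TOKEN:
        return i + 1
    return i + 2  # host X, object X, object-group X, interface X, or A.B.C.D MASK


def acl_rules(config, acl_name):
    """Parse the extended rules of an ACL into dicts with action, protocol and ICMP type."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] != ["access-list", acl_name, "extended"]:
            continue
        action, proto = t[3], t[4]
        i = _skip_address(t, 5)   # source
        i = _skip_address(t, i)   # destination
        rest = t[i:]              # optional ICMP type, port operator, or `log`
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else None
        rules.append({"action": action, "protocol": proto, "icmp_type": icmp_type, "line": line})
    return rules


def icmp_types(config, acl_name):
    """List (action, icmp_type) for the ICMP rules of an ACL, in ACL order."""
    return [(r["action"], r["icmp_type"]) for r in acl_rules(config, acl_name) if r["protocol"] == "icmp"]


if __name__ == "__main__":
    for name, (old, new) in changed_objects(BEFORE, AFTER).items():
        print(f"{name}: {old} -> {new}")
    for action, itype in icmp_types(AFTER, "OUTSIDE_IN"):
        print(f"{action:6} icmp {itype}")
```

Run it against `show running-config` captured before and after Deploy Now: the changed-objects report should contain exactly the object you edited, and the ICMP list should match the per-rule types shown when each rule is opened in CDO.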

  • Navigate to Policies > FTD / Meraki / AWS Policies

We can confirm the FTD’s policy has been imported.

Clicking the policy will confirm the configuration, which should mirror what was configured using FDM.

Additional rules can be created by clicking the and then deploying to the device.

This post is just an overview of what is possible with CDO, hopefully enough to get you started.