Demo Zone Cisco dCloud

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 29

Cisco Defense Orchestrator v1 - Instant Demo

Last Updated: 26-September-2019

About This Demonstration

This guide for the preconfigured demonstration includes:

• About This Demonstration

• Requirements

• About This Solution

• Scenario 1. Data Loss Prevention

• Scenario 2. Multi-Device Policy Compliance Checking

• Scenario 3. Multi-Device Policy Deployment

• What’s Next?

Requirements

The table below outlines the requirements for this preconfigured demonstration.

Required: Laptop

Optional: Cisco AnyConnect®

About This Solution

Cisco® Defense Orchestrator (CDO) is a cloud-based security policy management product that helps network operations establish and maintain a security posture by managing security policies across Cisco security devices. It is an always available, highly reliable, highly scalable, multi-tenant cloud platform.

The Defense Orchestrator analyzes security policy configurations for Cisco Adaptive Security Appliances (ASA), Cisco Adaptive Security Virtual Appliances, Cisco ASA with FirePOWER™ Services, Cisco Firepower™ Next-Generation Firewalls (NGFW), and OpenDNS. It identifies and resolves policy inconsistencies, models policy changes to validate their impact, and orchestrates policy changes to achieve consistency and maintain clarity in your security posture.

The Defense Orchestrator reduces the setup time, moves the cost from capital expenditures to operating expenses, and reduces day-to-day operational challenges. It provides a simple, consistent, and highly secure way of enforcing security policies, thus reducing costs and quickly delivering value in your security enforcement. Some of the functionality available includes:

• Security Posture Consistency

• End-to-End Policy Management

• Quick Time to Value

• Features and Benefits like easy onboarding, end-to-end policy analysis, modeling, remediation and visualization.

NOTE: The CDO demonstration is a shared environment among all dCloud users. It is recommended that users explore the full capabilities of CDO, but that major changes such as deleting devices be cancelled before confirming in the demonstration. This shared environment will also mean that some screenshot examples used in this guide may not appear exactly in the demonstration. The user should explore their dCloud CDO session using the examples provided to guide them, and not feel constrained to use the specific examples shown.

Scenario 1. Data Loss Prevention

Defense Orchestrator allows users to investigate data loss prevention in their organizations. In this scenario, CDO allows the user to set Application Policies for OpenDNS and FirePOWER devices in the organization from one management tool interface.

Steps

NOTE: The shared environment of the CDO dCloud demonstration means that not all examples will be reflective of your current session. Use the following steps to guide you through use of CDO capabilities, and be aware that some Devices & Services, Policies, Objects may appear differently based on user activity within the demonstration.

1. From the workstation, open the Chrome browser and log into the Defense Orchestrator environment using the saved credentials.

2. Begin the session with a reset of devices that have been altered in the shared environment. Click on Devices & Services from the top menu bar.

3. In the list of Devices & Services, locate any devices that are Not Synced. If all devices are Synced, continue to Step 7 in this Scenario.

4. Click on the row of a device that is Not Synced to open the corresponding edit window. Bangalore FirePOWER is shown here as an example.

5. In the edit window, click Read Policy to sync the device and remove changes made in the shared demonstration environment.

6. The Reload from device message window opens to advise of device changes. Click Continue.

NOTE: It may take a few minutes for CDO to reflect the updated Configuration Status.

7. Refresh the page, and check that the Configuration Status is now Synced. Repeat for any other devices that may be used in the demonstration.

NOTE: Defense Orchestrator treats each OpenDNS policy as an individual device in order to streamline oversight and management of changes.

8. Click on Policies on the top menu bar, and click on Application from the drop-down menu.

NOTE: CDO enables blocking of any file sharing application. For this example, we will use Dropbox.

9. In the Application Policies search bar, type ‘dropbox’.

10. Click on the Online Storage and Backup row to view policies in the URL Category for OpenDNS and FirePOWER devices.

11. In the Application Policies list, select the OpenDNS and FirePOWER devices to update. To select multiple devices, click on one row and hold down the CTRL key as you click on other rows. After you select the devices, CDO indicates that the Policy rules for the multiple devices are Inconsistent.

12. In the Rule Action window, change the rule from Inconsistent to Block.

13. Once Block is selected for the policy rule, CDO successfully creates policies that block users from online storage and backup for the Dropbox URL.

14. Next, go to the Devices & Services page to view the updated devices. Click on the row of a device that you added an application policy to in the previous steps. Bangalore FirePOWER is shown here as an example.

15. In the edit window, click on Write Changes.

16. In the Policy Sync window that opens, click on the URL Categories tab.

17. Scroll down to review the status of each category as Synced or Not Synced. In this instance, note that the Online Storage and Backup category that was updated in the Application Policies is Not Synced.

NOTE: Writing the application policy to the device can take 1-2 minutes before CDO reflects the update.

18. Click the Sync Policy button, and CDO will write the application policy to the device.

Scenario 2. Multi-Device Policy Compliance Checking

Defense Orchestrator enables administrators to look for problems in their environments from a high-level view. In this scenario, we will look at Object and Access Group inconsistencies. CDO is able to identify and expose these problems, and allows administrators to fix them for consistent policy management from one place with one tool.

NOTE: The shared environment of the CDO dCloud demonstration means that not all examples will be reflective of your current session. Use the following steps to guide you through use of CDO capabilities, and be aware that some Devices & Services, Policies, Objects may appear differently based on user activity within the demonstration.

Steps

19. Begin by selecting Objects from the top menu row.

20. From the Objects Filter window, click on Issues to expand the menu.

21. From the list of Object Issues, click on Duplicate to view and resolve objects that are identical on the network.

22. Choose one of the identified pairs with identical network objects, and click on Duplicate to open Object Details.

23. Scroll down each item in the Object Details window to view the shared Network and Relationships that CDO has identified for each object.

24. Click Pick to Keep to resolve the duplicate issue.

25. Select the Object to keep, and click on the corresponding box. Click Resolve to keep the selected object.

26. Review the Devices, Access Groups and Parent Objects that CDO identifies as affected. Click Confirm to tell CDO to send the command to remove duplicates.

27. CDO displays an update that the duplicates are removed.

28. To resolve unused objects on the network, click Unused from the Object Issues menu to open the list.

29. Select an item on the Objects list, and click on it to expand and open the detail window. The partner_nets object is shown as an example.

30. In the detail window, review Network and Relationships. Click the Garbage Can icon to remove the unused object from the network.

31. Review the list of devices on which CDO has found the unused object, and select one or all of the device locations. Click Remove to eliminate the unused object from the selected devices.

32. CDO displays an update that the object is removed.

33. To resolve inconsistent objects that CDO has identified, click on Inconsistent in the Object Issues list.

34. Select one of the inconsistent objects, and click in the box to expand the Object Details window for comparison.

35. Scroll down in each object window to view the details and compare.

36. After reviewing the details, click on Merge All to resolve the inconsistencies.

37. Review the Devices, Access Groups and Parent Objects that CDO has identified across the network. Click Confirm to merge all items.

38. CDO displays an update that the merge command is sent.

39. To view and compare Shared objects across the network, click on Shared to open the list.

40. Select an object from the list, and click on the row to open the expanded edit window. The block-list object is shown here as an example.

41. In the object edit window, click Edit.

42. In the Edit Network Group window, click on Add Object.

43. Select an object or element from the listing and click Select.

44. The object or element displays in the Editing Network Group window. Click Save.

45. Review the Devices, Access Groups and Parent Objects that CDO has identified as affected. Click Confirm.

46. Next, we will look at how to edit network object policies for access groups. Go to the top menu bar and click on Policies, then click Network from the drop-down menu.

47. Select a policy from the list, and click the plus sign (+) in its row to expand the details and open the edit window. The outside_access_in policy for Amsterdam is shown here as an example.

48. In the policy edit window, click Edit Policy to access edit options.

49. In Access Rules Edit Tools, click the plus sign (+) to add a row to the network policy that allows you to define the new access rule.

50. In the new row, select the Source column and click on any to expand the drop-down menu. Click on the named source (in this example, it is North_Korea).

51. CDO adds the selection to the Objects Unused list in the edit window.

52. In the detail edit window, click Save to keep the new Access Rule for the Network Policy.

53. Review the devices that CDO has identified as affected, and click Confirm.

54. View the detail edit windows to see that the Access Rule has been added as a Named Policy to the affected devices listed.
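The Duplicate, Unused and Inconsistent object issues resolved in steps 21 to 38 can be illustrated with a short script over a multi-device inventory. This is an added example, not Cisco's code or a description of how CDO works internally; the category definitions in the docstrings, the inventory layout, all addresses, and the blocked_hosts and web_servers names are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample inventory (not taken from the demo environment):
# device -> network objects and access rules as (policy, source, destination).
INVENTORY = {
    "Amsterdam": {
        "objects": {
            "block-list": ["203.0.113.0/24", "198.51.100.0/25"],
            "blocked_hosts": ["198.51.100.0/25", "203.0.113.0/24"],
            "partner_nets": ["192.0.2.0/24"],
            "web_servers": ["10.1.1.0/28"],
        },
        "rules": [
            ("outside_access_in", "block-list", "web_servers"),
            ("outside_access_in", "blocked_hosts", "web_servers"),
        ],
    },
    "San Jose": {
        "objects": {
            "block-list": ["203.0.113.0/24"],
            "web_servers": ["10.1.1.0/28"],
        },
        "rules": [("outside_access_in", "block-list", "web_servers")],
    },
}


def normalize(members):
    """Order-independent canonical value of an object's member list."""
    return frozenset(ip_network(m, strict=False) for m in members)


def find_duplicates(inventory):
    """Assumed definition: objects on one device with different names but identical contents."""
    result = {}
    for device, cfg in inventory.items():
        by_value = defaultdict(list)
        for name, members in cfg["objects"].items():
            by_value[normalize(members)].append(name)
        groups = sorted(sorted(n) for n in by_value.values() if len(n) > 1)
        if groups:
            result[device] = groups
    return result


def find_unused(inventory):
    """Assumed definition: objects defined on a device that no access rule references."""
    result = {}
    for device, cfg in inventory.items():
        referenced = {obj for _, src, dst in cfg["rules"] for obj in (src, dst)}
        unused = sorted(set(cfg["objects"]) - referenced)
        if unused:
            result[device] = unused
    return result


def find_inconsistent(inventory):
    """Assumed definition: one object name whose contents differ between devices."""
    values = defaultdict(dict)  # object name -> {device: canonical value}
    for device, cfg in inventory.items():
        for name, members in cfg["objects"].items():
            values[name][device] = normalize(members)
    return {name: sorted(per_dev) for name, per_dev in values.items()
            if len(set(per_dev.values())) > 1}


if __name__ == "__main__":
    print("Duplicate:   ", find_duplicates(INVENTORY))
    print("Unused:      ", find_unused(INVENTORY))
    print("Inconsistent:", find_inconsistent(INVENTORY))
```

Comparing canonical values rather than raw text is what lets the two differently ordered Amsterdam lists register as one duplicate pair, and it is why the block-list object is flagged as inconsistent between the two devices.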

Scenario 3. Multi-Device Policy Deployment

Value Proposition: In this scenario, we will explore how Defense Orchestrator allows the user to make a change to rules across all of their ASA devices.

NOTE: The shared environment of the CDO dCloud demonstration means that not all examples will be reflective of your current session. Use the following steps to guide you through use of CDO capabilities, and be aware that some Devices & Services, Policies, Objects may appear differently based on user activity within the demonstration.

Steps

55. Click on Devices & Services on the top menu bar. View the list of ASA devices that are listed as Not Synced in the Configuration Status column.

56. Click on the row of an ASA device that is not synced to open the detailed Configuration edit window. Click on Write Changes…. The San Jose ASA device is shown here as an example.

57. The Device Sync window opens while CDO generates executable commands, and displays Commands when complete.

NOTE: The dCloud CDO demo is a shared environment. For purposes of this demonstration, we do not recommend applying changes to devices. Continue to the next steps to learn how to download a file with configuration change commands from this window.

Value Proposition: Defense Orchestrator generates a Configuration Change Command that can be downloaded and saved for use in change communication decisions, design review meetings, and multiple other configuration records. The Commands download file also includes Revert Commands.

58. Click View Manual Synchronization Instructions to access configuration details and save a file with the Configuration Change Commands.

59. Click on Download Commands to download the configuration file.

60. Open and review the Configuration Command file with the Revert commands.

61. Click Got It to close the Device Sync download command window.

What’s Next?

Check out the related information to learn more about Firepower offerings.

Cisco Firepower Next-Generation Firewall 6.3 Basics Lab v2.4

Cisco Firepower Next-Generation Firewall 6.3 Advanced Lab v2.4

Cisco Firepower Management Center - Executive Summary for Cisco Sales

Cisco Firepower 6.4 FXOS Multi-Instance Lab v1.1