Cisco Defense Orchestrator Review

Security admin can see changes on a firewall and determine if they are permitted

What is our primary use case?

My primary use case was just to see what the solution is about. I'm a system engineer and a Cisco partner. I was using the trial to see what it can do.

I rolled it out in my home lab. I have a Cisco ASA firewall so I used it to push configurations to my firewall. I used the Secure Device Connector as a virtual appliance, so I rolled it out like a production environment.

How has it helped my organization?

It could improve things when I need to create an object and to create a new policy. Instead of logging into several devices, one at a time, I could push the policy at one time and mitigate, let's say, vulnerability. Instead of taking three hours or two days, I could do it in 30 minutes. It would save time.

It could improve visibility. When I try to push a configuration tool to my firewall locally - instead of doing it through Defense Orchestrator - I can see through the Defense Orchestrator that configuration on the firewall doesn't match. In that way, it can provide better visibility for a security administrator. He can see that there have been changes on this firewall and determine if they are permitted changes.

In terms of the management of firewalls or firewall builds, it is possible to do upgrades from Defense Orchestrator. I could also push new certificates and that would help because I wouldn't have to go to each firewall or each device to deploy a new certificate or upgrade. I could do it all from a single pane of glass.

Its support for ASA, FTD, and Meraki MX devices could potentially free up staff to do other work, although I have not tried the FTD or the MX.

What is most valuable?

The most valuable feature is that you can push one policy or one rule out to several devices at a time. That's pretty neat.

What needs improvement?

If I make a change locally to the firewall, CDO gives an alarm or an error message and says there's a change in compliance: "The firewall has this configuration but the last time it was compiled it had that configuration." That view of new changes versus the old could be better. Which one is the new configuration? Which one is the old one? I had trouble seeing which configuration of the two which CDO showed me was the one that was actually running. I had to log in manually, locally on the firewall, to check which version, which configuration, was actually running. I couldn't see it in CDO.

For how long have I used the solution?

I used it for a month as long as my trial was running. It was a PoV so I can go sell it. The trial ended two or three weeks ago.

What do I think about the stability of the solution?

The stability seems fine. I didn't experience any outages.

How are customer service and technical support?

The tech support was great.

Which solution did I use previously and why did I switch?

I'm using Cisco ISE, and I use Firewall Device Manager, and FireSIGHT Manager Center. I haven't worked with Defense Orchestrator in-depth as I have been with the FireSIGHT Manager Center (aka FirePOWER Manager Center) but what I can see and what I have experienced is that Defense Orchestrator is better built than FirePOWER Manager Center.

There are a lot of things you can't do with the FireSIGHT Manager Center. You have to have FirePOWER Management Center to get all the features. You install the FirePOWER device manager on the device to get rid of FirePOWER Management Center, but some of the features aren't available in the Firepower device manager if you don't have the FirePOWER Management Center. That's not good.

Now there is Adaptive Security Device Manager (ASDM). If we compare these two, Defense Orchestrator is much better because you can handle many devices at once.

How was the initial setup?

I had a problem. I couldn't deploy the Secure Device Connector. I tried to deploy it in a VMware environment and I had some issues. I needed help from Cisco tech. I also had an issue deploying the on-prem virtual appliance. I had a Cisco guy helping me and he solved it for me.

If I didn't have those issues, it would have taken one hour, but because of the issue it took me three days. It took three days because I had to wait for a technician to become available. When the technician was available, we solved it in two to three hours. That was okay.

But I have tried many of Cisco's products and, normally, it's pretty straightforward to deploy their products or services.

Once it was up and running, I could see value from it straight away, in the first minute. I saw that I could push policies from the cloud. I could push certificates, I could push upgrades. I could push a command line. I could do anything. The value was not hard to see.

What was our ROI?

For one customer I have in mind, I think it could save up them eight to ten hours per week.

What's my experience with pricing, setup cost, and licensing?

I tried to see what the pricing is. What I could see it is that it is about a $100 per year for the ASA 5506 firewall, and from there it keeps going up if you have a bigger box. For example, the 5516 is $200 to $300 per year. It can sound like a lot but I see the potential it has to free up many hours of technician time. So the pricing is okay.

What other advice do I have?

It's worth it to dive in. If you have an environment with several firewalls, more than five, I would recommend just doing it.

The biggest lesson I've learned from using it is that you can configure multiple devices at once.

In terms of its security features for storing firewall configurations in the cloud, I'm not bothered by it. I don't see that as a security issue because I believe that Cisco is protecting it. I'm generally not against the cloud. It's good that we can do more and more from a single pane of glass, like Cisco Meraki, Cisco Defense Orchestrator, DNA Center, and so on. They should keep going in that direction. I think it's good.

I didn't try that many features but I can see that it has a VPN feature. I would like to try some of these things, but I only have one firewall. It's difficult to do everything with one firewall. I would like to test out the VPN functionality and how it can save time in troubleshooting. I would also like to test the ease of creating new VPNs between firewalls.

I would rate CDO at ten out of ten. It's a nice product and that's taking into account my experience with other products.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.

Add a Comment