Cisco Defense Orchestrator Review

Helps us identify shadow rules and duplicated objects which aren't being used


What is our primary use case?

We have around 30 firewalls and we use it to centrally manage the firewalls. We use it to have one panel where we can log in and see all the firewall rules, all the objects, where they're deployed, where they duplicate across firewalls. We use it to maintain the configuration. We also use it to perform centrally managed updates. We can update ASDM and ASA images on the firewalls.

We have a connector on-premise and we have that linked to all of our ASAs internally. It runs within their cloud environment, which I believe is AWS. It talks back to a cloud connector on-premise which, in turn, talks to all of our firewalls to manage them centrally.

We use it daily for firewall administration and change management, and we use it as and when required to do all the software and firmware upgrades.

How has it helped my organization?

It is saving us at least a week's worth of work because we can log in and instantly see what version all the ASAs are at and which ones need to be upgraded. If we have a vulnerability and we need to patch that vulnerability, we can log in and see which ASAs are at which version, and then we can apply that patch. It's saving us a lot of time because we're not going around to all the ASAs and looking at the versions.

The other thing it's helped us identify is where we've got shadow rules and duplicated objects which aren't being used. Before, we probably wouldn't have detected those objects and the shadow rules; where there's a rule that conflicts with another rule, we wouldn't necessarily have picked that up. Now, CDO highlights that for us. It makes us have a more consistent rule set. It makes our configuration better because we haven't got rules in there that are not doing anything or are duplicated.

Regarding auditing or the visibility into security, it gives me a full change-log of all the changes that are going on across all of the ASAs, and I wouldn't have had that before, necessarily. It gives me that and, from a security point of view, obviously it gives me rules that are shadowed, as I mentioned, which improves security because we do not have duplicate rules everywhere.

Defense Orchestrator has made my network team more productive, since it's the network team which manages it. I can't talk about the security team because that's a separate team which doesn't do any management of the solution.

Also, the support for ASA helps us to maintain a consistent approach.

What is most valuable?

The most valuable feature is being able to do centralized upgrades on the ASAs. We can literally go in and tick a bunch of ASAs - we have them grouped within their business uses. We can select all of those ASAs, and say, "Upgrade these ASAs at this scheduled time." It will copy down the ASA image, ASDM image, and then do the upgrade and failovers, and then put it all back into service as required at a scheduled time. It automates that process for us.

We use the command-line tool quite a lot to push out bulk commands and changes to ASAs. That saves us a considerable amount of time. We have firewalls that are used for guest WiFi access. We try and maintain them as a standard policy. We can do that centrally and push that out.

As for its security features around storing our firewall configurations in the cloud, I take it that it's secure, from conversations I had at the time. It's all encrypted at rest and in transit. That goes through our security team, who respond with that information. It doesn't concern me particularly because I know it's all encrypted. We also use two-factor authentication to be able to log in to the solution as well. Obviously, you need the username and password, and you need the multifactor authentication key. That's built in; we use the one that's provided by CDO, which is OneProtect. That works for rules.

Everybody has their own login and I've got a full, change-management log view, so I can see who's done what changes. The other advantage we get from that is, if somebody makes a change and there happens to be an out-of-hours issue, the users can log back in and they can look at the changes that were made on that firewall, and they can roll it back by clicking a button.

What needs improvement?

There could be some slight improvements to navigation. In some of the navigation you've got to go back to be able to get into where you need to be once you've made a change. If I make a change, I've then got to go back to submit and send the change.

For how long have I used the solution?

We've been using it now for about 12 months, maybe just a little more.

What do I think about the stability of the solution?

The stability has been very good. We've had no issues with stability.

What do I think about the scalability of the solution?

It has performed flawlessly in terms of scalability. It has dealt with everything that we've put out there. I have the feeling that it would expand beyond the 30 firewalls we currently have. It does what we need to do with no problems.

How are customer service and technical support?

Tech support has been very good. They've always answered the questions very quickly and resolved the issues very quickly. The last issue they did for me was a new user account.

The CDO team has been really good with us. They've been really helpful and they're always open to new ideas and improvements to the application. It's very good because, with a company the size of Cisco, quite often you don't get to give that type of feedback. But I've had quite a lot of conversations with Derek around bits that could be improved or bits that are not quite there but need to be. They've taken them away and worked on them and then you start seeing all the new features coming through.

Which solution did I use previously and why did I switch?

This is the first solution of its kind in our organization. Before that, I was managing everything as a point solution. We came to the realization that we needed something like CDO when we were doing firewall upgrades. It was taking us a couple of weeks to go through all of our firewalls and upgrade them and reboot them. It was clear that we needed a centralized solution that would do this for us.

I originally saw Defense Orchestrator at Cisco Live. It was Derek who did the demonstration, and it was clear that that was the right solution for us. Also, it was at the right price point.

How was the initial setup?

The initial setup was very straightforward. To get the system up and running, including installing the connector, took us about half a day. Getting all the firewalls onboarded and into the system was done over a period of two or three weeks, but that was very quick. We were onboarding firewalls within five minutes.

We had a roll-out plan within the project to roll out so many firewalls per week. We had set up that staged rollout prior to deploying. To be honest, we could've onboarded them all in one day. The only reason we did it that way was to limit the amount of change.

Within a couple of months, we started to see improvements in change management and configuration management in the ASA.

What about the implementation team?

It was all in-house, with support from the team if needed. I did all the install and deployment myself.

It's maintained by my team. But, on a daily basis, it needs very little maintenance. In fact, we don't even go into it every day. There are eight or nine users of the solution in our company. They are operational users, and they would be maintaining it as required.

What was our ROI?

I don't measure ROI, but for me, the return on investment would be the amount of time saved versus doing it manually. The upgrades of the ASAs would be where the biggest time savings are for us.

What's my experience with pricing, setup cost, and licensing?

It's around £500 per unit for a three-year license. We have 30 units but because we require availability, we only need one license per unit. With a high-availability pair, you only need one license for the pair. There were no other costs, other than resource time to install it.

Which other solutions did I evaluate?

We didn't evaluate any other options.

What other advice do I have?

For me, it was a very straightforward setup. It worked as described on the box. There are a few little issues that we've had. For example, when you create an object, you can't set a description on the object. But there are feature requests that are coming down the line as the product evolves.

So far, the biggest thing we've learned from it is about the rules we've got in place that are duplicated or which shadow another rule within the firewalls. That's something which would've been very difficult to identify.

In terms of it simplifying security policy management across an extended network, we're not using a single policy across the firewalls. Excluding our guest WiFi firewall, all of our other firewalls have different configurations because of the way they work.

As far as its effect on firewall builds and daily management of existing firewalls go, at the moment, we're not using the templates, but we are going to move towards the templates. At that point, it will make our builds quicker because we will have a templated model where we just click and deploy from that template. It will make that faster and more consistent. We've been using it for about a year. We've got some projects lined up for next year where we will take some of those features and start to use them a lot.

In the long term, we'd like to get to standardized policies, but because we've implemented it into existing solutions, there's obviously a lot of rework needed to get the policy standardized.

On a scale from one to ten, I would rate CDO as an eight. The thing that comes to mind with that rating is the centralized view of everything in one place. I've got a centralized view and I can make all the changes, from one central console, to any of the firewalls I need to.

To get it to a ten, for me, it would need those little bits there around descriptions on objects. Also, in the firewall, by default, there are some system rules. They don't work in CDO, so you have to create custom rules instead of using the system rules so that CDO knows as well. It needs some little improvements like that.
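The shadowed and duplicated rules the reviewer mentions are the ones CDO flags for them; as an added illustration that is not part of the review or of Cisco's product, the script below shows the underlying check on a constructed, simplified ASA-style access list: under first-match evaluation, a later rule is shadowed when an earlier rule already matches every packet it would match, and it is a conflict when the two actions differ. Object names, `eq` port ranges and IPv6 are not handled; the sample ACL and its rule numbering are assumptions for the example.

```python
import ipaddress

# Constructed sample ACL in simplified ASA "extended" syntax (not taken from the review).
SAMPLE_ACL = """
access-list OUTSIDE extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE extended deny ip any 10.0.0.0 255.255.255.0
access-list OUTSIDE extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.7 eq 22
access-list OUTSIDE extended permit udp any any
"""

def _addr(tokens, i):
    """Parse one ASA address form (any | host X | NET MASK) at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_rule(line):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' into match fields."""
    t = line.split()
    action, proto = t[3], t[4]
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    port = t[i + 1] if i < len(t) and t[i] == "eq" else None  # None = any port
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))

def analyze(acl_text):
    """Return (rule_no, finding, covering_rule_no) for rules that never get evaluated."""
    rules = [parse_rule(l) for l in acl_text.strip().splitlines() if l.startswith("access-list")]
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                if earlier["action"] == later["action"] and covers(later, earlier):
                    kind = "duplicate"            # same match, same action: dead weight
                elif earlier["action"] != later["action"]:
                    kind = "conflicting shadow"   # later rule's intent is silently overridden
                else:
                    kind = "shadowed"             # narrower rule already handled by a wider one
                findings.append((j + 1, kind, i + 1))
                break  # first covering rule wins under ASA first-match order
    return findings
```

On the sample, rule 3 is a duplicate of rule 1 and the permit for SSH to 10.0.0.7 in rule 4 is never reached because the deny in rule 2 covers it.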

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.