Cisco Defense Orchestrator Review

Upgrade feature is valuable to me because I have dual ASAs


What is our primary use case?

What I primarily take advantage of are ASA upgrades. I also use it, sometimes, to see other backups, because each time there's a configuration change, it creates a backup for it. I also check out conflicts or unused rules. But I mostly use it for ASA, for management.

How has it helped my organization?

Ideally, I like CDO to be a central management tool for all my firewalls. It is not there completely, in my opinion, but I think it's going in that direction. I still do some stuff on my ASA, but I haven't done it globally. If I do any global changes, they are through my FMC. But adding or removal of single rules is done through CDO.

What is most valuable?

I like the upgrade feature. That is pretty valuable to me because I have dual ASAs and when I go through CDO it does it for me pretty well. It's all done in the back-end and I don't really have to be involved. I just initiate, pick the image, and I pick when I want it done and it just does it, whether I have a single ASA or have a dual ASA. If I have a dual ASA and the primary is not active, the secondary wants me to make the primary active. It tells me that, but it's not a big deal.

I like the solution’s ability to make bulk changes across image upgrades.

For configuration changes, every time there's a change in the firewall, it records it in the cloud. If not, I have to go there and manually make sure it is sent. But it does have a configuration in the cloud.

In terms of firewall builds and daily management of existing firewalls, I use it for a rule-change or to add a rule to a single firewall.

What needs improvement?

The main thing that would be useful for us would be the logging and monitoring. I have to check it out, to get the beta, because I don't have access to them.

I know they recently added Meraki to it and I tried to join it and it didn't work. I didn't create a support case for it to figure out why. It says there is an onboarding error on the Meraki devices.

Also, I wanted CDO to be a central place where I could do everything, but right now I don't think that's possible. I really don't want to go back and forth between this and FMC. Maybe the logging portion, when I look at it, will give me some similarities.

Finally, right now, it supports VPN but it's only site-to-site. It would help if it had remote-access VPN.

For how long have I used the solution?

I've been using CDO for close to two years.

What do I think about the stability of the solution?

It's been stable. There have been a lot of upgrades since the beginning and a lot of features added, which is good. I've been testing those out. I don't recall having major issues.

What do I think about the scalability of the solution?

The scalability is pretty good, with all the features that keep getting added. They're constantly improving it.

We're a fairly small company. We have over six sites, and some of them have multiple ASAs. I probably have about 14 or 15 ASAs on it. There are three guys managing the ASAs. We have about 700 users globally. The biggest site is in San Jose, then Fort Wayne, then Bangalore. The other sites are small sites. And, of course, we have a couple of them in our data center as well.

How are customer service and technical support?

Tech support is pretty good. Since day one I have received support. Anytime I have a question, I still reach out to my product manager and he and his teammates help me out.

I may have opened a TAC case once or twice and that was because of something that happened when adding a user. One thing I would like to see is more control when it comes to user setup. I don't have that. I cannot go ahead and set up a user. I have to open a case. It's time-consuming. Granted, it was fast, but I still had to send an email, wait, and go back and forth. That's something that I'd like to see changed. I don't know what the reason behind it is.

If you previously used a different solution, which one did you use and why did you switch?

I didn't use anything prior to CDO. I went to CDO for better management, central management. CDO was suggested to me and they gave me a free trial for a couple of devices. We eventually signed the agreement for security, which is included.

How was the initial setup?

The way we have it, we have a server here and that server talks to the cloud. I got help from the Cisco product manager and he set it up for me. It was easy. Since then, I really haven't done anything. I may have upgraded once, but then again they were involved because I really don't have access to it. It's just a server that gets the information and then talks to the cloud.

The initial setup took less than an hour. Then I added a couple of ASAs and the rest of them. The product manager walked me through what I could do with it. It was all WebEx-based and not much effort.

If there's a new application or a new device out, Cisco contacts me and helps me to set it up and then walks me through, to show me the features, etc.

What was our ROI?

The benefit that I really like, which has made my job easier, is the update portion. It saves time.

What's my experience with pricing, setup cost, and licensing?

After our free trial was done we got a subscription for three years and it was under $3,000 or so. It's part of the EA we already paid for, so I don't know what it would be if it was a la carte. I'm guessing it's probably less expensive than other tools.

Which other solutions did I evaluate?

I didn't assess any other options at the time but I'm familiar with a couple of them. I tried Tufin, but that's just an auditing tool. 

Another one was FireMon, but I haven't tested it out. That may be pricey, although I'm not sure. It seemed like it was an overlay on the ASAs, on the firewalls, so you could manage everything. What you could do in ASA you could do there. And the monitoring was pretty good too. But that was a few years back. I haven't looked at it recently. That tool was much better than CDO, when I think back.

What other advice do I have?

It's fairly straightforward and I didn't run into any hiccups where I would say, "Hey, be aware of that or be aware of this." The only advice I'd give is that if the device is out of sync, be aware of which configuration you want to keep: the one on your outer-band, that you did on the ASA, or the one that you did here. That's something to be aware of. Other than that, I think it's pretty straightforward.

The support for ASA makes management somewhat easier, but I don't have a basic template for all our sites because each site is different. I would only use a template if I were to bring on a new site, but I haven't done that yet. Then the next thing I am going to do is buy FTDs, so I'll have to add them, but that is also supported. That was announced at Cisco Live. So I'll have to play with that. But it does help, especially if you have duplicate entries.

As for other bulk changes, such as policy management, I have FMC. So usually, if I want to block something, I'll just do it through FMC. I was told when I started using it - and I don't know if this is still the case - if I use FMC, leave everything there. Don't integrate, don't try to do the management through CDO. I don't know how it is right now, if I can get rid of the FMC. I doubt it. So for policy changes, I usually do them through FMC. I have a global rule that applies to all my firewalls, so that's easier for me. I haven't done it through CDO. I've done it on a single ASA, but not for all of them.

CDO hasn't affected the visibility of security in my organization. I use FMC more. I do use CDO for upgrades and some cleanup stuff, but I haven't used it where it has affected visibility.

The monitoring will probably help me, the event logging, etc. I think there's a better version out now which has that. I'd like to use that. If the logging really takes off and it's more advanced than what I get currently, I would probably utilize CDO more, because currently, the monitoring is limited. Event-logging exists but I have to request a beta for it. Before that, there was not much there, so I wasn't going to utilize it. I will utilize it more often if the logging or monitoring is enabled.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.