Cisco Defense Orchestrator Overview

Cisco Defense Orchestrator is the #4 ranked solution in our list of top Firewall Security Management tools. It is most often compared to Tufin: Cisco Defense Orchestrator vs Tufin

What is Cisco Defense Orchestrator?

Cisco Defense Orchestrator is a cloud based policy management solution to drive simple and consistent security policy across multiple Cisco security platforms.

Cisco Defense Orchestrator is also known as CDO.

Cisco Defense Orchestrator Buyer's Guide

Download the Cisco Defense Orchestrator Buyer's Guide including reviews and more. Updated: April 2021

Cisco Defense Orchestrator Customers

Insurance Company of British Columbia, Shawmut

Cisco Defense Orchestrator Video

Pricing Advice

What users are saying about Cisco Defense Orchestrator pricing:
  • "It's around £500 per unit for a three-year license."
  • "After our free trial was done we got a subscription for three years and it was under $3,000 or so. It's part of the EA we already paid for, so I don't know what it would be if it was a la carte."
  • "It is about a $100 per year for an ASA 5506 firewall, and from there it keeps going up if you have a bigger box. For example, the 5516 is $200 to $300 per year."
  • "It is covered under the CIsco Enterprise License Agreement (ELA). So, it is licensed and ours."

Filter Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Todd Ellis
CTO at Secure Networkers
Real User
Top 20
Jul 24, 2019
Provides visibility into entire infrastructure and bulk changes save time and resources

What is our primary use case?

Most of the time we use it for the simplicity, for streamlining security policy management. We have other layers of stuff that we use with Cisco, from an integrated standpoint. Defense Orchestrator brings everything together.

Pros and Cons

  • "There are a lot of templates that are already built-in. They give you quick-to-create and quick-to-apply policies that are typically a little more complicated for people."
  • "When we're looking to the policies, it identifies the shadow rules. It notifies us about anything that will supersede other rules."
  • "We had some MX devices that were blocking Windows Update from happening. We found out it was a Meraki issue, but it would have been nice if it had been flagged for us: "Hey, these updates are failing because the MX is blocking it." It wasn't a huge problem, but there was a loss of our time as well as the fact that the updates didn't get pushed out... It would have been nice if CDO had let us know that that was an issue."

What other advice do I have?

As an engineer, I would say that if you can afford it, you will not be sorry that you invested in it. There's no question of whether it's going to deliver. The question is more from a value standpoint, the size of your business. If you're a national company with multiple locations across the US, CDO is the direction you need to be going in. If you're a small company, 50 people or less, you can probably get by using Threat Grid. Medium-size businesses will probably also be okay with using something like that. From an outside-of-Cisco vantage point, for small and medium-size business, Fortinet…
Dave Klunk
Network Security Engineer at a manufacturing company with 10,001+ employees
Real User
Aug 14, 2019
If a firewall goes down, we can pull the latest configuration and get it back up quickly

What is our primary use case?

The primary use case for it is to verify that we have connectivity with the systems that we put into it. We also use it for configuration backup.

Pros and Cons

  • "If we have a firewall go down, I can hop into CDO, pull the latest configuration off and apply it. That's really good. It helps save time."
  • "We have quite a few Active Stone by pairs. If they fail over... I'll see that there's a change on it and I'll have a look. The only change on it is that now this one is the standby, it took over the active role. I can go into that firewall and find out what happened... and troubleshoot based on that. That's pretty cool too."
  • "I'd like CDO to be the one-stop-shop where we could do all the configurations easily. It would be nice, for ASA upgrades, if we could do them from a central repository and not have to reach out to Cisco. That would be a definite plus."

What other advice do I have?

The biggest lesson I've learned from using CDO is, of course: Have a backup. And this gives us the means to have a backup. I think management was under the impression for a long time along the lines of, "Hey, you've got backup on your hard drive for all this stuff don't you?" And the answer was "no." There was an expectation in other areas, things they assumed we were doing but that we couldn't do. Ultimately, it's like you tell anybody with any form of data storage: Back up, back up, back up. We weren't doing backups, we didn't have a way to do backups, and this gave us that opportunity…
Learn what your peers think about Cisco Defense Orchestrator. Get advice and tips from experienced pros sharing their opinions. Updated: April 2021.
476,163 professionals have used our research since 2012.
PB
Architect1152942
Systems Architect at a university with 1,001-5,000 employees
MSP
Jul 26, 2019
Makes it easier to manage firewalls, even for those without much experience

What is our primary use case?

We use it to manage our firewalls.

Pros and Cons

  • "The ability to do operations on multiple firewalls at once is valuable because it saves time and mental effort. The solution's ability to make bulk changes makes it very convenient to manage things at once on multiple targets."
  • "For this product, they are very uncharacteristically interested in resolving whatever issue the customer reports. They're really attentive, and they address whatever we bring up as quickly as they can. That's been a very positive aspect of the product."
  • "I've found dozens of bugs over the year we've been using it. The more I use it for different things, the more problems I find... Most of the problems have to do with the user interface. A lot of thought and work has gone into the back-end component to make the product do what it's intended to do, but the way it is presented for use hasn't gotten nearly as much thought to make it smart and bug-free."

What other advice do I have?

Try it with realistic situations in your environment. Make sure that you're able to perform the tasks that you were doing before. In other words, make sure you don't lose capabilities because you're going to do everything exclusively through the product. Make sure you understand what it covers and what it doesn't. Do your homework before you buy. We haven't learned any big lessons from using this solution, but we have learned that using a firewall management tool that is good enough will allow you to save time and staffing, but that applies to any product, not just this one. This product…
Richard Barton
Network and Data Centre Platform Manager at a manufacturing company with 1,001-5,000 employees
Real User
Top 20
Jul 26, 2019
Helps us identify shadow rules and duplicated objects which aren't being used

What is our primary use case?

We have around 30 firewalls and we use it to centrally manage the firewalls. We use it to have one panel where we can log in and see all the firewall rules, all the objects, where they're deployed, where they duplicate across firewalls. We use it to maintain the configuration. We also use it to perform centrally managed updates. We can update ASDM and ASA images on the firewalls. We have a connector on-premise and we have that linked to all of our ASAs internally. It runs within their cloud environment, which I believe is AWS. It talks back to a cloud connector on-premise which, in turn, talks… more »

Pros and Cons

  • "The most valuable feature is being able to do centralized upgrades on the ASAs. We can select all of those ASAs, and say, "Upgrade these ASAs at this scheduled time." It will copy down the ASA image, ASDM image, and then do the upgrade and failovers, and then put it all back into service as required at a scheduled time. It automates that process for us."
  • "There could be some slight improvements to navigation. In some of the navigation you've got to go back to be able to get into where you need to be once you've made a change. If I make a change, I've then got to go back to submit and send the change."

What other advice do I have?

For me, it was a very straightforward setup. It worked as described on the box. There are a few little issues that we've had. For example, when you create an object, you can't set a description on the object. But there are feature requests that are coming down the line as the product evolves. So far, the biggest things we've learned from it is about the rules we've got in place that are duplicated or which shadow another rule within the firewalls. That's something which would've been very difficult to identify. In terms of it simplifying security policy management across an extended network…
HK
Hamed Khakipour
Sr. Network Engineer at Vocera
Real User
Aug 13, 2019
Upgrade feature is valuable to me because I have dual ASAs

What is our primary use case?

What I take primarily take advantage of are ASA upgrades. I also use it, sometimes, to see other backups, because each time there's a configuration change, it creates a backup for it. I also check out conflicts or unused rules. But I mostly use it for ASA, for management.

Pros and Cons

  • "I like the upgrade feature. That is pretty valuable to me because I have dual ASAs and when I go through CDO it does it for me pretty well. It's all done in the back-end and I don't really have to be involved. I just initiate, pick the image, and I pick when I want it done and it just does it, whether I have a single ASA or have a dual ASA."
  • "The main thing that would useful for us would the logging and monitoring. I have to check it out, to get the beta, because I don't have access to them... I wanted CDO to be a central place so where I could do everything but right now I don't think that's possible. I really don't want to go back and forth between this and FMC. Maybe the logging portion, when I look at it, will give me some similarities."

What other advice do I have?

It's fairly straightforward and I didn't run into any hiccups where I would say, "Hey, be aware that or be aware of this." The only advice I'd give is that if the device is out of sync, be aware of which configuration you want to keep: the one on your outer-band, that you did on the ASA, or the one that you did here. That's something to be aware of. Other than that, I think it's pretty straightforward. The support for ASA makes management somewhat easier, but I don't have a basic template for all our sites because each site is different. I would only use a template if I were to bring on a new…
Jairo Mendes
Network and Security Specialist at Connected Technology, LLC
Real User
Jan 7, 2020
Restore history automatically prevents system crashes, but reporting and monitoring need work

What is our primary use case?

We manage all ASA devices, from versions 5506 to 5516, through CDO.

Pros and Cons

  • "We use a lot of image upgrades. We take some 20 devices and then we update everything at once, including the policies. We apply policies for groups. For certain groups, like anti-viruses, we send out policies and apply them to every single device. It's really easy and simple."
  • "CDO doesn't have a report, an official report that I can check daily. It has another module called FTD, but it doesn't have that specifically for ASA. In the reporting, there are a lot of things that aren't there. There is also room for improvement in the daily monitoring."

What other advice do I have?

My advice is to try to gain more knowledge of SSH. CDO needs to improve monitoring and reporting. Every six months, we go in deep. We check the devices to make sure everything is working correctly. We have another system, not related to CDO, which is alerting us if something is not working correctly. It runs daily. For example, if we find any ASAs with vulnerabilities, we take the information from that third-party software and go to CDO and again do the update for all the devices that are affected. We're not using CDO for firewall builds or daily management of existing files. It is not as…
AF
reviewer1141920
Systems Engineer at a tech services company with 11-50 employees
Real User
Top 5
Jul 25, 2019
Security admin can see changes on a firewall and determine if they are permitted

What is our primary use case?

My primary use case was just to see what the solution is about. I'm a system engineer and a Cisco partner. I was using the trial to see what it can do. I rolled it out in my home lab. I have a Cisco ASA firewall so I used it to push configurations to my firewall. I used the Secure Device Connector as a virtual appliance, so I rolled it out like a production environment.

Pros and Cons

  • "The most valuable feature is that you can push one policy or one rule out to several devices at a time."
  • "If I make a change locally to the firewall, CDO gives an alarm or an error message and says there's a change in compliance: "The firewall has this configuration but the last time it was compiled it had that configuration." That view of new changes versus the old could be better... I had to log in manually, locally on the firewall, to check which version, which configuration was actually running. I couldn't see it in CDO."

What other advice do I have?

It's worth it to dive in. If you have an environment with several firewalls, more than five, I would recommend just doing it. The biggest lesson I've learned from using it is that you can configure multiple devices at once. In terms of its security features for storing firewall configurations in the cloud, I'm not bothered by it. I don't see that as a security issue because I believe that Cisco is protecting it. I'm generally not against the cloud. It's good that we can do more and more from a single pane of glass, like Cisco Meraki, Cisco Defense Orchestrator, DNA Center, and so on. They…
JS
NetworkEa55f
Network Engineer at a healthcare company with 10,001+ employees
Real User
Aug 14, 2019
The rule usage is a nice feature, but we have problems with it staying in sync when logging into the device

What is our primary use case?

We have it set up to test to look at policy from an overarching perspective. Then, we are hoping to use it for policy push, such as making both changes across different firewalls, but we haven't gotten to that point yet. We have the on-prem relay, and then that connects into the cloud for Cisco Defense Orchestrator (CDO), We deployed the most recent version about a year ago. We don't use it on a day-to-day basis. It's not something that we really spend a lot of time reviewing. I just haven't had time to sit down with it.

Pros and Cons

  • "The initial setup was straightforward. We spun up the VM onsite. We generated the key that it needed to talk to the Cloud Orchestrator. After that, as I started adding devices, it was relatively quick and easy."
  • "The ability to see the uptimes on the different VPNs that we have configured for site-to-site."
  • "When logging into the device, we sort of had problems with it staying in sync. If somebody made a change onsite, it wouldn't do an automatic sync. It would have to wait, as you would have to do a manual sync up."

What other advice do I have?

It was just something for us to spin up and look through, then see if it was something that could benefit us from a policy perspective by pushing policy out. It might have been able to, but it was a little cumbersome to select firewalls. We just didn't go through and spend a lot of time with it. With the security features around storing firewall configurations in the cloud, I sort of go back and forth on it. you are putting a configuration out there on the cloud for somebody to read. However, it is a private cloud that Cisco manages, so all we can really do is hold Cisco accountable if…
See 5 more Cisco Defense Orchestrator Reviews