CTO at SECURE NETWORKERS LLC
Real User
Provides visibility into entire infrastructure and bulk changes save time and resources
Pros and Cons
  • "There are a lot of templates that are already built-in. They give you quick-to-create and quick-to-apply policies that are typically a little more complicated for people."
  • "When we're looking to the policies, it identifies the shadow rules. It notifies us about anything that will supersede other rules."
  • "We had some MX devices that were blocking Windows Update from happening. We found out it was a Meraki issue, but it would have been nice if it had been flagged for us: "Hey, these updates are failing because the MX is blocking it." It wasn't a huge problem, but there was a loss of our time as well as the fact that the updates didn't get pushed out... It would have been nice if CDO had let us know that that was an issue."

What is our primary use case?

Most of the time we use it for the simplicity, for streamlining security policy management. We have other layers of stuff that we use with Cisco, from an integrated standpoint. Defense Orchestrator brings everything together.

How has it helped my organization?

For one particular client, we had almost a 20 percent remediation on some of their equipment as a result of all kinds of attacks from the desktop department. We got them down to a zero percent remediation. In other words, in retrospect, their data center and their desktop division went to zero percent when we deployed everything along with Defense Orchestrator. It was a huge success for the client. Defense Orchestrator was instrumental in that. In terms of visibility and getting everybody involved, it was simple, scalable, and saved them tons of time, which in turn saved them money. Sadly enough, they didn't need as many people any longer in certain departments. They were able to move them over, get them training and move them out. They got more projects done and had to do less firefighting. The biggest thing was that it allowed them to dial in, quickly, on what the threat landscape was for their architecture.

When it comes to making bulk changes across common tasks, like policy management and image upgrades, one of the biggest complaints that I had from a lot of network engineers, was that everything was GUI, that Cisco had gone to GUI. But they can do bulk changes on the CLI. That was a big win for them, being able to do that across all the ASAs without having to log into every single ASA and make changes. They can do a lot of bulk changes on the fly. It's a huge time-saver. The biggest benefit is obviously from the security standpoint, but at the C-level what they see are the cost savings. It's less billable time and fewer resources.

One of the biggest problems we were able to solve was due to its ability to use third-party apps, using a RESTful API and being able to integrate Splunk - things the clients already had in place - without any issues. That part was very easy. 

There's a lot of built-in stuff. You pull logs on the fly and you can troubleshoot problems when they come up, as well. That's been really helpful. It has solved clients' pain points.

When there are issues when they roll out configs, CDO allows us to do rollbacks really easily on a bulk level. That works really well too. It keeps track of "good configs."

In terms of simplifying security policy management across an extended network, if a lot of people are working on the same stuff, then the architecture has been broken up to different areas. Now, from a management standpoint, it is no longer a nightmare when I go in there and try to determine what is going on in the network. I have one "throat to choke." When I log in, I have visibility into what is going on over the entire infrastructure. In case somebody left the door open, I have that visibility now.

Its effect on firewall builds and daily management of firewalls is that it's super-simple on new deployments. We haven't done any really large ones, but I've read some deployments where people have done thousands of ASAs with one massive import and there wasn't any downtime with respect to changing out equipment which was no longer under Smart Net.

Also, when we're looking at policies, it identifies the shadow rules. It notifies us about anything that will supersede other rules.

What is most valuable?

The simplicity, efficiency, and effectiveness of it are valuable.

There are a lot of templates that are already built-in. They give you quick-to-create and quick-to-apply policies that are typically a little more complicated for people.

What needs improvement?

Some of the issues we've had aren't really a CDO problem. For example, we had some MX devices that were blocking Windows Update from happening. We found out it was a Meraki issue, but it would have been nice if it had been flagged for us: "Hey, these updates are failing because the MX is blocking it." It wasn't a huge problem, but there was a loss of our time as well as the fact that the updates didn't get pushed out. You could look at that as a security issue but, at the same time, when updates won't run for any reason on certain machines, you freak out a little bit.

We thought it was a licensing issue with Microsoft or it could have been Dell EMC. But we were wasting time making all these phone calls and having people remotely troubleshoot it. The troubleshooters were saying, "Man, this looks like a network issue." They tethered a phone and joined it to the wireless on the phone to see if it would update and, boom, it started working. The weird thing was that when we switched it back over to the network, the Meraki was letting it through at that point. It would have been nice if CDO had let us know that that was an issue.

There are probably some things that it could do as far as some of the analytics are concerned, things I know it would be capable of: "Hey, why are all these requests coming in? The reason is that a firmware update needs to happen on the Meraki. It's a known issue." That would be helpful.

Buyer's Guide
Cisco Security Cloud Control
July 2025
Learn what your peers think about Cisco Security Cloud Control. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
864,053 professionals have used our research since 2012.

For how long have I used the solution?

We got some training from Cisco and it was in the fall of last year when we got really heavy into it, about eight months ago. There was some earlier development stuff through which we got some exposure to it. We're a Cisco partner, and our typical vendor of choice is either Tech Data or Ingram Micro and that's how we got some early exposure to it.

What do I think about the stability of the solution?

We don't have a large window of time to look back on, we don't have years of experience, but so far the stability has been pretty darn good compared to anything we've ever had.

What do I think about the scalability of the solution?

When it comes to scalability it's flexible, absolutely.

The largest network deployment that I've been involved with - we're not a very large company - had about 10 ASAs on the data center side and there were 29 other locations. There were less than 50, as far as the firewall devices go. At the largest deployment, the user count is somewhere a little over 1,000.

Scalability isn't an issue. We had some opportunities we didn't close, a university campus where the deployments were for about 15,000. We scoped it and scaled it out. The licensing gets a little different on some of the products when you go over 10,000 users. Sometimes the product line changes too in terms of design and scope.

How are customer service and support?

When we had to use tech support on the first setup, it was more for asking questions because we got pretty good training prior.

Which solution did I use previously and why did I switch?

There's a lot of different stuff, solutions which integrate into companies' ticketing systems. It depends on what your needs are. Even stand-alone, with FirePOWER, Umbrella, and AMP for Endpoints, there is Threat Grid - think CDO but on a very small scale. Prior to CDO, Cisco had, and they still have, Threat Grid. To me, Defense Orchestrator is a higher-scale evolution of Threat Grid. People wanted more, and that "more" was delivered with Defense Orchestrator. 

Threat Grid is like a small, short-line railroad; it handles a small area of traffic. In the metaphor it might take stuff off ships and put it on the back of 18-wheelers. CDO is more like a Class I railroad like Union Pacific or BNSF or Norfolk Southern. They're going to go all over the place, on a much larger scale. The strength and power that CDO has is huge. It's like comparing a lawnmower engine to a V12 from a Bentley or an Aston Martin.

There's a huge difference in cost between these solutions. With the smaller solutions there's lag, even if it's not huge. What you're getting for almost no cost is a huge, valuable piece. But it's not going to be the same type of visibility and logging speed that you're going to get with CDO.

What about the implementation team?

On our end, the initial setup was pretty straightforward. We did receive some training along the way. I had done some test deployments, which I would tell anybody to do. There are certain things you can do inside of Cisco's dCloud to prepare you for deployments. But overall, it's efficient, simple, and there's the visibility on the security side. Deployment is fast. As a security person, I love the visibility and the ease of use when doing my upgrades.

In terms of implementation strategy, even before making the sell, we start from that standpoint. I don't want to say we're in the tank for Cisco, but it's what we have bought into. A lot of our engineers have training in it and they get ongoing training. Maybe it would be different if Fortinet gave us a ton of more training on their stuff.

There's a community that we're connected with, so when there are issues we typically hear about them in the communities beforehand. We know limitations going into projects and already have a good idea, a vision, of what direction we're going to go, so we can start planning properly. Cisco does a good job of training us in that process: When we model and design everything, how it's going to be set up; and once everything is deployed, how to analyze, how to remediate, how to get visibility into everything.

The time to deploy depends on the size of the deployment. In my experience, the longest part of the process is getting everything built and approved in CCW (Cisco Commerce Workspace). From a deployment standpoint, it's pretty easy at our end. We get the equipment in place, we stage the gear, we have all the existing stuff in place from the original infrastructure. The longest we've taken is about a month, once we have the gear in place and all the configs lined out. Typically, we've done a lot of front-load work in the process. In general, from first meeting the client to completing the end-to-end process, we're in and out in 120 days.

Everybody has a different part that they play, including the people who are doing racking and stacking. For the size of deployment that we've been discussing, we typically need ten to 12 people. There can be some travel involved so sometimes we need resources elsewhere, depending on the scale of the client and how far they are spread out.

Once it's deployed, an example of maintenance requirements is a location with a 24-hour operation, three eight-hour shifts, meaning three people are monitoring it and it works fine. You might need a fourth if you include like a "float guy" for when people go on vacation or get sick.

What was our ROI?

Once up and running, we see value from it right away. The impact is immediate. The biggest problem I have now is that something that gets forgotten is how bad things were before the implementation. C-level people tend to forget that.

The biggest part of ROI is the improvement to the operations. Our clients with CDO are having fewer issues. Things are just not going down. People are more productive. I don't know if any of the organizations that I've been with have done a study, but from an IT ticketing standpoint, tickets are down to one-tenth of what they were. People are able to bring in new projects and think about new things. From a staff being overtaxed due to remediation, because so-and-so clicked on an email or there was an issue with some type of a compromise, now it's eerily quiet.

What's my experience with pricing, setup cost, and licensing?

If I had to say anything negative it's the price point. Clients who can't invest in the complete package, it's a disservice to them because they don't have everything. They don't have as many layers. They don't have Defense Orchestrator. It shortchanges the product. Going back to old school theory, you broke up your infrastructure so you weren't tied into one architecture, but that's not necessarily the case anymore. Even if you have other hardware, with APIs, a lot of Cisco stuff and gear integrates very well, even with other devices.

I'm more on the engineering side, I'm not in CCW (Cisco Commerce Workspace) as much as the sales team and the account managers are. But I can tell you that it's not inexpensive. But to be honest, there are not a whole lot of products that give you all those features. There isn't an apples and oranges comparison. You can't compare a McLaren or a Ferrari or a Lamborghini to a Smart Car. There are different purposes and different requirements. Typically, you're buying these devices because you want performance and you're willing to go the extra mile for whatever it is you're trying to protect, whatever your crown jewels are. Whereas with the other devices, in my opinion, people are just trying to save money and do a "best-effort" against some of these things.

If it were me and it was my company, and my main goal was to protect my infrastructure, then I'd be using Cisco devices.

There are all kinds of different costs and now there is the advent of Cisco DNA. Cisco DNA is where they have that service-as-a-service type of billing. There's a monthly cost that's tied in to give you some additional analytics and visibility into what's going on in your environment. It's like taking a little piece of Meraki, all the cloud analytics that are coming in from their cloud-control devices. It's that middle-of-the-road step from them with Catalyst switches. I haven't seen anything on the Fabric side, from a storage standpoint, but I think it's just a matter of time. You're going to be getting data on a different layer, analytics on everything.

What other advice do I have?

As an engineer, I would say that if you can afford it, you will not be sorry that you invested in it. There's no question of whether it's going to deliver. The question is more from a value standpoint, the size of your business. If you're a national company with multiple locations across the US, CDO is the direction you need to be going in. If you're a small company, 50 people or less, you can probably get by using Threat Grid. Medium-size businesses will probably also be okay with using something like that. From an outside-of-Cisco vantage point, for small and medium-size business, Fortinet does a pretty decent job. But when you start getting into large-scale enterprise, there isn't anything right now that's doing the things that CDO is doing to enable you to integrate.

Cisco still has Tetration. To me, they are giving me a taste of Tetration, which is very high-scale leveraging. Think CDO but well beyond that. It's a multi-million-dollar device, a 42U-rack equipment storage device which is going to manage any and all network transactions happening on any of my networks. Tetration is for Exxon or Apple or Google-type visibility into the infrastructure. CDO gives me a taste of that without spending millions of dollars.

The biggest lesson I've learned from using it is that it sure is nice when people buy it. It just makes our job a lot easier. If you ask me to get a job done, with CDO you're giving me all of the components that I need to make everything you're asking me to do a success.

When it comes to its security features around storing firewall configurations in the cloud, there are things about that I probably don't fully understand, from a security standpoint. We've been doing that kind of thing for a long time, so I'm confident in it. But I'm a security guy, so I don't really trust anything. But that's where everything's going. It's good to know that I've got backups. "Cloud" is such an overused word too. As long as you thought through the security of everything, it's just some other place. Your attack spectrum is everywhere nowadays. To me, the biggest security problem is the human element. When you start looking at it like that, the fact that it's stored in the cloud is not really that big a deal.

It's just a different way of doing business. These are things that traditionally, ten years ago, even five years ago, people weren't comfortable doing. Cisco was kind of late to the party in a lot of these things, but over the last three years - the acquisitions, the overall way they've attacked everything - they're doing the best job of bringing everything in.

There are all the products which they have through acquisition, such as the OpenDNS acquisition for Umbrella, and CloudLock is going to be integrated into that as well; the next-gen firewall of FirePOWER and that's the evolution going into the FTD. They made a lot of improvements with ISE, even though there were some complexities that caused a lot of my higher-end clients to frown. It seems like they've righted the ship on all those things. So, there's a lot of good things happening. There are more things that I'm not really talking about, such as the evolution of even their switches, going with the FTD architecture of using Lina - Linux ASA - to do a lot of those pieces. One thing that they still have to rethink is how they're going to integrate a lot of the stuff that's on the ASA alone with AnyConnect, into FTD and those types of devices. We've been very pleased with the overall experience.

In terms of the solution’s support for ASA, FTD, and Meraki MX devices, we have tons of clients who use all these devices. Since 2007, we've done over 2,000 medical facilities in the southeast Texas market, just using Cisco ASA firewalls. But in many cases, these places aren't large enough to use Defense Orchestrator. Now, if we took over complete management, I see how we could integrate CDO from an industry standpoint because a lot of these places are very similar. They use the same EMR practice management. They operate the same way on their infrastructure, have the same type of buildings. In many cases they're in the same building, a medical center. But they don't operate that way. They have independent practice managers. They're typically somewhere between 25 and 60 users. It would be nice to be able to have something like that. Maybe somebody really forward-thinking in my organization could possibly sell that idea, although I'm sure our legal department would tell us it's a bad idea.

When you start dealing with HIPAA, there's a whole lot more to it than just IT. In managing that side of things, we do a lot of compliance and testing. We give them a HIPAA compliance report from an IT standpoint. And a lot of that is difficult because it has to be answered by someone within the organization who is familiar with their processes; for example, how they're turning their screen in an encounter with a patient. To have something like Defense Orchestrator, where I could manage hundreds of clients - their ASA or their Meraki MX or FTD - that would be huge.

As for increasing our usage of CDO, we don't have it in our internal infrastructure yet, due to cost and the fact that our needs aren't that great. If we start doing some private cloud hosting or the like, I could see us utilizing it. That's one of our goals. We've got four data center locations where we're planning on rolling out Cisco UCS with some redundancy and failover. We're looking at CDO as our main point of visibility.

I would rate Defense Orchestrator a ten. The only caveat I have for anybody trying to decide on it would be in terms of the budget and does it make sense for you. Do you need a 10,000-pound hammer to drive it home? We have a wide variety of clients in terms of size. Most people are somewhere in the middle-to-upper echelon with us. Others, and this is going to sound ugly, can't afford to use our services, because they're just looking for break-fix IT. They're still doing things the old-school way. Half of their data is compromised. They've been through several ransomware and malware attacks to the point where it has crippled their businesses. I don't know how those people operate.

It's difficult because the attack spectrum is in our backyard. As a security guy, with the things that are being done and that happen, I just don't know how people do it. That's especially true if they're using a static firewall or if they have in-house equipment and services opened up to the public. If they're using a static firewall and trying to do traditional things like port-forwarding, we see that. We walk in there and they're saying, "Everything's running really slowly." And they're completely compromised. We had somebody who couldn't place phone calls. Somehow, half their trunks had been compromised and were being used for a telemarketing service in the Philippines. It's to the point where, if you're a fireman, you just let it burn. They need insurance at that point because they have massive problems.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
reviewer1423293 - PeerSpot reviewer
Cyber Security Pre-Sales Consultant at a tech services company with 51-200 employees
Consultant
Comparably priced with good support and the intrusion prevention works well
Pros and Cons
  • "The most valuable feature is the Intrusion prevention."
  • "They need to work on the user interface. It needs to be improved to make it more user-friendly."

What is our primary use case?

We are using this solution for filtering and blocking some websites. It's a firewall.

This is the main tool for network segmentation and intrusion prevention. It blocks malware and malicious activity.

What is most valuable?

The most valuable feature is the Intrusion prevention.

What needs improvement?

It's a stable solution, but it could always be improved.

They need to work on the user interface. It needs to be improved to make it more user-friendly.

For how long have I used the solution?

I have been working with Cisco Defense Orchestrator for five years.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

Cisco Defense Orchestrator is scalable.

We have 1,000 users but we don't plan to increase our usage.

How are customer service and technical support?

Technical support is good.

Which solution did I use previously and why did I switch?

Previously, we were not using another solution. We have been using Cisco Defense Orchestrator from the beginning.

How was the initial setup?

The initial setup is straightforward.

It can take up to five hours to deploy.

We have a team of five who are mainly engineers to maintain this solution.

What's my experience with pricing, setup cost, and licensing?

If you compare to what is available on the market, they are in the same range with respect to pricing.

What other advice do I have?

I would recommend this product to anyone who is interested in using it.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Product Consultant at a tech services company with 501-1,000 employees
Real User
A simple and centralized way to manage all products
Pros and Cons
  • "With Cisco Defense Orchestrator, we can manage the complete Cisco Security solution. It provides a simple and centralized way to manage all products."
  • "They can centralize all products and provide a correlation about an incident and the response. They can also provide an on-premises solution. Currently, Cisco Defense Orchestrator is just for cloud deployments, not for on-premises deployments. Customers have to manage it on the cloud. We are based in Vietnam, and most of the customers here prefer to have on-premises deployments. Customers, especially from banking and government sectors, do not prefer to do anything on the cloud. Some of the small enterprises use the cloud."

What is our primary use case?

We provide consultation for all Cisco solutions. We give consultations to customers for buying a preventive solution like Cisco Email Security, Cisco IronPort, Cisco Security, Cisco Web Security. 

What is most valuable?

With Cisco Defense Orchestrator, we can manage the complete Cisco Security solution. It provides a simple and centralized way to manage all products. 

What needs improvement?

They can centralize all products and provide a correlation about an incident and the response.

They can also provide an on-premises solution. Currently, Cisco Defense Orchestrator is just for cloud deployments, not for on-premises deployments. Customers have to manage it on the cloud. We are based in Vietnam, and most of the customers here prefer to have on-premises deployments. Customers, especially from banking and government sectors, do not prefer to do anything on the cloud. Some of the small enterprises use the cloud.

For how long have I used the solution?

I have been working with this solution for around four years.

What do I think about the stability of the solution?

The stability depends upon the Cisco cloud. 

What do I think about the scalability of the solution?

Because it's on the cloud, Cisco Defense Orchestrator can scale up very well.

How are customer service and technical support?

They have good technical support. They're very good, and they can very well help a customer with implementation.

How was the initial setup?

Cisco Defense Orchestrator is on the cloud. It's really fast to deploy.

What other advice do I have?

I would recommend Cisco Defense Orchestrator. Cisco is a very good company and has a reputation. They can provide a comprehensive solution to customers. They have a lot of defense solutions for the network and endpoint security.

Cisco buys a lot of solutions and has a lot of acquisitions. When they combine them into one central management, the setup can be quite complex.

I would rate Cisco Defense Orchestrator an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Distributor
Presales Engineer at DataProtect
Real User
Good network visibility and assists with re-routing blocked traffic
Pros and Cons
  • "If our server is blocked, this solution shows us why it is blocked and allows us to update the network routing."
  • "The dashboard needs to be more customizable to provide better reporting for our network."

What is our primary use case?

This is part of our network orchestration solution. It allows us to optimize our network. For example, if I want to communicate with a laptop, this solution gives us a way to route the communication.

We have a public cloud deployment using Microsoft Azure.

How has it helped my organization?

If our server is blocked, this solution shows us why it is blocked and allows us to update the network routing. It gives us recommendations of what to do, and it can be done automatically.

What is most valuable?

The most valuable feature of this solution is the visibility that it provides into our network. It shows a graphical topography of the network.

What needs improvement?

The dashboard needs to be more customizable to provide better reporting for our network.

For how long have I used the solution?

I have been using this solution for about two weeks.

What do I think about the stability of the solution?

This solution appears to be stable for the moment.

What do I think about the scalability of the solution?

The scalability of this solution is good.

There are three people who use this solution. We have an administrator, an engineering architect, and a software engineer.

How are customer service and technical support?

I would rate technical support a seven out of ten.

Which solution did I use previously and why did I switch?

Prior to this solution, I was working on Skybox. It is primarily used for firewalls.

How was the initial setup?

The initial setup of this solution is of medium difficulty. The deployment took one day, although for a larger infrastructure I think it will take more than one day.

One person is suitable for deployment. In terms of maintenance, two people including the administrator are sufficient.

What about the implementation team?

We deployed this solution with assistance from Cisco.

What other advice do I have?

My advice for anybody who is researching this solution is to consider the advantages that it provides in terms of infrastructure.

It is easy to configure administrators and other users who can generate reports and check the dashboard. For the moment, this solution meets our needs and I cannot think of any additional features that should be added.

I would rate this solution an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner.
Network Administrator at Texas Hydraulics, Inc.
Real User
Enables me to create a standard for access rules across all my devices
Pros and Cons
  • "The bulk changes feature is definitely the most valuable."
  • "It should have more features to manage FirePOWER appliances."

What is our primary use case?

I use it to manage my group of firewalls, and I make some configuration changes with it. If I have to update multiple devices at one time I will use it as well.

How has it helped my organization?

Its ability to make bulk changes makes it much easier, that's for sure, when I have to upgrade multiple clients. Although I don't update too often, maybe every six months, it saves me 20 minutes per device for the four devices we have.

It also helps that I'm able to look at synchronizing my configuration across all of the devices. When it comes to configuration of my access rules, it allows me to create a standard across all of them.

Our security team is just me, one guy. We're a pretty small organization. But in a way, it has made me more productive.

In addition, its support for ASA, FTD, and Meraki MX helps maintain consistent security.

What is most valuable?

  • The bulk changes feature is definitely the most valuable. 
  • Being able to look at the configuration before and after the change is made is helpful.

What needs improvement?

They should make it more of a one-stop shop for everything. It should have more features to manage FirePOWER appliances.

For how long have I used the solution?

We've been using CDO for about two years.

What do I think about the stability of the solution?

I'm pretty impressed with the stability. It hasn't broken on me. I'm pretty satisfied.

What do I think about the scalability of the solution?

Since I only have the four devices I really haven't done anything on a mass scale. I can see us possibly increasing usage in the future.

How are customer service and technical support?

I haven't used tech support.

Which solution did I use previously and why did I switch?

We didn't have a previous solution.

How was the initial setup?

The initial setup was pretty straightforward. I had one of the guys from Cisco show me how to onboard one device, and I was able to get the others onboard within about five minutes. There wasn't really an implementation strategy. He just showed me how to do one device at a time.

What other advice do I have?

It's just a good product to have.

In terms of CDO's security features around storing firewall configurations in the cloud, I haven't delved into that yet. I plan to get into it this month, but I haven't logged into it yet. I still use the ASDM a lot of times. I also have a FirePOWER which most of the firewalls are in and I will use the FirePOWER Management Center for that because Orchestrator doesn't manage it quite as well. For firewall builds and daily management of existing firewalls, I normally use FirePOWER, as far as monitoring goes.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
I.T. Manager at Egypt Foods group
Real User
This efficient, time-saving, centralized device manager is easy to deploy and requires minimal administrative IT resources
Pros and Cons
  • "This product provides excellent centralized device controls and reporting."
  • "It would be a better product if it incorporated device control for third-party products easily."

What is our primary use case?

As an IT person for Egypt Foods Group company, we primarily rely on Cisco Defense Orchestrator as centralized management for our Cisco devices (e.g., firewalls and other security devices).

How has it helped my organization?

Implementing the solution improves our company's performance. It does this by providing timely reporting, saving money, advising our IT personnel and improving the defense of our servers and internal network. It helps us to make sure our customers' information and practices are secure when using our company.

What is most valuable?

The most valuable feature of this solution is the centralization of device control. This helps to ensure that transactions between us and other companies are all secure. After we installed the firewalls we get reports for a safety check on a daily basis. Executive reports, custom reports, and penetration testing reports are all very valuable.

What needs improvement?

While I think it's a good product right now and does everything we need it to, everything has some room for improvement. I'm sure Cisco would definitely be looking for ways that they can make its product better. My suggestion would be for Cisco to add third-party devices to the management family. Third-party integration would allow more flexibility and I think that would be a feature that would satisfy the business needs of other potential clients today. Some companies may want flexibility in the products they choose and others may already have legacy equipment that they are not ready to get rid of.

For how long have I used the solution?

We have been using the solution for about a year.

What do I think about the stability of the solution?

So far we find the solution to be quite stable. We do not experience interruptions and down-time.

What do I think about the scalability of the solution?

Scalability is pretty good for a company. We do not have immediate plans to scale much, though we probably will in the future. We work with three firewalls currently. One external firewall and two for the circuits. We have about 800 employees using the system across our organization and scaling from here will be incremental. When we need to we are confident we can scale easily. For example, firewall configuration in the cloud seems like a good idea, so we may take advantage of that — though that may be flexibility rather than scalability.

How are customer service and technical support?

The customer service is helping us out and giving us great support when we need it. The Cisco team is helpful and knowledgeable when we put in queries or tickets. They consistently respond very fast to our issues and that helps us maintain productivity.

Which solution did I use previously and why did I switch?

This product was the first firewall security manager that we installed at our organization, and we didn't really consider anything else because we were already very dedicated to Cisco products.

How was the initial setup?

The product was easy to implement. We are using the Cisco Defense Orchestrator on-prem solution. It only took about two weeks to have it on board. I'm not the one in charge of security as we have a team for security. The team is happy with the solution and doing well with it.

What about the implementation team?

To implement the product originally we used a consultant from outside our company. It was SIGMA IT. They had a small team of two come to do the deployment. We keep a security team of three to monitor and maintain the system.

What was our ROI?

We do experience a return on investment in time savings, security and device management. It would be hard to quantify.

What's my experience with pricing, setup cost, and licensing?

As I'm in higher management, I was involved in the product selection but not the pricing negotiations. Security and finance officers would know more about the pricing.

Which other solutions did I evaluate?

Because of our environment, Cisco was the only vendor that we looked into. The product did what we needed it to, so we went with it.

What other advice do I have?

Cisco Defense Orchestrator is a very great solution to centralizing device management and security. I would want to give it a nine out of ten. It is not a ten because everything can be improved — such as the integration of third-party options, as I mentioned.

As far as advice for those considering this solution, it will save a lot of time. It actually saves our organization about 40% or 60% of the time we used to take to do things manually. That is about three days of labor a week. Now those resources can be used in different and better ways to benefit productivity and the organization.

We have obviously also realized security improvements.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Systems Engineer at a tech services company with 11-50 employees
Real User
Security admin can see changes on a firewall and determine if they are permitted
Pros and Cons
  • "The most valuable feature is that you can push one policy or one rule out to several devices at a time."
  • "If I make a change locally to the firewall, CDO gives an alarm or an error message and says there's a change in compliance: "The firewall has this configuration but the last time it was compiled it had that configuration." That view of new changes versus the old could be better... I had to log in manually, locally on the firewall, to check which version, which configuration was actually running. I couldn't see it in CDO."

What is our primary use case?

My primary use case was just to see what the solution is about. I'm a system engineer and a Cisco partner. I was using the trial to see what it can do.

I rolled it out in my home lab. I have a Cisco ASA firewall so I used it to push configurations to my firewall. I used the Secure Device Connector as a virtual appliance, so I rolled it out like a production environment.

How has it helped my organization?

It could improve things when I need to create an object and to create a new policy. Instead of logging into several devices, one at a time, I could push the policy at one time and mitigate, let's say, vulnerability. Instead of taking three hours or two days, I could do it in 30 minutes. It would save time.

It could improve visibility. When I try to push a configuration tool to my firewall locally - instead of doing it through Defense Orchestrator - I can see through the Defense Orchestrator that configuration on the firewall doesn't match. In that way, it can provide better visibility for a security administrator. He can see that there have been changes on this firewall and determine if they are permitted changes.

In terms of the management of firewalls or firewall builds, it is possible to do upgrades from Defense Orchestrator. I could also push new certificates and that would help because I wouldn't have to go to each firewall or each device to deploy a new certificate or upgrade. I could do it all from a single pane of glass.

Its support for ASA, FTD, and Meraki MX devices could potentially free up staff to do other work, although I have not tried the FTD or the MX.

What is most valuable?

The most valuable feature is that you can push one policy or one rule out to several devices at a time. That's pretty neat.

What needs improvement?

If I make a change locally to the firewall, CDO gives an alarm or an error message and says there's a change in compliance: "The firewall has this configuration but the last time it was compiled it had that configuration." That view of new changes versus the old could be better. Which one is the new configuration? Which one is the old one? I had trouble seeing which configuration of the two which CDO showed me was the one that was actually running. I had to log in manually, locally on the firewall, to check which version, which configuration, was actually running. I couldn't see it in CDO.

For how long have I used the solution?

I used it for a month as long as my trial was running. It was a PoV so I can go sell it. The trial ended two or three weeks ago.

What do I think about the stability of the solution?

The stability seems fine. I didn't experience any outages.

How are customer service and technical support?

The tech support was great.

Which solution did I use previously and why did I switch?

I'm using Cisco ISE, and I use Firewall Device Manager, and FireSIGHT Manager Center. I haven't worked with Defense Orchestrator in-depth as I have been with the FireSIGHT Manager Center (aka FirePOWER Manager Center) but what I can see and what I have experienced is that Defense Orchestrator is better built than FirePOWER Manager Center.

There are a lot of things you can't do with the FireSIGHT Manager Center. You have to have FirePOWER Management Center to get all the features. You install the FirePOWER device manager on the device to get rid of FirePOWER Management Center, but some of the features aren't available in the Firepower device manager if you don't have the FirePOWER Management Center. That's not good.

Now there is Adaptive Security Device Manager (ASDM). If we compare these two, Defense Orchestrator is much better because you can handle many devices at once.

How was the initial setup?

I had a problem. I couldn't deploy the Secure Device Connector. I tried to deploy it in a VMware environment and I had some issues. I needed help from Cisco tech. I also had an issue deploying the on-prem virtual appliance. I had a Cisco guy helping me and he solved it for me.

If I didn't have those issues, it would have taken one hour, but because of the issue it took me three days. It took three days because I had to wait for a technician to become available. When the technician was available, we solved it in two to three hours. That was okay.

But I have tried many of Cisco's products and, normally, it's pretty straightforward to deploy their products or services.

Once it was up and running, I could see value from it straight away, in the first minute. I saw that I could push policies from the cloud. I could push certificates, I could push upgrades. I could push a command line. I could do anything. The value was not hard to see.

What was our ROI?

For one customer I have in mind, I think it could save them eight to ten hours per week.

What's my experience with pricing, setup cost, and licensing?

I tried to see what the pricing is. What I could see is that it is about $100 per year for the ASA 5506 firewall, and from there it keeps going up if you have a bigger box. For example, the 5516 is $200 to $300 per year. It can sound like a lot but I see the potential it has to free up many hours of technician time. So the pricing is okay.

What other advice do I have?

It's worth it to dive in. If you have an environment with several firewalls, more than five, I would recommend just doing it.

The biggest lesson I've learned from using it is that you can configure multiple devices at once.

In terms of its security features for storing firewall configurations in the cloud, I'm not bothered by it. I don't see that as a security issue because I believe that Cisco is protecting it. I'm generally not against the cloud. It's good that we can do more and more from a single pane of glass, like Cisco Meraki, Cisco Defense Orchestrator, DNA Center, and so on. They should keep going in that direction. I think it's good.

I didn't try that many features but I can see that it has a VPN feature. I would like to try some of these things, but I only have one firewall. It's difficult to do everything with one firewall. I would like to test out the VPN functionality and how it can save time in troubleshooting. I would also like to test the ease of creating new VPNs between firewalls.

I would rate CDO at ten out of ten. It's a nice product and that's taking into account my experience with other products.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
Buyer's Guide
Download our free Cisco Security Cloud Control Report and get advice and tips from experienced pros sharing their opinions.
Updated: July 2025