Cisco ASA Series CLI Configuration Manual, page 895

Software version 9.0 for the services module
Chapter 1
Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

Step 4

Command:

hostname(config)# user-identity logout-probe netbios local-system probe-time minutes minutes retry-interval seconds seconds retry-count times [user-not-needed|match-any|exact-match]

Example:

hostname(config)# user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed

Purpose:

Enables NetBIOS probing. Enabling this option configures how often the ASA probes the user client IP address to determine whether the client is still active. By default, NetBIOS probing is disabled.

To minimize NetBIOS traffic, the ASA sends a NetBIOS probe to a client only after the user has been idle for more than the number of minutes given by probe-time. retry-interval specifies the number of seconds between retries, and retry-count specifies the number of times to retry the probe. The final keyword selects how the NetBIOS response is evaluated:

match-any: As long as the NetBIOS response from the client contains the user name of the user assigned to the IP address, the user identity is considered valid.

exact-match: The user name of the user assigned to the IP address must be the only one in the NetBIOS response. Otherwise, the user identity of that IP address is considered invalid.

user-not-needed: As long as the ASA receives a NetBIOS response from the client, the user identity is considered valid.

The Identity Firewall performs NetBIOS probing only for user identities that are in the active state and that appear in at least one security policy. The ASA does not perform NetBIOS probing for clients whose users logged in through cut-through proxy or VPN.

Step 5

Command:

hostname(config)# user-identity inactive-user-timer minutes minutes

Example:

hostname(config)# user-identity inactive-user-timer minutes 120

Purpose:

Specifies the amount of time before a user is considered idle, meaning that the ASA has not received traffic from the user's IP address for the specified amount of time.

When the timer expires, the user's IP address is marked as inactive and removed from the local cached user identity-IP address mapping database, and the ASA no longer notifies the AD Agent about that IP address's removal. Existing traffic is still allowed to pass. When this command is specified, the ASA runs the inactive timer even when the NetBIOS Logout Probe is configured.

By default, the idle timeout is set to 60 minutes.

Note
The Idle Timeout option does not apply to VPN or cut-through proxy users.
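The three match modes and the inactive-user timer described above, modelled as an added Python example that is not Cisco code and does not claim to be the ASA's implementation. The class and function names (Mapping, probe_is_valid, needs_probe, run_probe_cycle, expire_idle), the minute-based clock and the sample mappings and NetBIOS replies are assumptions constructed for the example; the probe-time and inactive-user-timer values are the ones from the Step 4 and Step 5 examples.

```python
"""Added illustration (not Cisco code) of how the ASA Identity Firewall's
NetBIOS logout-probe match modes and the inactive-user timer affect the
cached user-to-IP mappings.  Class and function names, the minute-based
clock and the sample mappings/replies are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROBE_TIME_MIN = 10        # probe-time minutes 10 (value from the Step 4 example)
INACTIVE_TIMER_MIN = 120   # inactive-user-timer minutes 120 (Step 5 example)


@dataclass
class Mapping:
    user: str
    last_traffic_min: int         # clock reading (minutes) of the last packet seen
    login: str = "ad-agent"       # how the identity was learned: ad-agent, vpn, cut-through-proxy
    in_policy: bool = True        # referenced by at least one security policy
    state: str = "active"


def probe_is_valid(mode: str, mapped_user: str,
                   netbios_users: Optional[List[str]]) -> bool:
    """Apply the logout-probe match mode to one NetBIOS reply.

    netbios_users is the list of logged-on names in the client's reply;
    None means the client never answered within retry-count attempts.
    """
    if netbios_users is None:
        return False                      # no reply at all: treat as logged out
    if mode == "user-not-needed":
        return True                       # any reply keeps the mapping
    if mode == "match-any":
        return mapped_user in netbios_users
    if mode == "exact-match":
        return netbios_users == [mapped_user]
    raise ValueError("unknown match mode: " + mode)


def needs_probe(m: Mapping, now_min: int) -> bool:
    """The ASA probes only active, policy-referenced, AD-Agent-learned users
    that have been idle for longer than probe-time."""
    return (m.state == "active" and m.in_policy and m.login == "ad-agent"
            and now_min - m.last_traffic_min > PROBE_TIME_MIN)


def run_probe_cycle(cache: Dict[str, Mapping], now_min: int, mode: str,
                    replies: Dict[str, Optional[List[str]]]) -> List[str]:
    """Probe every eligible mapping; return the IPs whose identity became
    invalid and was therefore dropped from the cache."""
    dropped = []
    for ip, m in list(cache.items()):
        if not needs_probe(m, now_min):
            continue
        if not probe_is_valid(mode, m.user, replies.get(ip)):
            m.state = "inactive"
            del cache[ip]
            dropped.append(ip)
    return dropped


def expire_idle(cache: Dict[str, Mapping], now_min: int) -> List[str]:
    """Apply the inactive-user timer.  VPN and cut-through-proxy users are
    exempt (the Note in Step 5); every other mapping idle for the full timer
    is marked inactive and removed from the cache."""
    removed = []
    for ip, m in list(cache.items()):
        if m.login != "ad-agent":
            continue
        if now_min - m.last_traffic_min >= INACTIVE_TIMER_MIN:
            m.state = "inactive"
            del cache[ip]
            removed.append(ip)
    return removed


def build_sample_cache() -> Dict[str, Mapping]:
    """Constructed sample data, not captured from a real ASA."""
    return {
        "10.1.1.10": Mapping("alice", last_traffic_min=0),                 # idle shared host
        "10.1.1.11": Mapping("bob", last_traffic_min=5, in_policy=False),  # no policy references bob
        "10.1.1.12": Mapping("carol", last_traffic_min=0, login="vpn"),    # VPN: never probed or expired
        "10.1.1.13": Mapping("dave", last_traffic_min=25),                 # recently active
    }


# Constructed NetBIOS reply: 10.1.1.10 is a terminal server where both alice
# and bob are logged on.  No other host answered.
SAMPLE_REPLIES: Dict[str, Optional[List[str]]] = {"10.1.1.10": ["alice", "bob"]}


if __name__ == "__main__":
    for mode in ("user-not-needed", "match-any", "exact-match"):
        cache = build_sample_cache()
        print(mode, "drops", run_probe_cycle(cache, 30, mode, SAMPLE_REPLIES))
    cache = build_sample_cache()
    print("inactive-user-timer at t=130 removes", expire_idle(cache, 130))
```

Running the block shows that the same NetBIOS reply from a shared host keeps the mapping under match-any and user-not-needed but invalidates it under exact-match, and that a host that never answers is treated as logged out in every mode. On hosts where several users can be logged on at once, exact-match is therefore the mode that refuses to keep a user-to-IP binding alive on the strength of someone else's session. The idle timer removes AD-Agent-learned mappings regardless of any probe result, while VPN and cut-through proxy mappings are exempt from both mechanisms.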
Cisco ASA Series CLI Configuration Guide
1-15