Setting The Query-For-Posture-Changes Timer - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Chapter 33
Configuring Network Admission Control

Setting the Query-for-Posture-Changes Timer

After each successful posture validation, the security appliance starts a status query timer. The expiration
of this timer triggers a query to the remote host for changes in posture since the last posture validation.
A response indicating no change resets the status query timer. A response indicating a change in posture
triggers an unconditional posture revalidation. The security appliance maintains the current access
policy during revalidation.
By default, the interval between each successful posture validation and the status query, and each
subsequent status query, is 300 seconds (5 minutes). The group policy inherits the value of the status
query timer from the default group policy unless you change it. Enter the following command in
group-policy configuration mode to change the status query interval:
nac-sq-period seconds
seconds must be in the range 300 to 1800 seconds (5 to 30 minutes).
The following example changes the status query timer to 1800 seconds:
hostname(config-group-policy)# nac-sq-period 1800
hostname(config-group-policy)#
To inherit the value of the status query timer from the default group policy, access the alternative group
policy from which to inherit it, then enter the following command:
no nac-sq-period [seconds]
For example:
hostname(config-group-policy)# no nac-sq-period
hostname(config-group-policy)#

Setting the Revalidation Timer

After each successful posture validation, the security appliance starts a revalidation timer. The expiration
of this timer triggers the next unconditional posture validation. The security appliance maintains the
current access policy during revalidation.
By default, the interval between each successful posture validation is 36000 seconds (10 hours). The
group policy inherits the value of the revalidation timer from the default group policy unless you change
it. Enter the following command in group-policy configuration mode to change the revalidation interval:
nac-reval-period seconds
seconds must be in the range 300 to 86400 seconds (5 minutes to 24 hours).
For example, enter the following command to change the revalidation timer to 86400 seconds:
hostname(config-group-policy)# nac-reval-period 86400
hostname(config-group-policy)#
To inherit the value of the revalidation timer from the default group policy, access the alternative group
policy from which to inherit it, then enter the following command:
no nac-reval-period
For example:

OL-10088-01
Cisco Security Appliance Command Line Configuration Guide
Changing Advanced Settings
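
The inheritance and range rules for the two timers described above, as an added example that is not part of the Cisco guide: a Python check that reads group-policy blocks from a saved configuration and reports each policy's effective status query and revalidation timers. The "group-policy <name> attributes" layout, the default policy name DfltGrpPolicy and the sample configuration are assumptions constructed for illustration.

```python
import re

# (min, max, default) in seconds, as documented on this page.
TIMERS = {"nac-sq-period": (300, 1800, 300),
          "nac-reval-period": (300, 86400, 36000)}
DEFAULT_POLICY = "DfltGrpPolicy"  # assumption: name of the default group policy
# Constructed sample; the "group-policy <name> attributes" layout is assumed.
SAMPLE = """\
group-policy DfltGrpPolicy attributes
 nac-sq-period 600
group-policy contractors attributes
 nac-sq-period 1800
 nac-reval-period 86400
group-policy staff attributes
 vpn-idle-timeout 30
group-policy kiosk attributes
 nac-sq-period 120
"""

def parse_group_policies(config):
    """Return {policy: {timer: seconds}} for timers set explicitly."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the block
        elif current is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0] in TIMERS and parts[1].isdigit():
                current[parts[0]] = int(parts[1])
    return policies

def effective_timers(config):
    """Map policy -> timer -> (seconds, source, within documented range)."""
    policies = parse_group_policies(config)
    base = policies.get(DEFAULT_POLICY, {})
    report = {}
    for name, explicit in policies.items():
        for timer, (low, high, default) in TIMERS.items():
            layers = [(explicit, "explicit"), (base, "inherited"),
                      ({timer: default}, "built-in default")]
            value, source = next((d[timer], s) for d, s in layers if timer in d)
            report.setdefault(name, {})[timer] = (value, source, low <= value <= high)
    return report

if __name__ == "__main__":
    print(effective_timers(SAMPLE))
```

The range flag is meant for configurations generated from templates before they are pushed to the appliance; the constructed kiosk policy shows a status query period below the documented 300-second minimum.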

This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
