39-18
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter39 Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Selecting this option specifies the action when NetBIOS probing to a user is blocked (for example, the
user client does not respond to a NetBIOS probe). The network connection might be blocked to that
client or the client is not active. When this option is selected, the ASA disables the identity rules
associated with that user’s IP address.
Step 12 In the Error Conditions section, select whether to remove a user’s MAC address when it is inconsistent
with the IP address that the ASA has currently mapped to that MAC address. When this option is
selected, the ASA disables the user identity rules associated with the specific user.
Step 13 In the Error Conditions section, select whether to track users that are not found.
Step 14 In the Users section, select the Idle Timeout option and enter a time in minutes from 1 minute to 65535.
By default, the idle timeout is set to 60 minutes.
Enabling this option configures a timer when an active user is considered idle, meaning the ASA does
not receive traffic from the user’s IP address for more than the specified time. Once the timer expires,
the user’s IP address is marked inactive and removed from the local cached IP-user database and the ASA
no longer notifies the AD Agent about that IP address. Existing traffic is still allowed to pass. When the
Idle Timeout option is enabled, the ASA runs an inactive timer even when the NetBIOS Logout Probe
is configured.
Note The Idle Timeout option does not apply to VPN or cut-through proxy users.
Step 15 In the NetBIOS Logout Probe section, enable NetBIOS probing and set the probe timer (from 1 to 65535
minutes) before a user’s IP address is probed and the retry interval (from 1 to 256 retries) between retry
probes.
Enabling this option configures how often the ASA probes the user host to determine whether the user
client is still active. To minimize the NetBIOS packets, ASA only sends a NetBIOS probe to the client
when the user has been idle for more than the specified number of minutes in the Idle Timeout minutes
field.
Step 16 In the NetBIOS Logout Probe section, select an option from the User Name list:
Match Any—As long as the NetBIOS response from the host contains the user name of the user
assigned to the IP address, the user identity is considered valid. Specifying this option requires
that the host has the Messenger service enabled and a WINS server configured.
Exact Match—The user name of the user assigned to the IP address must be the only one in the
NetBIOS response. Otherwise, the user identity of that IP address is considered invalid. Specifying
this option requires that the host has the Messenger service enabled and a WINS server configured.
User Not Needed—As long as the ASA received a NetBIOS response from the host, the user identity
is considered valid.
Step 17 Click Apply to save the Identity Firewall Configuration.
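The same settings as they appear in the ASA running configuration, as an added example that is not part of this guide. The `user-identity` keywords are assumed from the ASA CLI reference rather than taken from this page, and the values are constructed to sit inside the ranges given in Steps 12 to 16, so confirm the exact syntax with `?` on your release before relying on it.

```cisco
! Added example (assumed CLI equivalents of the ASDM Identity Firewall settings above)
! Step 11 context: a host that does not answer the NetBIOS probe loses its IP-user mapping
user-identity action netbios-response-fail remove-user-ip
! Step 12: a MAC address that no longer matches the mapped IP invalidates that user's rules
user-identity action mac-address-mismatch remove-user-ip
! Step 13: keep tracking users that the AD Agent cannot resolve
user-identity user-not-found enable
! Step 14: idle timer, default 60 minutes (range 1-65535); VPN and cut-through proxy users are exempt
user-identity inactive-user-timer minutes 60
! Steps 15-16: probe a host once it has been idle for 10 minutes, retry twice 10 seconds apart,
! and accept any response that contains the mapped user name (Messenger service + WINS required)
user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-name match-any
! Verification: list the IP-user mappings the ASA currently treats as active or as timed out
show user-identity user active
show user-identity user inactive
```

Comparing the two `show` lists after the idle timer expires is the quickest way to confirm that stale mappings are actually being dropped rather than silently kept.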
What to Do Next
Configure the Active Directory domain and server groups. See Configuring the Active Directory
Domain, page 11 and Configuring Active Directory Server Groups, page 13.
Configure AD Agents. See Configuring Active Directory Server Groups, page 13.