Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 36 Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Step 4

hostname(config)# user-identity logout-probe netbios local-system probe-time minutes minutes retry-interval seconds seconds retry-count times [user-not-needed|match-any|exact-match]

Example:

hostname(config)# user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed

Enables NetBIOS probing. Enabling this option
configures how often the ASA probes the user client
IP address to determine whether the client is still
active. By default, NetBIOS probing is disabled.

To minimize the NetBIOS packets, the ASA only
sends a NetBIOS probe to a client when the user has
been idle for more than the specified number of
minutes.

Set the NetBIOS probe timer from 1 to 65535
minutes and the retry interval from 1 to 256 retries.
Specify the number of times to retry the probe:

match-any—As long as the NetBIOS response
from the client contains the user name of the
user assigned to the IP address, the user identity
is considered valid. Specifying this option
requires that the client has enabled the Messenger
service and configured a WINS server.

exact-match—The user name of the user
assigned to the IP address must be the only one
in the NetBIOS response. Otherwise, the user
identity of that IP address is considered invalid.
Specifying this option requires that the client
has enabled the Messenger service and configured a
WINS server.

user-not-needed—As long as the ASA receives
a NetBIOS response from the client, the user
identity is considered valid.

The Identity Firewall only performs NetBIOS
probing for those user identities that are in the
active state and exist in at least one security policy.
The ASA does not perform NetBIOS probing for
clients where the users logged in through
cut-through proxy or by using VPN.
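
The three match options modeled in Python, as an added example that is not part of the Cisco guide: parse_probe reads the command in the syntax shown above, and identity_valid applies the rule stated for each option. Treating a missing reply as a logout and comparing names case-insensitively are assumptions, and the sample line and user names are constructed.

```python
import re

# Command syntax as given on this page; the match option is the last keyword.
PROBE_RE = re.compile(
    r"user-identity logout-probe netbios local-system "
    r"probe-time minutes (\d+) retry-interval seconds (\d+) "
    r"retry-count (\d+) (user-not-needed|match-any|exact-match)\s*$")

def parse_probe(line):
    """Return the probe settings from one config line, or None if it is not one."""
    m = PROBE_RE.search(line)
    if not m:
        return None
    minutes, interval, count = (int(g) for g in m.group(1, 2, 3))
    if not 1 <= minutes <= 65535:  # probe timer range stated on this page
        raise ValueError("probe-time must be 1 to 65535 minutes")
    return {"probe_minutes": minutes, "retry_interval": interval,
            "retry_count": count, "mode": m.group(4)}

def identity_valid(mode, mapped_user, response_names):
    """response_names: user names in the NetBIOS reply, or None if no reply came."""
    if response_names is None:
        return False  # assumption: no reply after all retries means logged out
    if mode == "user-not-needed":
        return True   # any reply keeps the IP-to-user mapping
    names = {n.casefold() for n in response_names}  # assumption: case-insensitive
    user = mapped_user.casefold()
    if mode == "match-any":
        return user in names
    if mode == "exact-match":
        return names == {user}
    raise ValueError(f"unknown match option: {mode}")

def compare_modes(mapped_user, response_names):
    """Evaluate the same NetBIOS reply under all three match options."""
    return {m: identity_valid(m, mapped_user, response_names)
            for m in ("user-not-needed", "match-any", "exact-match")}

# Constructed sample: the example command from this page on a single line.
SAMPLE = ("hostname(config)# user-identity logout-probe netbios local-system "
          "probe-time minutes 10 retry-interval seconds 10 retry-count 2 "
          "user-not-needed")

if __name__ == "__main__":
    print(parse_probe(SAMPLE))
    # The IP is mapped to alice, but the reply now names only bob.
    print(compare_modes("alice", ["bob"]))
```

With user-not-needed, the reply that names only bob still keeps alice's identity attached to the IP address, while match-any and exact-match both invalidate it.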
