5-16
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Identity Firewall
Configure the Identity Firewall
If a user is added to or deleted from an Active Directory group, the ASA received the updated user group
after the import group timer ran. By default, the poll-import-user-group-timer hours value is 8 hours.
To immediately update user group information, enter the user-identity update import-user command.
Step 7 Specify the action when a client does not respond to a NetBIOS probe.
user-identity action netbios-response-fail remove-user-ip
Example:
hostname(config)# user-identity action netbios-response-fail remove-user-ip
For example, the network connection might be blocked to that client or the client is not active.
When this command is configured, the ASA removes the user identity-IP address mapping for that client.
By default, this command is disabled.
Step 8 Specify the action when the domain is down, because the Active Directory domain controller is not
responding.
user-identity action domain-controller-down domain_nickname disable-user-identity-rule
Example:
hostname(config)# user-identity action domain-controller-down SAMPLE
disable-user-identity-rule
When the domain is down and the disable-user-identity-rule keyword is configured, the ASA disables
the user identity-IP address mapping for that domain. Additionally, the status of all user IP addresses in
that domain are marked as disabled in the output displayed by the show user-identity user command.
By default, this command is disabled.
Step 9 Enable user-not-found tracking. By default, this command is disabled.
user-identity user-not-found enable
Example:
hostname(config)# user-identity user-not-found enable
Only the last 1024 IP addresses are tracked.
Step 10 Specify the action when the AD Agent is not responding.
user-identity action ad-agent-down disable-user-identity-rule
Example:
hostname(config)# user-identity action ad-agent-down disable-user-identity-rule
When the AD Agent is down and this command is configured, the ASA disables the user identity rules
associated with the users in that domain. Additionally, the status of all user IP addresses in that domain
is marked as disabled in the output displayed by the show user-identity user command.
By default, this command is disabled.
Step 11 Specify the action when a user's MAC address is found to be inconsistent with the ASA IP address
currently mapped to that MAC address.
user-identity action mac-address-mismatch remove-user-ip
Example:
hostname(config)# user-identity action mac-address-mismatch remove-user-ip
To Next Page
Loading...
