Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
Table 13-5 Identity Options Advanced Tab (Continued)

Element: Description

NetBIOS Logout Probe

Enable (NetBIOS Logout Probe): Whether to enable the NetBIOS logout probe.
You can use the probe to proactively determine if a user has logged out
of the network, allowing the device to remove the user-to-IP address
mapping more quickly than if idle timeout is the only mechanism used
for this purpose. By default the probe is disabled, and users are removed
only if they are idle for longer than the Idle Timeout value.
Users are probed only if they are in the active state and they are used in
at least one activated rule. VPN and cut-through proxy users are not
probed. The AD agent is notified if the user-to-IP mapping is removed
by the NetBIOS logout probe.
In addition to configuring the following options, see Requirements for
Identity-Aware Firewall Policies, page 13-3.

Probe Timer: The frequency of sending NetBIOS probes to activated users,
regardless of whether the user is idle. The default is 15 minutes; the
range is 1 to 65535 minutes.

Retry Interval: The frequency of retrying the probe if a response is not
received from an IP address, and the number of times the probe should be
retried. The default is 3 seconds and 3 retries. The range is 1 to 65535
seconds for the interval and 1 to 256 for the retry count.
If there is no response from the final retry, the user-to-IP address
mapping is removed if you selected the Remove User IP When
NetBIOS Probe Fails option; otherwise, the address is probed during
the next interval.

User Name: When a NetBIOS response is received, how to handle the response
based on the usernames returned:
- Match Any (the default)—Any username in the response can
  match the username in the database for the IP address. If there are
  multiple names in the response (that is, more than one user is
  logged into the workstation) and any user in the response matches a
  user in the database, the probe is considered successful and the
  mapping is retained.
- User Not Needed—The usernames in the NetBIOS response are
  ignored; the query response is sufficient to maintain the user-to-IP
  address mapping. This option is useful if the messenger service is
  not turned on in the workstation, in which case the NetBIOS
  response will not contain usernames. The option is also useful
  when multiple users log into a workstation.
- Exact Match—There must be one username in the NetBIOS
  response, and it must exactly match the username in the user-to-IP
  address mapping database. If there is more than one user, or if the
  username does not match, the mapping is removed from the
  database and the IP address is marked as inactive.
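
The retry and User Name rules in the table can be modeled as a small decision function, which shows which setting keeps a user-to-IP mapping alive after a workstation changes hands. This is an added example, not Cisco code: the names Mode, Outcome, probe_outcome and compare_modes are hypothetical, the scenarios are constructed, and the follow-up to an unsuccessful Match Any check is left unspecified because the table does not state it.

```python
from enum import Enum

class Mode(Enum):                      # the three User Name options
    MATCH_ANY = "Match Any"
    USER_NOT_NEEDED = "User Not Needed"
    EXACT_MATCH = "Exact Match"

class Outcome(Enum):
    RETAIN = "mapping retained"
    REMOVE = "mapping removed"
    REPROBE = "probed again at the next interval"
    UNSPECIFIED = "probe not successful (follow-up not stated in the table)"

def probe_outcome(mode, mapped_user, attempts, remove_on_fail):
    """Model one probe cycle for one user-to-IP mapping (hypothetical helper).
    attempts: one entry per probe sent (first probe plus retries), in order.
    None means no response; a list holds the usernames in the NetBIOS
    response (an empty list is a response that carries no usernames).
    remove_on_fail: the "Remove User IP When NetBIOS Probe Fails" option.
    """
    response = next((a for a in attempts if a is not None), None)
    if response is None:               # silent through the final retry
        return Outcome.REMOVE if remove_on_fail else Outcome.REPROBE
    if mode is Mode.USER_NOT_NEEDED:   # any response keeps the mapping
        return Outcome.RETAIN
    if mode is Mode.MATCH_ANY:
        return Outcome.RETAIN if mapped_user in response else Outcome.UNSPECIFIED
    # Exact Match: exactly one username, and it must equal the mapped one.
    # Assumption: a response with zero usernames is treated as a mismatch.
    if len(response) == 1 and response[0] == mapped_user:
        return Outcome.RETAIN
    return Outcome.REMOVE

def compare_modes(mapped_user, attempts, remove_on_fail=True):
    return {m: probe_outcome(m, mapped_user, attempts, remove_on_fail) for m in Mode}

# Constructed scenarios for a mapping of user "alice" to one IP address.
SCENARIOS = {
    "alice still logged in": [["alice"]],
    "alice and bob logged in": [["alice", "bob"]],
    "only bob logged in now": [None, ["bob"]],
    "response without usernames": [[]],
    "no response, 3 retries": [None, None, None, None],
}

if __name__ == "__main__":
    for label, attempts in SCENARIOS.items():
        for mode, outcome in compare_modes("alice", attempts).items():
            print(f"{label:28} {mode.value:16} {outcome.value}")
```

In the "only bob logged in now" scenario, User Not Needed retains the mapping for alice even though a different user answered, which is the trade-off to weigh when selecting that option.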