Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
Table 13-5 Identity Options Advanced Tab (Continued)

Element: Description

Users

Idle Timeout: The amount of time, in minutes, to allow the user to be idle before removing the user-to-IP address mapping in the database. Once removed, the user must log in again to update the mapping (for example, by using Ctrl+Alt+Delete to lock the workstation, then logging in again). The default is 60 minutes; the range is 1 to 65535 minutes.

You can deselect the option to disable idle timeout checking, in which case user-to-IP mappings are not removed due to idleness.

VPN and cut-through proxy users are not subject to this timer. The AD agent is not notified if the user-to-IP address mapping is removed due to idle timeout.

Active Directory Agent

Hello Timer: The frequency of sending Hello packets to the AD agent. The ASA uses Hello packets to obtain ASA replication status and domain status. If the ASA does not receive a response after the final retry, the AD agent is considered down, and the ASA switches to the backup AD agent, if you configure one.

By default, Hello packets are sent every 30 seconds, and up to 5 retries are attempted if no response is received. The range is 10 to 65535 seconds and 1 to 65535 retries.

Poll Groups Timer: How often the Active Directory server should be queried to obtain user membership lists for user groups that you have specified in firewall rules. The ASA queries the server for membership in a group only if you have used the group; it does not query every group defined in the AD server. The default is 8 hours; the range is 1 to 65535 hours.

Tip: If group membership changes, the changes are not reflected in rule processing until this timer expires and the ASA polls the AD server for updated information. Thus, you should configure the timer based on the frequency of changes to group membership in your network, balancing the need to update group membership in the ASA with the desire to reduce the amount of polling.