Cisco Support Community

Identity Firewall - inactive/active

How can I force the firewall to automatically update inactive users to active, without the user logging off and on again? A lot of users are inactive because of the configuration Users - inactive timer (120 min.), and the rules don't take effect.

I turned off the NetBIOS logout probe:

The ASA has an inactive user timeout that is also used to remove users from the database. The timer applies to all user types. Thus, implementing NetBIOS probing is not required to remove inactive users from the database.

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.2/user/guide/fwident.pdf

Comments

http://blog.pbmit.com/asa_identity_fw2

- Inactive and stale user-to-IP mapping entries seem to remain on the ASA unless cleared manually. (OMFG!)

- Once a user becomes inactive (i.e. the idle timer expired), he will not be evaluated by any identity ACL rules, during which time he may be denied by subsequent ACL rules, until his next domain re-login, or until a manual user-to-IP mapping table update is performed. (My problem)

Conclusion:

Based on our observations, deploying identity firewall requires careful design of the ACL and extensive testing to make sure an AD agent outage will neither cause user traffic to be blocked nor accidentally allow unauthorized access. The idle timer may also need to be adjusted to prevent denied access due to users prematurely becoming inactive while they are still logged in to the domain. (How can I adjust this if my company is 24x7? Disable this function? What could happen?) In addition, there is a chance that the ASA user-to-IP mapping table becomes out of sync with the AD agent. Although we can manually force an update, this certainly is not practical.

Maybe with these problems, it is not a good idea to deploy identity firewall...
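For the "how can I adjust this" part of the original question and of the comment above, here is an added ASA configuration example; it is not from the original thread, the quoted blog or Cisco's documentation. It shows the inactive-user timer setting the thread describes (120 minutes) next to the two ways of changing it, plus the fallback actions that address the AD Agent outage concern from the quoted conclusion. The domain nickname SAMPLE and the 1440-minute value are assumptions; the commands are the ASA 8.4(2)+ identity firewall CLI as I remember it, so check them against the command reference for your release.

```text
! Added example, not from the original post, the quoted blog or Cisco docs.
! Assumed names: domain nickname SAMPLE; 1440 minutes is an assumed value.

! Setting described in the thread: after 120 idle minutes a user is marked
! inactive (and aged out of the user-to-IP database), so his traffic no
! longer matches "user" ACEs and falls through to later ACL lines.
user-identity inactive-user-timer minutes 120

! Change 1 (24x7 environment): never age users out on idle time. Users are
! then removed only on a domain logout reported by the AD Agent, on a
! NetBIOS probe failure (if probing is enabled), or when cleared manually.
user-identity inactive-user-timer never

! Change 2 (alternative to "never"): keep an idle timer but set it longer
! than the longest idle period a logged-in workstation can realistically
! have, e.g. 24 hours, so users are not marked inactive while still logged in.
! user-identity inactive-user-timer minutes 1440

! Fail open for identity, not for all traffic: when the AD Agent or the
! domain controller is unreachable, stop enforcing identity rules instead of
! letting every user fall through to the deny lines.
user-identity action ad-agent-down disable-user-identity-rule
user-identity action domain-controller-down SAMPLE disable-user-identity-rule

! Verification: list active and inactive users, and check AD Agent health.
show user-identity user all
show user-identity ad-agent
```

Only one `inactive-user-timer` line is kept in a running configuration; the later one replaces the earlier one, so the block shows the before and after of a single setting, not a sequence to paste as is. Note that `disable-user-identity-rule` means the identity conditions in your ACEs stop being evaluated during an outage, so the remaining non-identity ACEs decide what is permitted; test that path as the quoted conclusion recommends.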

This was the best configuration in my case. The user in the AD Agent must be registered with the correct permissions. I did not want to use a DOMAIN ADMIN for that, but had not had much success with updates of the mappings. Now everything is OK!

