Cisco Systems ASA 5510 Network Router User Manual


70-29
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Configuring Endpoint Attributes Used in DAPs
Step 7 If you want to disregard the case of the registry entry when scanning, click the Caseless check box. If
you want the search to be case-sensitive, do not check the Caseless check box.
Step 8 Click OK.
Step 9 Return to Configuring Dynamic Access Policies, page 70-10.
Additional References
See Endpoint Attribute Definitions, page 70-29 for additional information on the Registry endpoint
attribute requirements.
DAP and AntiVirus, AntiSpyware, and Personal Firewall Programs
The security appliance uses a DAP policy when the user attributes match the configured AAA and
endpoint attributes. The Prelogin Assessment and Host Scan modules of Cisco Secure Desktop return
information to the security appliance about the configured endpoint attributes, and the DAP subsystem
uses that information to select a DAP record that matches the values of those attributes.
Most, but not all, antivirus, antispyware, and personal firewall programs support active scan, which
means that the programs are memory-resident, and therefore always running. Host Scan checks to see if
an endpoint has a program installed, and if it is memory-resident as follows:
• If the installed program does not support active scan, Host Scan reports the presence of the software.
The DAP system selects DAP records that specify the program.
• If the installed program does support active scan, and active scan is enabled for the program, Host
Scan reports the presence of the software. Again the security appliance selects DAP records that
specify the program.
• If the installed program does support active scan and active scan is disabled for the program, Host
Scan ignores the presence of the software. The security appliance does not select DAP records that
specify the program. Further, the output of the debug trace command, which includes a lot of
information about DAP, does not indicate the program presence, even though it is installed.
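The three reporting cases above, modeled as an added example (not Cisco code and not part of the original guide) to show why an installed program with active scan disabled never matches a DAP record. The class, function names, program labels, and the rule that a record matches only when every label it specifies was reported are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Program:
    """One security product on the endpoint (hypothetical model, not a Cisco type)."""
    label: str
    supports_active_scan: bool
    active_scan_enabled: bool = False

def host_scan_report(installed):
    """Return the labels Host Scan reports, following the three cases in the text."""
    reported = set()
    for p in installed:
        if not p.supports_active_scan:
            reported.add(p.label)   # no active scan support: presence is reported
        elif p.active_scan_enabled:
            reported.add(p.label)   # active scan supported and enabled: reported
        # active scan supported but disabled: ignored, as if not installed
    return reported

def select_records(dap_records, reported):
    """Assumed rule: a record is selected when every label it specifies was reported."""
    return [name for name, labels in dap_records.items() if labels <= reported]

def installed_but_unreported(installed, reported):
    """Installed programs that neither DAP nor its debug trace will show."""
    return sorted(p.label for p in installed if p.label not in reported)

# Constructed sample endpoint and DAP records; every label here is made up.
ENDPOINT = [
    Program("av-legacy", supports_active_scan=False),
    Program("av-realtime", supports_active_scan=True, active_scan_enabled=False),
    Program("fw-personal", supports_active_scan=True, active_scan_enabled=True),
]
DAP_RECORDS = {
    "require-legacy-av": {"av-legacy"},
    "require-realtime-av": {"av-realtime"},
    "require-av-and-fw": {"av-legacy", "fw-personal"},
}

if __name__ == "__main__":
    reported = host_scan_report(ENDPOINT)
    print("reported by Host Scan:", sorted(reported))
    print("DAP records selected:", select_records(DAP_RECORDS, reported))
    print("installed but unreported:", installed_but_unreported(ENDPOINT, reported))
```

When a DAP record that specifies a program is unexpectedly not selected, the unreported list is the place to look first: the program may be installed with active scan turned off.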
Endpoint Attribute Definitions
Table 70-3 defines the endpoint selection attribute names that are available for DAP use. The Attribute
Name field shows you how to enter each attribute name in a Lua logical expression, which you might do
in the Advanced area in the Add/Edit Dynamic Access Policy pane. The label variable identifies the
application, filename, process, or registry entry.