Filter
Top Products
70-40
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Guide to Creating DAP Logical Expressions using LUA
Step 1 Copy and paste the following Lua expression into the Advanced field of the Add/Edit Dynamic Access
Policy pane (click the double arrow on the far right to expand the field).
(CheckAndMsg(EVAL(endpoint.av[“NortonAV”].exists, "EQ", "false"),"Your Norton AV was found
but the active component of it was not enabled", nil) or
CheckAndMsg(EVAL(endpoint.av[“NortonAV”].exists, "NE", "true"),"Norton AV was not found on
your computer", nil) )
Step 2 In that same Advanced field, click the OR button.
Step 3 In the Access Attributes section below, in the leftmost tab, Action, click Terminate.
Step 4 Connect from a PC that does not have or has disabled Norton Antivirus.
The expected result is that the connection is not allowed and the message appears as a blinking ! point.
Step 5 Click the blinking ! to see the message.
Checking for Antivirus Programs and Definitions Older than 1 1/2 Days
This example checks for the presence of the Norton and McAfee antivirus programs, and whether the
virus definitions are older than 1 1/2 days (10,000 seconds). If the definitions are older than 1 1/2 days,
the ASA terminates the session with a message and links for remediation. To accomplish this task,
perform the following steps.
Step 1 Copy and paste the following Lua expression into the Advanced field of the Add/Edit Dynamic Access
Policy pane (click the double arrow on the far right to expand the field):
((EVAL(endpoint.av[“NortonAV”].exists,”EQ”,”true”,”string”) and
CheckAndMsg(EVAL(endpoint.av[“NortonAV”].lastupdate,”GT”,”10000”,integer”),To
remediate <a href=’http://www.symantec.com’>Click this link </a>”,nil)) or
(EVAL(endpoint.av[“McAfeeAV”].exists,”EQ”,”true”,”string”) and
CheckAndMsg(EVAL(endpoint.av[“McAfeeAV”].lastupdate,”GT”,”10000”,integer”),To
remediate <a href=’http://www.mcafee.com’>Click this link</a>”,nil))
Step 2
In that same Advanced field, click AND.
Step 3 In the Access Attributes section below, in leftmost tab, Action, click Terminate.
Step 4 Connect from a PC that has Norton and McAfee antivirus programs with versions that are older than
1 1/2 days.
The expected result is that the connection is not allowed and the message appears as a blinking ! point.
Step 5 Click the blinking ! to see the message and links for remediation.
Additional Lua Functions
When working with dynamic access policies for clientless SSL VPN, you might need additional
flexibility of match criteria. For example, you might want to apply a different DAP based on the
following: