Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Guide to Creating DAP Logical Expressions using LUA
Step 1 Copy and paste the following Lua expression into the Advanced field of the Add/Edit Dynamic Access
Policy pane (click the double arrow on the far right to expand the field).
(CheckAndMsg(EVAL(endpoint.av["NortonAV"].exists, "EQ", "false"),"Your Norton AV was found
but the active component of it was not enabled", nil) or
CheckAndMsg(EVAL(endpoint.av["NortonAV"].exists, "NE", "true"),"Norton AV was not found on
your computer", nil) )
Step 2 In that same Advanced field, click the OR button.
Step 3 In the Access Attributes section below, in the leftmost tab, Action, click Terminate.
Step 4 Connect from a PC that does not have Norton Antivirus installed, or has it disabled.
The expected result is that the connection is not allowed and the message appears as a blinking exclamation point (!).
Step 5 Click the blinking ! to see the message.

Checking for Antivirus Programs and Definitions Older than 1 1/2 Days

This example checks for the presence of the Norton and McAfee antivirus programs, and whether their
virus definitions are older than 1 1/2 days (129,600 seconds; the lastupdate attribute holds the age of the
definitions in seconds). If either program is present and its definitions are older than 1 1/2 days, the ASA
terminates the session with a message and a link for remediation. To accomplish this task, perform the
following steps.
Step 1 Copy and paste the following Lua expression into the Advanced field of the Add/Edit Dynamic Access
Policy pane (click the double arrow on the far right to expand the field):
((EVAL(endpoint.av["NortonAV"].exists,"EQ","true","string") and
CheckAndMsg(EVAL(endpoint.av["NortonAV"].lastupdate,"GT","129600","integer"),"To
remediate <a href='http://www.symantec.com'>Click this link</a>",nil)) or
(EVAL(endpoint.av["McAfeeAV"].exists,"EQ","true","string") and
CheckAndMsg(EVAL(endpoint.av["McAfeeAV"].lastupdate,"GT","129600","integer"),"To
remediate <a href='http://www.mcafee.com'>Click this link</a>",nil)))
Step 2 In that same Advanced field, click AND.
Step 3 In the Access Attributes section below, in the leftmost tab, Action, click Terminate.
Step 4 Connect from a PC that has the Norton or McAfee antivirus program installed with virus definitions
older than 1 1/2 days.
The expected result is that the connection is not allowed and the message appears as a blinking exclamation point (!).
Step 5 Click the blinking ! to see the message and the link for remediation.
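The two procedures above can only be exercised against a live ASA. The following Lua script is an added example, not part of the Cisco guide, for checking which branch of a DAP expression fires and which message it records before pasting it into ASDM. On the ASA, EVAL, CheckAndMsg and the endpoint table are provided at session time; the versions here are assumed approximations of their documented behaviour (EVAL compares after coercing to "string" or "integer", CheckAndMsg records the applicable message and passes its condition through), and the endpoint records are constructed data with an assumed shape (exists as the string "true"/"false", lastupdate as seconds since the definitions were updated). The 1 1/2-day threshold is written as 129,600 seconds.

```lua
-- Added example, not from the Cisco guide: an offline harness for exercising DAP Lua
-- expressions before pasting them into ASDM. On the ASA, EVAL, CheckAndMsg and the
-- `endpoint` table are supplied at session time; the stand-ins below are ASSUMED
-- approximations of their documented behaviour, written only so the expressions run
-- locally. Run with: lua dap_harness.lua

local messages = {}   -- messages CheckAndMsg would surface behind the blinking "!"

-- Assumed stand-in for EVAL(value, operator, value, type): compares after coercing
-- both sides to the requested type ("string" by default, or "integer").
local function EVAL(lhs, op, rhs, kind)
  kind = kind or "string"
  if lhs == nil then return false end       -- an absent attribute never matches
  if kind == "integer" then
    lhs, rhs = tonumber(lhs), tonumber(rhs)
    if lhs == nil or rhs == nil then return false end
  else
    lhs, rhs = tostring(lhs), tostring(rhs)
  end
  if op == "EQ" then return lhs == rhs end
  if op == "NE" then return lhs ~= rhs end
  if op == "GT" then return lhs > rhs end
  if op == "LT" then return lhs < rhs end
  error("unsupported operator: " .. tostring(op))
end

-- Assumed stand-in for CheckAndMsg(condition, msg_if_true, msg_if_false): records
-- whichever message applies (nil means none) and passes the condition through, so
-- it can sit inside and/or chains exactly as in the guide's expressions.
local function CheckAndMsg(cond, msg_if_true, msg_if_false)
  local msg
  if cond then msg = msg_if_true else msg = msg_if_false end
  if msg ~= nil then messages[#messages + 1] = msg end
  return cond
end

-- Constructed endpoint data shaped like endpoint.av["label"] (assumed: exists is the
-- string "true"/"false", lastupdate is seconds since the definitions were updated).
-- A label the posture scan did not report is treated as exists = "false".
local function make_endpoint(av)
  setmetatable(av, { __index = function() return { exists = "false" } end })
  return { av = av }
end

-- Expression 1: the Norton presence check from the first procedure (straight quotes).
local function norton_present_check(endpoint)
  return (CheckAndMsg(EVAL(endpoint.av["NortonAV"].exists, "EQ", "false"),
            "Your Norton AV was found but the active component of it was not enabled", nil) or
          CheckAndMsg(EVAL(endpoint.av["NortonAV"].exists, "NE", "true"),
            "Norton AV was not found on your computer", nil))
end

-- Expression 2: the stale-definitions check. 1 1/2 days is 36 h = 129,600 seconds.
local STALE_AFTER = tostring(36 * 3600)

local function stale_definitions_check(endpoint)
  return ((EVAL(endpoint.av["NortonAV"].exists, "EQ", "true", "string") and
           CheckAndMsg(EVAL(endpoint.av["NortonAV"].lastupdate, "GT", STALE_AFTER, "integer"),
             "To remediate <a href='http://www.symantec.com'>Click this link</a>", nil)) or
          (EVAL(endpoint.av["McAfeeAV"].exists, "EQ", "true", "string") and
           CheckAndMsg(EVAL(endpoint.av["McAfeeAV"].lastupdate, "GT", STALE_AFTER, "integer"),
             "To remediate <a href='http://www.mcafee.com'>Click this link</a>", nil)))
end

-- Evaluate one expression against one constructed endpoint and show what the user
-- would see: a true result means the DAP's Terminate action fires.
local function run(label, check, endpoint)
  messages = {}
  local terminate = check(endpoint)
  print(string.format("%-32s terminate=%s", label, tostring(terminate)))
  for _, m in ipairs(messages) do print("    ! " .. m) end
end

run("no AV reported", norton_present_check, make_endpoint({}))
run("Norton installed", norton_present_check,
    make_endpoint({ NortonAV = { exists = "true", lastupdate = "3600" } }))
run("McAfee, 2-day-old definitions", stale_definitions_check,
    make_endpoint({ McAfeeAV = { exists = "true", lastupdate = tostring(2 * 86400) } }))
run("Norton, 2-hour-old definitions", stale_definitions_check,
    make_endpoint({ NortonAV = { exists = "true", lastupdate = "7200" } }))
```

One thing the harness makes visible: under its assumption that an unreported product has exists = "false", the first expression's "EQ false" branch fires for a PC with no Norton at all, so the "found but not enabled" message is recorded and the or short-circuits before the "not found" branch is reached. If the two situations are to produce different messages, the two conditions must test an attribute that actually differs between them. Because CheckAndMsg returns its condition, it composes with and/or exactly as the expressions on this page do, so any new DAP expression can be dropped into a check function here and run against a handful of constructed endpoints first.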
Additional Lua Functions
When working with dynamic access policies for clientless SSL VPN, you might need additional
flexibility of match criteria. For example, you might want to apply a different DAP based on the
following: