36-18
Cisco ASDM User Guide
OL-16647-01
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
You use ASDM to configure CheckAndMsg through the Advanced field in DAP. The security appliance
displays the message to the user only when the DAP record containing the LUA CheckAndMsg function
is selected and results in a clientless SSL VPN or AnyConnect termination.
The syntax of the CheckAndMsg function follows:
CheckAndMsg(value, "<message string if value is true>", "<message string if value is false>")
Be aware of the following when creating CheckAndMsg functions:
CheckAndMsg returns the value passed in as its first argument.
Use the EVAL function as the first argument if you do not want to use string comparison. For
example,
(CheckAndMsg((EVAL(...)) , "true msg", "false msg"))
CheckAndMsg returns the result of the EVAL function, and the security appliance uses it to
determine whether to select the DAP record. If the record is selected and results in termination, the
security appliance displays the appropriate message.
Checking for a Single Antivirus Program
This example checks if a single antivirus program, in this case McAfee, is installed on the user PC, and
displays a message if it is not.
(CheckAndMsg(EVAL(endpoint.av.McAfeeAV.exists,"NE","true"),"McAfee AV was not found on your computer", nil))
Checking for Antivirus Definitions Within the Last 10 Days
This example checks whether antivirus definitions have been updated within the last 10 days (864000 sec),
specifically the last update of the McAfee AV dat file, and displays a message telling a user who lacks
the appropriate update that an antivirus update is needed:
((CheckAndMsg(EVAL(endpoint.av.McAfeeAV.lastupdate,"GT","864000","integer"),"AV Update needed! Please wait for the McAfee AV till it loads the latest dat file.",nil) ))
Checking for a Hotfix on the User PC
This example checks for a specific hotfix. If a user does not have the hotfix on their PC, a message
states that it is not installed.
(not CheckAndMsg(EVAL(endpoint.os.windows.hotfix["KB923414"],"EQ","true"),nil,"The required hotfix is not installed on your PC."))
or you could define it this way (which makes more sense):
(CheckAndMsg(EVAL(endpoint.os.windows.hotfix["KB923414"],"NE","true"),"The required hotfix is not installed on your PC.",nil))
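The two hotfix forms above can be compared offline with a small Lua model. This is an added example, not Cisco's code or the appliance's implementation: the EVAL and CheckAndMsg bodies, the mock endpoint tables, and the helper names form_not, form_ne and evaluate are simplified assumptions for illustration.

```lua
-- Offline model of CheckAndMsg/EVAL semantics as described above (not appliance code).
-- Assumptions: a missing attribute (nil) compares as "", and the record's action is Terminate.
local messages = {}  -- messages queued by CheckAndMsg during one evaluation

local function EVAL(attr, op, value, typ)
  local a, b = (attr == nil) and "" or tostring(attr), tostring(value)
  if typ == "integer" then a, b = tonumber(a) or 0, tonumber(b) or 0 end
  if op == "EQ" then return a == b end
  if op == "NE" then return a ~= b end
  if op == "GT" then return a > b end
  error("operator not modelled: " .. tostring(op))
end

local function CheckAndMsg(value, msg_if_true, msg_if_false)
  local msg
  if value then msg = msg_if_true else msg = msg_if_false end
  if msg ~= nil then messages[#messages + 1] = msg end
  return value  -- the first argument is returned unchanged
end

-- The two hotfix expressions from the page, wrapped as functions of a mock endpoint table.
local function form_not(endpoint)
  return (not CheckAndMsg(EVAL(endpoint.os.windows.hotfix["KB923414"],"EQ","true"),nil,
    "The required hotfix is not installed on your PC."))
end
local function form_ne(endpoint)
  return (CheckAndMsg(EVAL(endpoint.os.windows.hotfix["KB923414"],"NE","true"),
    "The required hotfix is not installed on your PC.",nil))
end

-- Returns whether the record is selected and the message shown (only if selected).
local function evaluate(rule, endpoint)
  messages = {}
  local selected = rule(endpoint)
  local shown = nil
  if selected then shown = messages[1] end
  return selected, shown
end

-- Constructed sample endpoints.
local samples = {
  { name = "patched",   ep = { os = { windows = { hotfix = { KB923414 = "true" } } } } },
  { name = "unpatched", ep = { os = { windows = { hotfix = {} } } } },
}
for _, s in ipairs(samples) do
  local sel1, msg1 = evaluate(form_not, s.ep)
  local sel2, msg2 = evaluate(form_ne, s.ep)
  assert(sel1 == sel2 and msg1 == msg2, "the two forms must agree")
  print(s.name, "selected=" .. tostring(sel1), "message=" .. tostring(msg1))
end
```

Both forms select the record and queue the same message only for the unpatched endpoint; the NE form does so without the outer negation, which makes the selection logic easier to audit.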