Cisco ASDM User Guide
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
You can build the expression in this example because the debug dap trace returns:
endpoint.os.windows.hotfix["KB923414"] = "true";
Checking for Antivirus Programs
You can configure messages so that the end user is aware of and able to fix problems with missing or not
running AVs. As a result, if access is denied, the security appliance collects all messages for the DAP
that caused the "terminate" condition and displays them in the browser on the logon page. If access is
allowed, the security appliance displays all messages generated in the process of DAP evaluation on the
portal page.
The following instructions show how to use this feature to check on the Norton Antivirus program.
Step 1 Copy and paste the following Lua expression into the Advanced field of the Add/Edit Dynamic Access
Policy pane (click the double arrow on the far right to expand the field).
(CheckAndMsg(EVAL(endpoint.av.NortonAV.exists, "EQ", "false"),
    "Your Norton AV was found but the active component of it was not enabled", nil) or
 CheckAndMsg(EVAL(endpoint.av.NortonAV.exists, "NE", "true"),
    "Norton AV was not found on your computer", nil))
Step 2 In that same Advanced field, select the OR button.
Step 3 In the Access Attributes section below, set the leftmost tab, Action, to Terminate.
Step 4 Connect from a PC that does not have or has disabled Norton Antivirus.
The expected result is that the connection is not allowed and the message is indicated by a blinking exclamation point (!).
Step 5 Click the blinking exclamation point to see the message.
Checking for Antivirus Programs and Definitions Older than 1 1/2 Days
This example checks for the presence of the Norton and McAfee antivirus programs, and whether the
virus definitions are older than 1 1/2 days (10,000 seconds). If the definitions are older than 1 1/2 days,
the security appliance terminates the session with a message and links for remediation.
Step 1 Copy and paste the following Lua expression into the Advanced field of the Add/Edit Dynamic Access
Policy pane (click the double arrow on the far right to expand the field).
((EVAL(endpoint.av.NortonAV.exists,"EQ","true","string") and
CheckAndMsg(EVAL(endpoint.av.NortonAV.lastupdate,"GT","10000","integer"),"Your Norton AV definitions are older than 1 1/2 days, please remediate <a href='http://www.symantec.com'>Click this link</a>",nil)) or
(EVAL(endpoint.av.McAfeeAV.exists,"EQ","true","string") and
CheckAndMsg(EVAL(endpoint.av.McAfeeAV.lastupdate,"GT","10000","integer"),"Your McAfee AV definitions are older than 1 1/2 days, please remediate <a href='http://www.mcafee.com'>Click this link</a>",nil)))
Step 2 In that same Advanced field, select the AND button.
Step 3 In the Access Attributes section below, set the leftmost tab, Action, to Terminate.
Step 4 Connect from a PC that has the Norton and McAfee antivirus programs installed with virus definitions that are older than
1 1/2 days.
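As an added example (not part of the Cisco guide), the following Lua harness models the DAP helpers EVAL and CheckAndMsg with simplified semantics so an administrator can dry-run an Advanced-field expression, such as the outdated-definitions check above, against constructed endpoint data before loading it on the security appliance. The helper semantics, the endpoint table and the endpoint.av.<vendor>.lastupdate attribute (seconds since the last definition update, not shown on this page) are assumptions.

```lua
-- Added example, not Cisco code: a local stand-in for the DAP Lua helpers.
-- Assumption: EVAL compares an endpoint attribute with a value (optionally
-- as integers) and returns a boolean; CheckAndMsg returns its condition and
-- records the message chosen by that condition.
local messages = {}

local function EVAL(attr, op, value, kind)
  if kind == "integer" then
    attr, value = tonumber(attr), tonumber(value)
    if attr == nil or value == nil then return false end
  end
  -- A missing attribute equals nothing and differs from everything.
  if attr == nil then return op == "NE" end
  if op == "EQ" then return attr == value
  elseif op == "NE" then return attr ~= value
  elseif op == "GT" then return attr > value
  elseif op == "LT" then return attr < value
  end
  error("unsupported operator: " .. tostring(op))
end

local function CheckAndMsg(cond, msg_true, msg_false)
  local msg = cond and msg_true or msg_false
  if msg then messages[#messages + 1] = msg end
  return cond
end

-- Constructed endpoint record (assumption): Norton is present with
-- definitions 12,000 s old, older than the guide's 10,000-second limit;
-- McAfee is absent.
local endpoint = {
  av = {
    NortonAV = { exists = "true", lastupdate = "12000" },
    McAfeeAV = { exists = "false" },
  },
}

-- The guide's outdated-definitions expression; with Action = Terminate a
-- true result ends the session and the recorded messages are shown.
local terminate =
  (EVAL(endpoint.av.NortonAV.exists, "EQ", "true", "string") and
   CheckAndMsg(EVAL(endpoint.av.NortonAV.lastupdate, "GT", "10000", "integer"),
     "Your Norton AV definitions are older than 1 1/2 days, please remediate", nil)) or
  (EVAL(endpoint.av.McAfeeAV.exists, "EQ", "true", "string") and
   CheckAndMsg(EVAL(endpoint.av.McAfeeAV.lastupdate, "GT", "10000", "integer"),
     "Your McAfee AV definitions are older than 1 1/2 days, please remediate", nil))

print("terminate:", terminate)
for _, m in ipairs(messages) do print("message:", m) end
```

Change the constructed lastupdate value to "5000" to confirm the expression then evaluates to false and records no message, which is the behavior a compliant endpoint should see.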