Cisco ASA 5505 Configuration Manual page 1448


Understanding VPN Access Policies
The DAP CheckAndMsg Function
CheckAndMsg is a Lua function that you can configure DAP to call. It generates a user message based
on a condition.
You use ASDM to configure CheckAndMsg through the Advanced field in DAP. The adaptive security
appliance displays the message to the user only when the DAP record containing the Lua
CheckAndMsg function is selected and results in a clientless SSL VPN or AnyConnect termination.
The syntax of the CheckAndMsg function follows:
CheckAndMsg(value, "<message string if value is true>", "<message string if value is false>")
Be aware of the following when creating CheckAndMsg functions:
- CheckAndMsg returns the value passed in as its first argument.
- Use the EVAL function as the first argument if you do not want to use string comparison. For
  example:
  (CheckAndMsg((EVAL(...)) , "true msg", "false msg"))
  CheckAndMsg returns the result of the EVAL function, and the security appliance uses it to
  determine whether to select the DAP record. If the record is selected and results in termination, the
  security appliance displays the appropriate message.

Checking for a Single Antivirus Program
This example checks whether a single antivirus program, in this case McAfee, is installed on the user PC,
and displays a message if it is not.
(CheckAndMsg(EVAL(endpoint.av["McAfeeAV"].exists,"NE","true"),"McAfee AV was not found on your computer", nil))

Checking for Antivirus Definitions Within the Last 10 Days
This example checks antivirus definitions within the last 10 days (864000 sec), in particular the last
update of the McAfee AV dat file, and displays a message to a user lacking the appropriate update that
they need an antivirus update:
((CheckAndMsg(EVAL(endpoint.av["McAfeeAV"].lastupdate,"GT","864000","integer"),"AV Update needed! Please wait for the McAfee AV till it loads the latest dat file.",nil) ))

Checking for a Hotfix on the User PC
This example checks for a specific hotfix. If a user does not have the hotfix on their PC, a message
stating that it is not installed is displayed.
(not CheckAndMsg(EVAL(endpoint.os.windows.hotfix["KB923414"],"EQ","true"),nil,"The required hotfix is not installed on your PC."))
Or you could define it this way (which makes more sense):
(CheckAndMsg(EVAL(endpoint.os.windows.hotfix["KB923414"],"NE","true"),"The required hotfix is not installed on your PC.",nil))
You can build the expression in this example because the debug dap trace returns:

Cisco ASA 5500 Series Configuration Guide using ASDM
65-24
Chapter 65
Configuring Dynamic Access Policies
OL-20339-01
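
The two hotfix expressions above can be compared offline with a small Lua model. This is an added example, not code from the Cisco guide or the appliance: EVAL, CheckAndMsg and the endpoint table are simplified stand-ins with assumed semantics, evaluate is a hypothetical helper, and the endpoint data is constructed.

```lua
-- Simplified offline model of the DAP Lua helpers (assumed semantics for
-- illustration; not Cisco's implementation). Only EQ, NE and GT are modeled.
local pending  -- message chosen by the most recent CheckAndMsg call

local function EVAL(attr, op, value, kind)
  if attr == nil then return op == "NE" end  -- assumption: a missing attribute matches only NE
  local a, b = tostring(attr), tostring(value)
  if kind == "integer" then
    a, b = tonumber(attr), tonumber(value)
    if a == nil or b == nil then return false end
  end
  if op == "EQ" then return a == b end
  if op == "NE" then return a ~= b end
  if op == "GT" then return a > b end
  error("operator not modeled: " .. tostring(op))
end

-- Returns its first argument unchanged and remembers the matching message.
local function CheckAndMsg(value, msg_true, msg_false)
  if value then pending = msg_true else pending = msg_false end
  return value
end

-- The message is reported only when the expression selects the record.
local function evaluate(expr, endpoint)
  pending = nil
  local selected = expr(endpoint) and true or false
  return selected, selected and pending or nil
end

local MSG = "The required hotfix is not installed on your PC."
local forms = {
  { "not/EQ", function(endpoint)
      return (not CheckAndMsg(EVAL(endpoint.os.windows.hotfix["KB923414"], "EQ", "true"), nil, MSG))
    end },
  { "NE", function(endpoint)
      return (CheckAndMsg(EVAL(endpoint.os.windows.hotfix["KB923414"], "NE", "true"), MSG, nil))
    end },
}

-- Constructed sample endpoints (not captured from a device).
local cases = {
  { "patched",   { os = { windows = { hotfix = { KB923414 = "true" } } } } },
  { "unpatched", { os = { windows = { hotfix = {} } } } },
}
for _, c in ipairs(cases) do
  for _, f in ipairs(forms) do
    print(c[1], f[1], evaluate(f[2], c[2]))
  end
end
```

In this model both forms select the record and carry the message for the unpatched endpoint, and neither selects it for the patched one; the first form reaches that result through the false-branch message and the outer not.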


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
