https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337574#M969933 <HTML><HEAD></HEAD><BODY><P>Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (&lt; 7 days), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with IPSec client, we have to use endpoint assesment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.</P><P></P><P>Thanks</P><P></P><P>Brian</P></BODY></HTML> Mon, 02 Nov 2009 17:18:18 GMT brian.kennedy 2009-11-02T17:18:18Z https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337572#M969931 <P>I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannont connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.</P> Fri, 21 Feb 2020 11:46:09 GMT https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337572#M969931 brian.kennedy 2020-02-21T11:46:09Z https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337573#M969932 <HTML><HEAD></HEAD><BODY><P>You can add a policy for your IPSec users which will match on the "application" endpoint attribute type. You will then set the "client type" to "IPSec" and the default action to continue.</P></BODY></HTML> Mon, 02 Nov 2009 16:09:06 GMT https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337573#M969932 Todd Pula 2009-11-02T16:09:06Z https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337574#M969933 <HTML><HEAD></HEAD><BODY><P>Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (&lt; 7 days), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with IPSec client, we have to use endpoint assesment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.</P><P></P><P>Thanks</P><P></P><P>Brian</P></BODY></HTML> Mon, 02 Nov 2009 17:18:18 GMT https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337574#M969933 brian.kennedy 2009-11-02T17:18:18Z https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337575#M969935 <HTML><HEAD></HEAD><BODY><P>Brian, </P><P></P><P>You can't do hostscan with IPSEC, which is required for checking whether av/as/fw is installed. You have to use anyconnect.</P><P></P><P>--Jason</P></BODY></HTML> Mon, 02 Nov 2009 17:23:20 GMT https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337575#M969935 Jason Gervia 2009-11-02T17:23:20Z https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337576#M969937 <HTML><HEAD></HEAD><BODY><P>Hmm, no posturing for av/as/fw at all with IPSec, or just through the DAP? W/ pre-login policies you can check for file/registry/os, etc.</P></BODY></HTML> Mon, 02 Nov 2009 17:32:58 GMT https://community.cisco.com/t5/network-security/dap-rule-for-ipsec-clients/m-p/1337576#M969937 brian.kennedy 2009-11-02T17:32:58Z