12-19-2017 01:08 PM - edited 03-12-2019 04:51 AM
This script is from a Cisco doc and is supposed to check for any AV and FW in the hostscan table and, if parameters are met, then access passes. However, it only seems to be checking for FW. With FW and AV on, access works. With FW off and AV on, access is denied, but with FW on and AV off, access is permitted. I don't know Lua and am trying to learn it, but I cannot find the error in the script. Any suggestions? I've tried removing the last parentheses and with and without a space, but no luck.
(assert(function()
    -- True if any AV entry has activescan "ok" and lastupdate below 2592000 (30 days in seconds)
    function checkav(antix)
        if (type(antix) == "table") then
            for k,v in pairs(antix) do
                if (EVAL(v.activescan, "EQ", "ok", "string") and EVAL (v.lastupdate, "LT", "2592000", "integer")) then
                    return true
                end
            end
        end
        return false
    end
    -- True if any FW entry has enabled "ok"
    function checkfw(antix)
        if (type(antix) == "table") then
            for k,v in pairs(antix) do
                if (EVAL(v.enabled, "EQ", "ok", "string")) then
                    return true
                end
            end
        end
        return false
    end
    -- Both checks must pass for the expression to evaluate to true
    return (checkav(endpoint.av) and checkfw(endpoint.fw))
end) () )
It came from here: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115947-dap-adv-functions-00.html#anc7
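An added example, not part of the original post or of Cisco's document: a standalone Lua harness that runs the posted checkav/checkfw logic against constructed endpoint tables for each test combination, so its results can be compared with the attribute values shown in the DAP debug output. The EVAL function here is a simplified stand-in, and the product keys and the "failed" values are assumptions.

```lua
-- Simplified stand-in for the ASA's EVAL (assumption); only the operators the script uses
local function EVAL(attr, op, value, kind)
  if attr == nil then return false end
  local a, b = tostring(attr), tostring(value)
  if kind == "integer" then a, b = tonumber(attr), tonumber(value) end
  if a == nil or b == nil then return false end
  if op == "EQ" then return a == b end
  if op == "LT" then return a < b end
  return false
end

-- The logic from the post, taking the endpoint table as a parameter
local function posture_ok(endpoint)
  local function checkav(antix)
    if type(antix) == "table" then
      for _, v in pairs(antix) do
        if EVAL(v.activescan, "EQ", "ok", "string") and
           EVAL(v.lastupdate, "LT", "2592000", "integer") then
          return true
        end
      end
    end
    return false
  end
  local function checkfw(antix)
    if type(antix) == "table" then
      for _, v in pairs(antix) do
        if EVAL(v.enabled, "EQ", "ok", "string") then
          return true
        end
      end
    end
    return false
  end
  return checkav(endpoint.av) and checkfw(endpoint.fw)
end

-- Constructed sample tables; keys and non-"ok" values are placeholders
local cases = {
  {"FW on, AV on",       {av = {p1 = {activescan = "ok", lastupdate = "3600"}}, fw = {p1 = {enabled = "ok"}}}},
  {"FW off, AV on",      {av = {p1 = {activescan = "ok", lastupdate = "3600"}}, fw = {p1 = {enabled = "failed"}}}},
  {"FW on, AV off",      {av = {p1 = {activescan = "failed", lastupdate = "3600"}}, fw = {p1 = {enabled = "ok"}}}},
  {"FW on, AV stale",    {av = {p1 = {activescan = "ok", lastupdate = "3000000"}}, fw = {p1 = {enabled = "ok"}}}},
  {"FW on, no AV table", {fw = {p1 = {enabled = "ok"}}}},
}
for _, c in ipairs(cases) do
  print(string.format("%-20s -> %s", c[1], tostring(posture_ok(c[2]))))
end
```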
12-20-2017 05:52 AM
Hello @JESSICA Walsh,
Can you perform the same test you already did, but collect the debugs for DAP so we can look further into what could be the issue on your connection?
We can do the debugs once you perform a change, with FW and AV on, with FW off and AV on and with FW on and AV off:
debug menu dap 2
debug dap trace
Share the outputs and I will further,
HTH
Gio
12-20-2017 08:09 AM - edited 01-02-2018 04:57 AM
DAP record [ RECORD-NAME ]:
((EVAL(aaa.cisco.grouppolicy,"EQ","XXX","string") and EVAL(aaa.radius["25"],"EQ","XXX","string") and EVAL(aaa.cisco.tunnelgroup,"EQ","XXX","string"))) and ((assert(function()
function checkav(antix)
if (type(antix) == "table") then
for k,v in pairs(antix) do
if (EVAL(v.activescan, "EQ", "ok", "string") and EVAL (v.lastupdate, "LT", "2592000", "integer")) then
return true
end
end
end
return false
end
function checkfw(antix)
if (type(antix) == "table") then
for k,v in pairs(antix) do
if (EVAL(v.enabled, "EQ", "ok", "string")) then
return true
end
end
end
return false
end
return (checkav(endpoint.av) and checkfw(endpoint.fw))
end) () ))
12-20-2017 08:36 AM - edited 01-02-2018 05:00 AM
I have taken out my user name and some other info that I cannot post. This was a successful access with FW and AV turned on.
12-20-2017 08:48 AM - edited 01-02-2018 05:00 AM
FW is on, AV is disabled and it sees it as disabled, but picks the right DAP anyway.
12-20-2017 11:44 AM
Hello @JESSICA Walsh,
By any chance, do you have the output for "debug menu dap 2"? I want to see what is configured on the ASA when you try the connection.
Gio