Forum Discussion
Report on AV check, BIG-IP APM
Guys,
I know how to do an AV check in the APM policy before login, and if the client doesn't have a running AV it will just deny it. But what I want to achieve is to do the AV check and still allow access if the machine doesn't have AV, just to gather information about the clients without AV.
Can this be achieved? Now that the client AV information is in there, how do I generate a report that tells me the clients and users without AV accessing the portal?
I have got BIG-IP APM version 11.2.
7 Replies
- Seth_Cooper
Employee
Hi,
You can add a new "Logging" action on the fallback leg of the AV check. After you add the action, click "add new entry" and from the drop-down select "Antivirus Check", which will populate "session.check_av.last.*". This will log the values into the syslog and the Reports section. You will also have to change the ending to "Allow" for that branch.
You will then have to parse the logs to get a client name and AV information. Let me know if this helps or if you have any questions.
Seth Cooper
- Ram_Khakurel_75
Nimbostratus
Hi Seth,
Thanks for that. I have done that in the access policy. Now how do I create a custom report that tells me the client with AV information?
I created a custom report that included session variable name and value, but that includes everything under session.av.check.*
I want a report that tells me user, client IP and version and type of AV present.
- Seth_Cooper
Employee
Can you send me the output of all the session variables of a machine that you want to report on? I think you will just need to tweak the constraints. I will try to replicate it for you, but if you can send the variables you are getting and the output you want to report on, then it might go faster.
Seth
- Ram_Khakurel_75
Nimbostratus
Hi Seth,
I have attached the VPE screenshot I have. It doesn't let me upload the spreadsheet here, so below is what I get in the session report.
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.count 1 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.count' set to '1' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.error 0 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.error' set to '0' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_signature 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_signature' set to '' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_time 1.35E+09 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_time' set to '1352898000' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_version 6897 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_version' set to '6897' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.features 3 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.features' set to '3' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.id McAfeeAV 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.id' set to 'McAfeeAV' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.name McAfee VirusScan Enterprise 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.name' set to 'McAfee VirusScan Enterprise' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.state 1 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.state' set to '1' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.ui 0 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.ui' set to '0' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.vendor McAfee, Inc. 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.vendor' set to 'McAfee, Inc.' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.version 5400.116 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.version' set to '5400.1158' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.result 1 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.result' set to '1' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.sdk 3.5.1285.2 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.sdk' set to '3.5.1285.2' Common
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.state 1 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.state' set to '1' Common
19365 1.35E+09 session.check_av.last.count 1 1.35E+09 Session variable 'session.check_av.last.count' set to '1' Common
19365 1.35E+09 session.check_av.last.error 0 1.35E+09 Session variable 'session.check_av.last.error' set to '0' Common
19365 1.35E+09 session.check_av.last.item_1.db_signature 1.35E+09 Session variable 'session.check_av.last.item_1.db_signature' set to '' Common
19365 1.35E+09 session.check_av.last.item_1.db_time 1.35E+09 1.35E+09 Session variable 'session.check_av.last.item_1.db_time' set to '1352898000' Common
19365 1.35E+09 session.check_av.last.item_1.db_version 6897 1.35E+09 Session variable 'session.check_av.last.item_1.db_version' set to '6897' Common
19365 1.35E+09 session.check_av.last.item_1.features 3 1.35E+09 Session variable 'session.check_av.last.item_1.features' set to '3' Common
19365 1.35E+09 session.check_av.last.item_1.id McAfeeAV 1.35E+09 Session variable 'session.check_av.last.item_1.id' set to 'McAfeeAV' Common
19365 1.35E+09 session.check_av.last.item_1.name McAfee VirusScan Enterprise 1.35E+09 Session variable 'session.check_av.last.item_1.name' set to 'McAfee VirusScan Enterprise' Common
19365 1.35E+09 session.check_av.last.item_1.state 1 1.35E+09 Session variable 'session.check_av.last.item_1.state' set to '1' Common
19365 1.35E+09 session.check_av.last.item_1.ui 0 1.35E+09 Session variable 'session.check_av.last.item_1.ui' set to '0' Common
19365 1.35E+09 session.check_av.last.item_1.vendor McAfee, Inc. 1.35E+09 Session variable 'session.check_av.last.item_1.vendor' set to 'McAfee, Inc.' Common
19365 1.35E+09 session.check_av.last.item_1.version 5400.116 1.35E+09 Session variable 'session.check_av.last.item_1.version' set to '5400.1158' Common
19365 1.35E+09 session.check_av.last.result 1 1.35E+09 Session variable 'session.check_av.last.result' set to '1' Common
19365 1.35E+09 session.check_av.last.sdk 3.5.1285.2 1.35E+09 Session variable 'session.check_av.last.sdk' set to '3.5.1285.2' Common
19365 1.35E+09 session.check_av.last.state 1 1.35E+09 Session variable 'session.check_av.last.state' set to '1' Common
19369 1.35E+09 \N 1.35E+09 \N: Logging Agent Common
19369 1.35E+09 session.check_av.last.count 1 1.35E+09 session.check_av.last.count is 1 Common
19369 1.35E+09 session.check_av.last.error 0 1.35E+09 session.check_av.last.error is 0 Common
19369 1.35E+09 session.check_av.last.item_1.db_signature 1.35E+09 session.check_av.last.item_1.db_signature is Common
19369 1.35E+09 session.check_av.last.item_1.db_time 1.35E+09 1.35E+09 session.check_av.last.item_1.db_time is 1352898000 Common
19369 1.35E+09 session.check_av.last.item_1.db_version 6897 1.35E+09 session.check_av.last.item_1.db_version is 6897 Common
19369 1.35E+09 session.check_av.last.item_1.features 3 1.35E+09 session.check_av.last.item_1.features is 3 Common
19369 1.35E+09 session.check_av.last.item_1.id McAfeeAV 1.35E+09 session.check_av.last.item_1.id is McAfeeAV Common
19369 1.35E+09 session.check_av.last.item_1.name McAfee VirusScan Enterprise 1.35E+09 session.check_av.last.item_1.name is McAfee VirusScan Enterprise Common
19369 1.35E+09 session.check_av.last.item_1.state 1 1.35E+09 session.check_av.last.item_1.state is 1 Common
19369 1.35E+09 session.check_av.last.item_1.ui 0 1.35E+09 session.check_av.last.item_1.ui is 0 Common
19369 1.35E+09 session.check_av.last.item_1.vendor McAfee, Inc. 1.35E+09 session.check_av.last.item_1.vendor is McAfee, Inc. Common
19369 1.35E+09 session.check_av.last.item_1.version 5400.116 1.35E+09 session.check_av.last.item_1.version is 5400.1158 Common
19369 1.35E+09 session.check_av.last.result 1 1.35E+09 session.check_av.last.result is 1 Common
19369 1.35E+09 session.check_av.last.sdk 3.5.1285.2 1.35E+09 session.check_av.last.sdk is 3.5.1285.2 Common
19369 1.35E+09 session.check_av.last.state 1 1.35E+09 session.check_av.last.state is 1 Common
19369 1.35E+09 /Common/fireplace_test_act_logging_1_ag 0 1.35E+09 Executed agent '/Common/fireplace_test_act_logging_1_ag', return value 0 Common
19369 1.35E+09 fallback Logging(1) Logon Page 1.35E+09 Following rule 'fallback' from item 'Logging(1)' to item 'Logon Page' Common
19369 1.35E+09 Logon executeInstance 1.35E+09 Logon agent: ENTER Function executeInstance Common
19369 1.35E+09 Logon executeInstance 1.35E+09 Logon agent: LEAVE Function executeInstance Common
- Seth_Cooper
Employee
Hi,
I'm not sure how to do it through the GUI, but on the command line you can log in, go to /var/log and then run the following:
[root@edge-gateway-box:Active:Standalone] log egrep "session.user.clientip|session.logon.last.username|session.check_av.last.item_1.name|session.check_av.last.item_1.version" apm | awk -F" " '{print $8, $11, $14}'
db5c7e14: 'session.check_av.last.item_1.name' 'Symantec
db5c7e14: 'session.check_av.last.item_1.version' '20121.2.1.2'
db5c7e14: 24.144.40.133
db5c7e14: 'session.logon.last.username' 'scoope'
[root@cwyegw01:Active:Standalone] log
You can then load this into a database or spreadsheet (depending on how many records you have) and do your analysis on it. The first value is the session ID, the second value is the variable and the third value is the value of the variable (except for the IP address line; awk didn't work as well there, but you know what you have with that one. If you want to use it you can grep it out separately and format it for what you want).
I'm not sure exactly what you are looking for, but please let me know if this will help. You could write a Perl script to collect the data and then print it in a better format. I would also suggest sending the logs to a syslog server, where the data will be able to sit longer than on the VPN device.
Also, FYI, on your current policy, do you want to allow them to connect either way? Currently they are allowed access with no auth or resources assigned in the policy. If you don't want them to connect you can change the ending to Deny.
Please let me know if this helps.
Seth
- Ram_Khakurel_75
Nimbostratus
Hi Seth,
Thanks for the reply.
I thought the custom report could take care of this, but APM is very poor in this part.
I don't want to do command line or scripts either.
All I wanted is a report that will give me client IP and AV yes/no.
The AV check fail is also allowed at the moment, but I will gather this AV yes/no information and put it to the management so that AV check fail can be denied.
Cheers
Ram
- Seth_Cooper
Employee
Ram,
I haven't used the custom reports that much, since I prefer to do the analytics on my syslog server. You might open a support case asking for help with the custom report; if they don't support what you want, then maybe you can request an RFE.
Seth
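The log parsing Seth describes above (egrep/awk over /var/log/apm, then "a script to collect the data and print it in a better format"), turned into the client IP / user / AV yes-or-no report Ram asks for, as an added example that is not part of this thread and not an F5 tool. It correlates the "Session variable 'X' set to 'Y'" lines by session ID (the first column of the awk output) so that interleaved sessions do not get mixed up, and it takes values from between the quotes instead of splitting on whitespace, so a multi-word product name is not cut off at the first space the way 'Symantec is in the awk output above. The sample log lines are constructed: the syslog prefix and the 01490000 message code are placeholders, and only the "SID: Session variable 'X' set to 'Y'" part follows the message form shown in the posted session report. Treating a check_av count above 0 as "AV found" follows that report, where count is 1 and the product appears as item_1.

```python
#!/usr/bin/env python3
"""Per-session AV yes/no report from BIG-IP APM log lines.

Added example (not F5 code): correlates "Session variable 'X' set to 'Y'"
lines from /var/log/apm by session ID and produces one row per session with
user, client IP and the AV product the endpoint check found, if any.
"""
import re
from collections import defaultdict

# Matches the message form shown in the session report above. Everything
# before the 8-hex-digit session ID (syslog timestamp, host, apd[pid],
# message code) is skipped, so the exact prefix does not matter. Values are
# taken between the quotes, so spaces inside them survive (unlike awk $14).
SESSVAR_RE = re.compile(
    r"\b(?P<sid>[0-9a-f]{8}): Session variable "
    r"'(?P<name>[^']+)' set to '(?P<value>[^']*)'"
)

# Variables the report needs: the ones the egrep above selects, plus the
# check_av count so "no AV found" is distinguishable from "no data".
WANTED = {
    "session.logon.last.username": "user",
    "session.user.clientip": "client_ip",
    "session.check_av.last.count": "av_count",
    "session.check_av.last.item_1.name": "av_name",
    "session.check_av.last.item_1.version": "av_version",
}


def parse_sessions(lines):
    """Return {session_id: {field: value}} from an iterable of log lines."""
    sessions = defaultdict(dict)
    for line in lines:
        m = SESSVAR_RE.search(line)
        if m and m.group("name") in WANTED:
            # A later "set to" for the same variable overwrites the earlier
            # one, so each field ends up holding the session's final value.
            sessions[m.group("sid")][WANTED[m.group("name")]] = m.group("value")
    return dict(sessions)


def av_report(sessions):
    """One row per session: user, client IP, AV yes/no/unknown, product."""
    rows = []
    for sid in sorted(sessions):
        s = sessions[sid]
        if "av_count" not in s:
            av = "unknown"  # the AV check never ran (or never logged) here
        elif int(s["av_count"]) > 0:
            av = "yes"      # count = number of products found (item_1..item_N)
        else:
            av = "no"
        rows.append({
            "session": sid,
            "user": s.get("user", "-"),  # "-": session that never logged on
            "client_ip": s.get("client_ip", "-"),
            "av": av,
            "av_name": s.get("av_name", "-"),
            "av_version": s.get("av_version", "-"),
        })
    return rows


def format_report(rows):
    """Tab-separated text, ready for a spreadsheet or database import."""
    cols = ["session", "user", "client_ip", "av", "av_name", "av_version"]
    return "\n".join(["\t".join(cols)] +
                     ["\t".join(r[c] for c in cols) for r in rows])


# Constructed sample (placeholder syslog prefix and message code): three
# sessions whose lines interleave, as they do in a real apm log. a1b2c3d4
# mirrors the McAfee result in the report above; e5f60718 has no AV;
# c0ffee12 has no AV and never reached the logon page.
SAMPLE_LOG = """\
Nov 14 09:12:01 apm1 notice apd[2110]: 01490000:5: a1b2c3d4: Session variable 'session.user.clientip' set to '192.0.2.10'
Nov 14 09:12:01 apm1 notice apd[2110]: 01490000:5: e5f60718: Session variable 'session.user.clientip' set to '198.51.100.7'
Nov 14 09:12:02 apm1 notice apd[2110]: 01490000:5: a1b2c3d4: Session variable 'session.check_av.last.count' set to '1'
Nov 14 09:12:02 apm1 notice apd[2110]: 01490000:5: a1b2c3d4: Session variable 'session.check_av.last.item_1.name' set to 'McAfee VirusScan Enterprise'
Nov 14 09:12:02 apm1 notice apd[2110]: 01490000:5: a1b2c3d4: Session variable 'session.check_av.last.item_1.version' set to '5400.1158'
Nov 14 09:12:02 apm1 notice apd[2110]: 01490000:5: a1b2c3d4: Session variable 'session.check_av.last.result' set to '1'
Nov 14 09:12:03 apm1 notice apd[2110]: 01490000:5: e5f60718: Session variable 'session.check_av.last.count' set to '0'
Nov 14 09:12:03 apm1 notice apd[2110]: 01490000:5: e5f60718: Session variable 'session.check_av.last.result' set to '0'
Nov 14 09:12:04 apm1 notice apd[2110]: 01490000:5: c0ffee12: Session variable 'session.user.clientip' set to '203.0.113.9'
Nov 14 09:12:04 apm1 notice apd[2110]: 01490000:5: c0ffee12: Session variable 'session.check_av.last.count' set to '0'
Nov 14 09:12:08 apm1 notice apd[2110]: 01490000:5: a1b2c3d4: Session variable 'session.logon.last.username' set to 'rkhakurel'
Nov 14 09:12:09 apm1 notice apd[2110]: 01490000:5: e5f60718: Session variable 'session.logon.last.username' set to 'guest01'
"""

if __name__ == "__main__":
    # On a real box: python3 av_report.py < /var/log/apm
    import sys
    src = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    print(format_report(av_report(parse_sessions(src))))
```

The "unknown" row matters when the policy has been changed to Allow on the fallback branch, as in this thread: a session with no check_av variables at all is one where the AV check was never reached or never logged, which is a different finding from "AV not present", and a row with "-" for the user is a session that got through without a logon at all, the situation Seth flags above.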