Report on av check big ip apm

Question

Guys,&nbsp;
I know how to do av check in the Apm policy before login and if the client doesn't have running av it will just deny it.but what I want to achieve is do the av check and still allow the access if the machine doesn't have av just to gather the information  about the client without av.&nbsp;
 &nbsp;
Can this be achieve?now the client av information in therehow  do I generate a report that tells me client and user without av accessing the portal?&nbsp;
I have got big ip apm version 11.2 &nbsp;

seth_cooper · Answer

Hi, 
&nbsp;  
&nbsp; You can add a new "Logging" action on the fallback leg of the AV check... After you add the action then click "add new entry" and from the drop down select... "Antivirus Check" which will populate "session.check_av.last.*"... this will log the values into the syslog and the reports section.  You will also have to change the ending to "Allow" for that branch. 
&nbsp;  
&nbsp; You will then have to parse the logs to get a client name and av information.  Let me know if this helps or if you have any questions. 
&nbsp;  
&nbsp; Seth Cooper

ram_khakurel_75 · Answer

Hi Seth, 
&nbsp; Thanks for that.i have done that in the access policy. Now how do I create a custom report that tells me the client with av information. 
&nbsp; I created a custom report that included session variable name and value.but that includes everything session.av.check.* 
&nbsp; I want a report that tells me user client ip and version and type of av present.

seth_cooper · Answer

Can you send me the output of all the session variables of a machine that you want to report on?  I think you will just need to tweak the constraints... I will try to replicate for you but if you can send the variables you are getting and the output you want to report on then it might make it go faster. 
&nbsp;  
&nbsp; Seth

ram_khakurel_75 · Answer

Hi seth,&nbsp;
I have attached the vpe screenshot i have.It doesnt let me upload the spreadsheet here.so&nbsp;
Below is what i get in session  report.&nbsp;
 &nbsp;

19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.count 1 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.count' set to '1' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.error 0 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.error' set to '0' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_signature 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_signature' set to '' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_time 1.35E+09 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_time' set to '1352898000' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_version 6897 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.db_version' set to '6897' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.features 3 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.features' set to '3' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.id McAfeeAV 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.id' set to 'McAfeeAV' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.name McAfee VirusScan Enterprise 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.name' set to 'McAfee VirusScan Enterprise' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.state 1 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.state' set to '1' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.ui 0 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.ui' set to '0' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.vendor McAfee, Inc. 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.vendor' set to 'McAfee, Inc.' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.item_1.version 5400.116 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.item_1.version' set to '5400.1158' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.result 1 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.result' set to '1' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.sdk 3.5.1285.2 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.sdk' set to '3.5.1285.2' Common&nbsp;
19365 1.35E+09 session.check_av./Common/fireplace_test_act_av_check_ag.state 1 1.35E+09 Session variable 'session.check_av./Common/fireplace_test_act_av_check_ag.state' set to '1' Common&nbsp;
19365 1.35E+09 session.check_av.last.count 1 1.35E+09 Session variable 'session.check_av.last.count' set to '1' Common&nbsp;
19365 1.35E+09 session.check_av.last.error 0 1.35E+09 Session variable 'session.check_av.last.error' set to '0' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.db_signature 1.35E+09 Session variable 'session.check_av.last.item_1.db_signature' set to '' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.db_time 1.35E+09 1.35E+09 Session variable 'session.check_av.last.item_1.db_time' set to '1352898000' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.db_version 6897 1.35E+09 Session variable 'session.check_av.last.item_1.db_version' set to '6897' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.features 3 1.35E+09 Session variable 'session.check_av.last.item_1.features' set to '3' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.id McAfeeAV 1.35E+09 Session variable 'session.check_av.last.item_1.id' set to 'McAfeeAV' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.name McAfee VirusScan Enterprise 1.35E+09 Session variable 'session.check_av.last.item_1.name' set to 'McAfee VirusScan Enterprise' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.state 1 1.35E+09 Session variable 'session.check_av.last.item_1.state' set to '1' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.ui 0 1.35E+09 Session variable 'session.check_av.last.item_1.ui' set to '0' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.vendor McAfee, Inc. 1.35E+09 Session variable 'session.check_av.last.item_1.vendor' set to 'McAfee, Inc.' Common&nbsp;
19365 1.35E+09 session.check_av.last.item_1.version 5400.116 1.35E+09 Session variable 'session.check_av.last.item_1.version' set to '5400.1158' Common&nbsp;
19365 1.35E+09 session.check_av.last.result 1 1.35E+09 Session variable 'session.check_av.last.result' set to '1' Common&nbsp;
19365 1.35E+09 session.check_av.last.sdk 3.5.1285.2 1.35E+09 Session variable 'session.check_av.last.sdk' set to '3.5.1285.2' Common&nbsp;
19365 1.35E+09 session.check_av.last.state 1 1.35E+09 Session variable 'session.check_av.last.state' set to '1' Common&nbsp;
19369 1.35E+09 \N 1.35E+09 \N: Logging Agent Common&nbsp;
19369 1.35E+09 session.check_av.last.count 1 1.35E+09 session.check_av.last.count is 1 Common&nbsp;
19369 1.35E+09 session.check_av.last.error 0 1.35E+09 session.check_av.last.error is 0 Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.db_signature 1.35E+09 session.check_av.last.item_1.db_signature is Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.db_time 1.35E+09 1.35E+09 session.check_av.last.item_1.db_time is 1352898000 Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.db_version 6897 1.35E+09 session.check_av.last.item_1.db_version is 6897 Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.features 3 1.35E+09 session.check_av.last.item_1.features is 3 Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.id McAfeeAV 1.35E+09 session.check_av.last.item_1.id is McAfeeAV Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.name McAfee VirusScan Enterprise 1.35E+09 session.check_av.last.item_1.name is McAfee VirusScan Enterprise Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.state 1 1.35E+09 session.check_av.last.item_1.state is 1 Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.ui 0 1.35E+09 session.check_av.last.item_1.ui is 0 Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.vendor McAfee, Inc. 1.35E+09 session.check_av.last.item_1.vendor is McAfee, Inc. Common&nbsp;
19369 1.35E+09 session.check_av.last.item_1.version 5400.116 1.35E+09 session.check_av.last.item_1.version is 5400.1158 Common&nbsp;
19369 1.35E+09 session.check_av.last.result 1 1.35E+09 session.check_av.last.result is 1 Common&nbsp;
19369 1.35E+09 session.check_av.last.sdk 3.5.1285.2 1.35E+09 session.check_av.last.sdk is 3.5.1285.2 Common&nbsp;
19369 1.35E+09 session.check_av.last.state 1 1.35E+09 session.check_av.last.state is 1 Common&nbsp;
19369 1.35E+09 /Common/fireplace_test_act_logging_1_ag 0 1.35E+09 Executed agent '/Common/fireplace_test_act_logging_1_ag', return value 0 Common&nbsp;
19369 1.35E+09 fallback Logging(1) Logon Page 1.35E+09 Following rule 'fallback' from item 'Logging(1)' to item 'Logon Page' Common&nbsp;
19369 1.35E+09 Logon executeInstance 1.35E+09 Logon agent: ENTER Function executeInstance Common&nbsp;
19369 1.35E+09 Logon executeInstance 1.35E+09 Logon agent: LEAVE Function executeInstance Common&nbsp;

&nbsp;

seth_cooper · Answer

Hi, 
&nbsp;  
&nbsp; I'm not sure how to do it through the GUI... but on the command line you can login and go to /var/log... then run the following.. 
&nbsp;  
&nbsp; [root@edge-gateway-box:Active:Standalone] log   egrep "session.user.clientip|session.logon.last.username|session.check_av.last.item_1.name|session.check_av.last.item_1.version" apm  | awk -F" " '{print $8, $11, $14}' 
&nbsp; db5c7e14: 'session.check_av.last.item_1.name' 'Symantec 
&nbsp; db5c7e14: 'session.check_av.last.item_1.version' '20121.2.1.2' 
&nbsp; db5c7e14: 24.144.40.133 
&nbsp; db5c7e14: 'session.logon.last.username' 'scoope' 
&nbsp; [root@cwyegw01:Active:Standalone] log  
&nbsp;  
&nbsp; You can then load this to a database or spreadsheet (depending on how many records you have) and do your analysis on it.  the first value is the session ID and the second value is the variable and the third value is the value of the variable. (except for the ip address line... awk didn't work as well but you know what you have with that one... if you want to use it you can grep it out separately and format it for what you want. 
&nbsp;  
&nbsp; I'm not sure exactly what you are looking for but please let me know if this will help... you could write a perl script to collect the data and then print it in a better format.  I would also suggest send the logs to a syslog server where the data will be able to sit longer than on the VPN device. 
&nbsp;  
&nbsp; Also... FYI... on your current policy do you want to allow them to connect either way.. currently they are allowed access with no auth or resources assigned in the policy.  If you don't want them to connect you can change the ending to deny.  
&nbsp;  
&nbsp; Please let me know if this helps... 
&nbsp;  
&nbsp; Seth

Forum Discussion

Report on av check big ip apm

7 Replies

Recent Discussions

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Help with URL Masking

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

BIG-IP Report

Big-IP Reporting? Vserver traffic stats, etc.?

Protecting the F5 BIG-IP AFM system with AFM Protocol Inspection System Checks

What is BIG-IP Next?

Big iQ DNS statistics reports are blank