Skip to main content

Posture Rules

Define the device‑trust rules that produce each device's risk score — then gate network access on them. This is the org‑wide config behind the per‑device Posture tab.

The five pillars

Each device is scored against five checks:

PillarPasses when
AntivirusAV/EDR present and active
FirewallHost firewall on
Disk encryptionSystem drive encrypted (BitLocker / FileVault / LUKS)
PatchOS patches current
Screen lockAuto‑lock with password enforced

Tune the rules

  1. Go to Network → RADIUS / NAC → Posture Rules.
  2. Give each pillar a weight — how much it adds to the risk score when it fails.
  3. Ignore a pillar where it doesn't apply (e.g. skip screen lock on headless servers).

Enforce it

In Access Policies, turn on Require posture check and set a Max risk score (and optional Max posture age). Devices over the threshold are denied or sent to a restricted VLAN.

tip

Start in monitor mode — set posture rules and watch the scores in policies without enforcing — then flip to enforcement once you see the fleet is mostly compliant.