Posture Rules
Define the device‑trust rules that produce each device's risk score — then gate network access on them. This is the org‑wide config behind the per‑device Posture tab.
The five pillars
Each device is scored against five checks:
| Pillar | Passes when |
|---|---|
| Antivirus | AV/EDR present and active |
| Firewall | Host firewall on |
| Disk encryption | System drive encrypted (BitLocker / FileVault / LUKS) |
| Patch | OS patches current |
| Screen lock | Auto‑lock with password enforced |
Tune the rules
- Go to Network → RADIUS / NAC → Posture Rules.
- Give each pillar a weight — how much it adds to the risk score when it fails.
- Ignore a pillar where it doesn't apply (e.g. skip screen lock on headless servers).
Enforce it
In Access Policies, turn on Require posture check and set a Max risk score (and optional Max posture age). Devices over the threshold are denied or sent to a restricted VLAN.
tip
Start in monitor mode — set posture rules and watch the scores in policies without enforcing — then flip to enforcement once you see the fleet is mostly compliant.