Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1205
Views
1
Helpful
6
Replies

Posture Policy

Go to solution
jdal
Cisco Employee
Cisco Employee

‎04-23-2018 09:15 AM

When defining a posture policy, the requirements of any matching rule will need to be evaluated for a posture to be compliant (or not).

A customer is then asking what is best:

- one single rule with multiple requirements

- several rules with the same condition and a single requirement per rule

Functionally, this looks the same to me but is there any difference in terms of performance, scalability,...

From a manageability point of view, I'd tend to recommend a single rule with multiple requirements but happy to stand corrected ;-)

TIA,

JF

1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-24-2018 08:49 PM

Usually we combine the requirements into one posture policy rule when they should be in some logical order. For example, check AV installed first before check AV definitions. See my response @ ISE Remediation Automatic Install

View solution in original post

0 Helpful
6 Replies 6

Go to solution
paul
Level 10
Level 10

‎04-23-2018 01:36 PM

Good question.  Interested to hear the answer.  I prefer to have individual rules so everything is very apparent vs. having to dig into the requirements of a single rule:

Windows AV Installed Audit

Windows AV Definitions Audit

Windows SCCM Installed Audit

Windows SCCM Enabled Audit

Windows SCCM Critical Patches Audit

etc.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-24-2018 08:49 PM

Usually we combine the requirements into one posture policy rule when they should be in some logical order. For example, check AV installed first before check AV definitions. See my response @ ISE Remediation Automatic Install

0 Helpful

Go to solution
jdal
Cisco Employee
Cisco Employee
In response to hslai

‎04-25-2018 12:34 AM

Thanks, that's interesting!!

What happens when there are different policies then? Are they run in parallel or they may not be run in the sequence you'd expect?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to jdal

‎04-25-2018 04:22 PM

The latter. ISE Posture Policy rules are match-all so anything matched will be the requirements. For example, in case AV install and AV definition are two separate rules and both matched, then AnyConnect ISE posture would check for AV definition regardless AV installed on the endpoint.

0 Helpful

Go to solution
Ping Zhou
Level 8
Level 8
In response to hslai

‎04-26-2018 07:56 AM

So, just to confirm...

Posture Policy is not like Access Control List that gets processed in top-down, sequential order and the first match defines the results. It's different for Posture Policy rule list, which is... as long as the conditions, etc match, ALL the defined requirements of the matching conditions need to be satisfied. In other words, it's AND operator for these matching rules.

For instance, I have two separate rules in my Posture Policy with the same conditions {id group, operating system, other conditions}, one with requirements for AV and another rule with requirement for patch management. They both need to be checked off successfully to flag the session as compliant.

Am I correct? thanks.

0 Helpful

Go to solution
axeleratorcisco
Level 1
Level 1
In response to Ping Zhou

‎09-21-2022 04:26 AM

I would like to know as well if this is a match-all, and where I can find this in the Cisco documentation?

Currently can't find anything on this subject if official docs, apart from this forum post.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents