Posture redirection flow behavior

uRLKuzE — Tue, 10 Feb 2026 10:46:16 GMT

Hello,

I’ve setup a posture configuration to work with our RAVPN. Basically I’ve 3 rules:

Compliance OK, where I return a permit all ACL
Compliance not OK, where I return a limited ACL
Compliance unknow, where I’ve configured on the authorization profile a web redirection to trigger the posture

Rules 1 and 2 work as expected. For rule 3, to perform the redirect and have the posture checked, after reading the documentation, I’ve created the ACL below on the FTD, but the posture is not evaluated, the Secure Client cannot reach the PSN. In the ACL, the goal is to exclude DNS requests and flows to our PSNs from the redirection, everything else should be redirected:

But it doesn't work, I cannot reach the PSN from the Secure Client with this ACL, and posture is then not evaluated.

But for some reason I’d like to understand, it works if I add HTTP on the allow rule of the ACL (and only with HTTP):

With this ACL, redirection toward the PSN work, posture is evaluated, CoA is sent afterwards by the PSN and I recieve my full profile and can access my corporate network.

Besides, I see that while the redirection works and the posture is checked (so I don’t have my full profile at that moment), I notice that I can successfully connect to some internal resources of our corporate network. I view this behavior as a security risks, as I don’t want a device with a unknows compliance state to be allowed to access internal resources while the posture is checked.

Did I miss a configuration somewhere ? Or is there something I didn’t quite understood about the redirection workflow ?

Thanks for your inputs.

topic Posture redirection flow behavior in Network Security

Posture redirection flow behavior