

Cisco Employee

Posture Policy

When defining a posture policy, the requirements of any matching rule will need to be evaluated for a posture to be compliant (or not).

A customer is then asking what is best:

- one single rule with multiple requirements

- several rules with the same condition and a single requirement per rule

Functionally, this looks the same to me, but is there any difference in terms of performance, scalability, etc.?

From a manageability point of view, I'd tend to recommend a single rule with multiple requirements but happy to stand corrected ;-)

TIA,

JF

1 ACCEPTED SOLUTION
Cisco Employee

Re: Posture Policy

Usually we combine the requirements into one posture policy rule when they should be in some logical order. For example, check that AV is installed first, before checking AV definitions. See my response @ ISE Remediation Automatic Install

5 REPLIES
VIP Engager

Re: Posture Policy

Good question. Interested to hear the answer. I prefer to have individual rules so everything is very apparent vs. having to dig into the requirements of a single rule:

Windows AV Installed Audit

Windows AV Definitions Audit

Windows SCCM Installed Audit

Windows SCCM Enabled Audit

Windows SCCM Critical Patches Audit

etc.

Cisco Employee

Re: Posture Policy

Thanks, that's interesting!!

What happens when there are different policies, then? Are they run in parallel, or may they not be run in the sequence you'd expect?

Cisco Employee

Re: Posture Policy

The latter. ISE Posture Policy rules are match-all, so anything matched will be the requirements. For example, in case AV install and AV definition are two separate rules and both matched, then AnyConnect ISE posture would check for AV definitions regardless of whether AV is installed on the endpoint.

Collaborator

Re: Posture Policy

So, just to confirm...

Posture Policy is not like an Access Control List that gets processed in top-down, sequential order where the first match defines the result. It's different for the Posture Policy rule list, which is: as long as the conditions, etc. match, ALL the defined requirements of the matching rules need to be satisfied. In other words, it's an AND operator across these matching rules.

For instance, I have two separate rules in my Posture Policy with the same conditions {id group, operating system, other conditions}, one with requirements for AV and another rule with requirement for patch management. They both need to be checked off successfully to flag the session as compliant.

Am I correct? thanks.
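The two semantics discussed in this thread (the match-all evaluation described in the "The latter" reply above, and the "AND across matching rules" reading in the confirmation post just above) can be made concrete with a small model. The following is an added example written for this page, not ISE code and not anything the posters shared: it evaluates a list of posture rules match-all, ANDs every requirement of every matching rule, and, as an assumption drawn from the "check AV installed first, before checking AV definitions" advice, skips the remaining requirements of a rule once an earlier one in that same rule fails. Rule names, conditions, requirement checks and the endpoint attributes are all constructed for illustration.

```python
"""Toy model of ISE posture-policy evaluation as described in the thread.

Constructed example, not ISE code. It models:
  * match-all rule evaluation: every rule whose conditions match contributes
    its requirements, and all of them must pass for the session to be compliant;
  * ordered requirements inside one rule, where a later requirement is skipped
    once an earlier one in the same rule fails (assumption taken from the
    "check AV installed before AV definitions" advice in the thread).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Endpoint = Dict[str, object]


@dataclass
class Requirement:
    name: str
    check: Callable[[Endpoint], bool]


@dataclass
class PostureRule:
    name: str
    conditions: Dict[str, object]      # every key must equal the endpoint attribute
    requirements: List[Requirement]    # evaluated in the order listed

    def matches(self, ep: Endpoint) -> bool:
        return all(ep.get(k) == v for k, v in self.conditions.items())


def evaluate(rules: List[PostureRule], ep: Endpoint) -> Tuple[bool, List[Tuple[str, str, bool]]]:
    """Return (compliant, results).

    results lists each requirement that was actually checked, in order, as
    (rule name, requirement name, passed). An endpoint matching no rule has
    nothing to check and is treated as compliant here (toy assumption).
    """
    results: List[Tuple[str, str, bool]] = []
    compliant = True
    for rule in rules:                 # match-all: no first-match short-circuit across rules
        if not rule.matches(ep):
            continue
        for req in rule.requirements:  # ordered within a single rule
            ok = req.check(ep)
            results.append((rule.name, req.name, ok))
            if not ok:
                compliant = False
                break                  # assumption: later requirements of this rule are skipped
    return compliant, results


def checked_names(results: List[Tuple[str, str, bool]]) -> List[str]:
    """Names of the requirements that were actually evaluated, in order."""
    return [name for _, name, _ in results]


# Constructed requirement checks (hypothetical endpoint attributes).
AV_INSTALLED = Requirement("AV Installed", lambda ep: ep.get("av_installed") is True)
AV_DEFS_CURRENT = Requirement("AV Definitions Current", lambda ep: ep.get("av_def_age_days", 999) <= 7)
PATCHES = Requirement("Critical Patches", lambda ep: ep.get("missing_critical_patches", 1) == 0)

WIN_EMPLOYEE = {"os": "Windows", "id_group": "Employee"}

# Option A from the question: one rule carrying ordered requirements.
SINGLE_RULE = [PostureRule("Win AV + Patches", WIN_EMPLOYEE, [AV_INSTALLED, AV_DEFS_CURRENT, PATCHES])]

# Option B: several rules with the same condition and one requirement each.
SPLIT_RULES = [
    PostureRule("Win AV Installed", WIN_EMPLOYEE, [AV_INSTALLED]),
    PostureRule("Win AV Definitions", WIN_EMPLOYEE, [AV_DEFS_CURRENT]),
    PostureRule("Win Critical Patches", WIN_EMPLOYEE, [PATCHES]),
]

# Constructed endpoints.
NO_AV = {"os": "Windows", "id_group": "Employee", "av_installed": False, "missing_critical_patches": 0}
HEALTHY = {"os": "Windows", "id_group": "Employee", "av_installed": True,
           "av_def_age_days": 2, "missing_critical_patches": 0}
MAC = {"os": "macOS", "id_group": "Employee"}

if __name__ == "__main__":
    for label, rules in (("single rule", SINGLE_RULE), ("split rules", SPLIT_RULES)):
        compliant, results = evaluate(rules, NO_AV)
        print(f"{label}: compliant={compliant}, checked={checked_names(results)}")
```

With the AV-less endpoint, the single ordered rule stops after "AV Installed" fails, while the split rules still evaluate "AV Definitions Current" (which fails as well) and "Critical Patches"; the session is non-compliant either way, which is the functional equivalence the original question observed, but the set of checks the agent actually performs differs.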