Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE Posture - AnyConnect Compliance module v3.x vs v4.x

Hello Community,

I have searched very hard to find info on that matter, but with almost no result, so I've decided to post a thread here. Our environment is based ISE 2.2 ASA 9.4 and AnyConnect 4.4

As you know there are two separate version "trains" for the ISE compliance module for AnyConnect:

  • v 3.x where the latest version is v 3.6.xxxx
  • v 4.x where the latest version is v 4.2.xxxx

Obviously they have some substantial functional differences that are reflected in the ISE posture condition policies, e.g.:

  • Anti-Malware is only for v4.x
  • Anti-Spyware is only for v3.x
  • Anti-Virus in only for v3.x
  • Application conditions are for both v3.x and v4.x
  • Patch management conditions have to separately configured for v3.x and v4.x
  • .. and so on..

So my questions are:

  • What is the general rule of thumb for choosing to use v3 or v4 AC Compliance module? Obviously both would do the job one way or the other, and both support the current AnyConnect versions. So what is the catch?
  • Since AV and Anti-Spyware checks seem "depreciated" in compliance module v4 is it true to assume that they have been consolidated into Anti-Malware checks that covers all?

Everyone's tags (1)
Hall of Fame Guru

Yes - v4.x is calling all

Yes - v4.x is calling all those related checks Anti-malware.

Use v4.x as a general rule as v3.x will totally be deprecated in the future.


Thanks Marvin,

Thanks Marvin,

do you know if there is any reason to still use v3.x - like any common functionality that is still not doable with 4.x ? Or maybe OS support.. Looked at available docs & release notes and couldn't find such..

Hall of Fame Guru

As far as I know, the only

As far as I know, the only reason to use 3.x compliance module is if you have clients with AnyConnect 3.x.

If you have no such clients, then you should only run the 4.x compliance module.