
Posture Policy

jdal
Cisco Employee

When defining a posture policy, the requirements of any matching rule will need to be evaluated for a posture to be compliant (or not).

A customer is then asking what is best:

- one single rule with multiple requirements

- several rules with the same condition and a single requirement per rule

Functionally, this looks the same to me, but is there any difference in terms of performance, scalability, ...?

From a manageability point of view, I'd tend to recommend a single rule with multiple requirements but happy to stand corrected ;-)

TIA,

JF


paul
Level 10

Good question.  Interested to hear the answer.  I prefer to have individual rules so everything is very apparent vs. having to dig into the requirements of a single rule:

- Windows AV Installed Audit
- Windows AV Definitions Audit
- Windows SCCM Installed Audit
- Windows SCCM Enabled Audit
- Windows SCCM Critical Patches Audit
- etc.

hslai
Cisco Employee

Usually we combine the requirements into one posture policy rule when they should be in some logical order. For example, check AV installed first before check AV definitions. See my response @ ISE Remediation Automatic Install

jdal
Cisco Employee

Thanks, that's interesting!!

What happens when there are different policies then? Are they run in parallel or they may not be run in the sequence you'd expect?

hslai
Cisco Employee

The latter. ISE Posture Policy rules are match-all, so anything matched will be the requirements. For example, if AV installed and AV definitions are two separate rules and both match, then AnyConnect ISE posture would check for AV definitions regardless of whether AV is installed on the endpoint.
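To make the match-all behaviour described above concrete, here is a small evaluation model added to this thread (it is not Cisco code and not how ISE is implemented internally). It assumes that requirements inside one rule are checked in order and the rule stops at the first unmet one, and that every rule whose condition matches contributes its requirements; the rule names, checks and endpoints are constructed for illustration.

```python
# Added example: a simplified model of ISE posture policy evaluation, used to
# compare "one rule with ordered requirements" against "one rule per requirement".
# Assumption (not confirmed by the thread): inside a rule, requirements run in order
# and the rule stops at the first unmet one; across rules, every matching rule's
# requirements are ANDed together (match-all, as described in the reply above).
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    condition: dict      # endpoint attributes that must match, e.g. {"os": "windows"}
    requirements: list   # ordered requirement names


# Constructed requirement checks, keyed by name; each returns True when satisfied.
CHECKS = {
    "AV_Installed": lambda ep: ep.get("av_installed", False),
    "AV_Definitions_Current": lambda ep: ep.get("av_defs_days_old", 999) <= 7,
    "Patch_Mgmt_Installed": lambda ep: ep.get("sccm_installed", False),
}


def matches(rule, endpoint):
    return all(endpoint.get(k) == v for k, v in rule.condition.items())


def evaluate(policy, endpoint):
    """Return (compliant, evaluated): the verdict and the checks that actually ran."""
    compliant, evaluated = True, []
    for rule in policy:
        if not matches(rule, endpoint):
            continue
        for req in rule.requirements:          # ordered within a single rule
            evaluated.append(req)
            if not CHECKS[req](endpoint):
                compliant = False
                break                          # this rule stops at its first failure
    return compliant, evaluated


WIN = {"os": "windows"}
SINGLE_RULE = [Rule("Win-Posture", WIN,
                    ["AV_Installed", "AV_Definitions_Current", "Patch_Mgmt_Installed"])]
SPLIT_RULES = [Rule("Win-AV-Installed", WIN, ["AV_Installed"]),
               Rule("Win-AV-Defs", WIN, ["AV_Definitions_Current"]),
               Rule("Win-Patch", WIN, ["Patch_Mgmt_Installed"])]

# Constructed endpoint with no AV product at all.
NO_AV = {"os": "windows", "av_installed": False, "sccm_installed": True}

if __name__ == "__main__":
    print(evaluate(SINGLE_RULE, NO_AV))  # (False, ['AV_Installed'])
    print(evaluate(SPLIT_RULES, NO_AV))  # definitions check runs although AV is absent
```

Both layouts return the same non-compliant verdict, but the split layout still evaluates the AV definitions requirement on an endpoint with no AV, which is the situation the reply above describes.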

So, just to confirm...

Posture Policy is not like an Access Control List, which is processed in top-down, sequential order where the first match defines the result. It's different for the Posture Policy rule list: as long as the conditions, etc. match, ALL the defined requirements of the matching rules need to be satisfied. In other words, it's an AND operator across these matching rules.

For instance, I have two separate rules in my Posture Policy with the same conditions {id group, operating system, other conditions}, one with requirements for AV and another rule with requirement for patch management. They both need to be checked off successfully to flag the session as compliant.

Am I correct? Thanks.

I would like to know as well if this is a match-all, and where I can find this in the Cisco documentation?

Currently I can't find anything on this subject in the official docs, apart from this forum post.