Posture checks overview
Posture checks are a core security mechanism used to enforce the zero-trust model by continually verifying the security and compliance state (posture) of a connecting device. They ensure that only connections satisfying the policy, which is re-evaluated for as long as the connection lasts, are granted access to your network services.
You define a posture check to assert a security requirement (e.g., "The endpoint protection software must be running"). You then apply that check to a service policy to make it mandatory for access. If an application's host device fails the check at any point, the NetFoundry overlay network denies the connection regardless of the identity's permissions.
Posture check types
When creating a posture check, you can define the security requirements based on these types:
- MAC address check: Verifies the device has a specific, registered hardware MAC address. This is used to lock access down to known hardware.
- Operating system check: Verifies the device is running an expected operating system (OS) and version. This helps enforce compliance and prevents access from unsupported or vulnerable OS versions.
- Process check: Verifies that a single required process (like an antivirus client or monitoring agent) is running on the endpoint device.
- Process multi check: Verifies that multiple required processes are running on the endpoint.
- Windows domain check: Verifies the endpoint device is successfully joined to a specific Windows Active Directory domain.
- Multi-factor check: Verifies that the identity completed a secondary multi-factor authentication step upon sign-in.
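The check types above, as an added example of how a policy evaluator applies them (this is illustrative Python written for this page, not NetFoundry's code or schema): every check attached to a policy must pass, a single failure denies access even when the identity is otherwise permitted, and an unrecognised check type fails closed. The posture-report field names, type identifiers and sample values are assumptions constructed for the example.

```python
def _version_tuple(v):
    """Parse 'a.b.c' into a comparable tuple; None if not numeric (fail closed)."""
    try:
        return tuple(int(p) for p in v.split("."))
    except ValueError:
        return None

# Field names in the posture report ("mac", "os", ...) are assumptions for this example.
def check_mac(dev, details):  # device MAC must be one of the registered addresses
    return dev.get("mac", "").lower() in {m.lower() for m in details["allowed"]}

def check_os(dev, details):  # expected OS name and at least the minimum version
    os_info = dev.get("os", {})
    have = _version_tuple(os_info.get("version", ""))
    want = _version_tuple(details["min_version"])
    return os_info.get("name") == details["name"] and None not in (have, want) and have >= want

def check_process(dev, details):  # one required process must be running
    return details["process"] in dev.get("processes", set())

def check_process_multi(dev, details):  # every listed process must be running
    return set(details["processes"]) <= set(dev.get("processes", set()))

def check_domain(dev, details):  # endpoint must be joined to the named AD domain
    return dev.get("domain", "").lower() == details["domain"].lower()

def check_mfa(dev, details):  # identity must have completed the secondary factor
    return dev.get("mfa_completed") is True

CHECKS = {"MAC": check_mac, "OS": check_os, "PROCESS": check_process,
          "PROCESS_MULTI": check_process_multi, "DOMAIN": check_domain, "MFA": check_mfa}

def evaluate(device, policy_checks, identity_permitted=True):
    """Return (allowed, names_of_failed_checks). Every check on the policy must pass;
    one failure denies access even though the identity is permitted. An unknown
    check type counts as failed rather than being skipped (fail closed)."""
    failed = [c["name"] for c in policy_checks
              if not CHECKS.get(c["type"], lambda d, x: False)(device, c["details"])]
    return (identity_permitted and not failed), failed

# Constructed posture report and policy for demonstration, not real data.
DEVICE = {"mac": "11:11:11:11:11:11", "os": {"name": "Windows", "version": "10.0.19045"},
          "processes": {"MsMpEng.exe", "osqueryd.exe"}, "domain": "corp.example",
          "mfa_completed": True}
POLICY = [
    {"name": "known-hardware", "type": "MAC", "details": {"allowed": ["11:11:11:11:11:11"]}},
    {"name": "supported-os", "type": "OS", "details": {"name": "Windows", "min_version": "10.0.19041"}},
    {"name": "av-running", "type": "PROCESS", "details": {"process": "MsMpEng.exe"}},
    {"name": "agents-running", "type": "PROCESS_MULTI", "details": {"processes": ["MsMpEng.exe", "osqueryd.exe"]}},
    {"name": "domain-joined", "type": "DOMAIN", "details": {"domain": "CORP.EXAMPLE"}},
    {"name": "mfa", "type": "MFA", "details": {}},
]
```

Re-running `evaluate` whenever the device's report changes is what turns these one-off checks into the continual enforcement the overview describes.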
Console reference
Posture checks table
The Posture checks tab displays all posture checks configured in your network. This list is a reference you use when building service policies.
| Column | Concept | Description |
|---|---|---|
| Name | Display label | The user-defined name for the posture check (e.g., test-posture-check). |
| Type | Check requirement | The type of check being performed (e.g., MAC, Operating System, Process). |
| Details | Value being checked | The specific value or pattern the endpoint must match (e.g., a specific MAC address like 11:11:11:11:11:11, a required OS version, or a process name). |
| Created At | Timestamp | The time and date when this posture check was defined in the controller. |