Enforce block policy when *any* device posture check fails

Struggling to understand how to use device posture in policies. Let’s simplify the goal as: “I want to block all access to Team-controlled resources for any device that doesn’t meet our posture requirements in any way whatsoever”.

What I think I understand so far is (please correct where wrong):

  1. You can’t refer to device posture in Settings > Devices > Device Enrollment Permissions > Rules > Include (or anywhere else in this area that I can find).
    • So you can’t prevent users from enrolling bad-posture devices. This seems like a questionable zero-trust feature gap, but let’s continue…
  2. You can refer to device posture in Gateway policy rules, relating to Network or HTTP policies.
    • I think these are the only places you can use device posture to enforce policy (right?)
  3. However, Network and HTTP policies are all default-allow policies
    • I.e., if you have no custom policy rules, all Network/HTTP traffic is allowed
    • For our example we want to block some traffic where device posture is bad (has any posture failures at all).
  4. It isn’t possible through the dash.teams.cloudflare.com browser UI to set a policy that selects based on failed device posture attributes.
    • The only option that is available is “Passed Device Posture Checks”, even though articles like these refer (very much indirectly, as part of an example) to “device_posture.checks.failed[*]” as possibly being an option through the API.
    • There seems to be no combination of “Passed Device Posture Checks” and the available operators (“in”, “is”, “is not”, “not in”) which allows us to say “if any device posture check fails, block access (to something/everything)”. Fundamentally I want to refer to failed posture checks, not passed posture checks.
  5. (Side note) It doesn’t seem possible to create default-deny type policy rules either
    • There is no “any” or “all” selector
    • There is no “matches regex” operator for “Destination IP” selector
    • It isn’t possible to set Destination IP to “”, or “.*” under the “is” operator
    • Whereas it is possible to put “” as the value against an “is” operator, it isn’t clear in any docs I can find that “” means “all IP addresses” in this context (in fact, seems more likely it means that exact address, which is not what we’re after).

None of the logic available in the UI seems to fit this pretty obvious and likely use-case (“don’t allow any access to devices with any bad posture”). I can’t find any documentation that addresses this point, or any CF Zero Trust API documentation that shows how this might be possible through the API, if not through the UI.

Is part of my understanding wrong above, and/or am I missing something? If no, then I have cognitive dissonance on how device posture checking can be made useful at all. Even in the examples CF gives, like in the screenshot attached, if you can’t say “match where any device policy check fails” and you can’t say “I need all device policy checks to pass”, then I don’t see how device policy checks can be useful in the absence of default-deny rules lower down the policy order. I must be missing something.

THIS POST GOT CLOSED BEFORE ANY REPLIES and before we got a suitable response from CF Support, but the answer we eventually got (after just under a month) from CF Support was:

CONFIRMED - this is possible through the API but not (yet) through the UI.

curl -sX PUT "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules/3d4e1c75-63bc-4469-8ae0-ce16959173cd" \
     -H "X-Auth-Email: $X_AUTH_EMAIL" \
     -H "X-Auth-Key: $X_AUTH_KEY" \
     -H "Content-Type: application/json" --data '{"name": "Block Internet Access if Device Posture Check Fails","enabled": true,"action": "block","filters": ["http"],"traffic": "http.request.host == \"www.youtube.com\"","device_posture": "any(device_posture.checks.failed[*] in {\"da66e679-3ee2-4a8e-a675-f0f21a754fed\" \"4019309f-fcfe-4d02-9b56-d39871433f78\" \"ea2e7f68-f1d3-4ad9-80d9-192bc33fdac8\" \"009acf84-e238-4941-b2e2-0d8fa90ab565\"})"}'

Of course, you would need to use your own Account ID, X-Auth-Email, and X-Auth-Key values.
And you would need to replace da66e679-3ee2-4a8e-a675-f0f21a754fed, 4019309f-fcfe-4d02-9b56-d39871433f78, ea2e7f68-f1d3-4ad9-80d9-192bc33fdac8, and 009acf84-e238-4941-b2e2-0d8fa90ab565 with your own device posture check IDs.
