Posture Check

The Posture Check page lets you specify the posture requirements a device must meet. If the device does not meet them, the Harmony SASE Agent blocks both private-network and internet access for that device.

The posture check runs every time the device connects to the network and, depending on the profile's runtime schedule, periodically while the device stays connected.

To view the Posture Check page, access the Harmony SASE Administrator Portal and click Devices > Posture Check.

Supported Posture Requirement Checks

Windows  macOS  Linux  Posture Requirement
Yes      Yes    Yes    A specific (or any) Anti-Virus product is active and up to date on the device*
Yes      No     No     A specific (or any) firewall or Windows Security Center is active and up to date
Yes      Yes    No     A specific OS version is installed and running on the device
Yes      Yes    Yes    Required or banned files are present (or absent) on the device
Yes      No     No     Required or banned registry keys and values are present (or absent)
Yes      Yes    Yes    Required or banned processes are running (or not running) on the device
Yes      Yes    No     The device's hard drive is encrypted
Yes      Yes    No     A valid device certificate trusted by a CA is installed
Yes      No     No     The user has signed in to a specified AD domain

* Supported Anti-Virus products:

  • Windows Defender

  • Symantec Norton

  • McAfee

  • Avast

  • Kaspersky

  • SentinelOne

  • CrowdStrike Falcon

  • Bitdefender Total Security

  • Eset

  • Malwarebytes

  • Webroot

  • ESET NOD32

  • ClamAV

  • Check Point Harmony Endpoint

Specifying the Device Posture Check Requirements

  1. Access the Harmony SASE Administrator Portal and click Devices > Posture Check.

  2. Click Add Profile.

    The Add Device Posture Check Profile window appears.

  3. In the Posture Check Profile Name field, enter a profile name.

  4. From the Assign Groups list, select the member group(s) to which you want to apply the posture check.

  5. In the Runtime Schedule section, select when to run the device posture check:

    • Prior to Connection, and then periodically while connected. Select the interval:

      • Every 20 minutes

      • Every 40 minutes

      • Every 60 minutes

    • Prior to Connection Only (no recurring check while the device stays connected)

  6. To add an operating system to the profile, click Add OS to Profile.

  7. Select the Operating System from the list:

    • MacOS

    • Windows

    • Linux

    • iOS

    • Android / Chromebook

  8. From the Select and Define Rules list, select the rule type and configure it:

    Anti-virus
      Verifies that the specified Anti-Virus product is installed, up to date and running.
      Action: Select the Anti-Virus products from the list.

    File Exists
      Verifies that a file exists (required) or does not exist (banned) at the specified path.
      Action: Enter the path using forward slashes, for example C:/user/testing.

    Disk Encryption
      Verifies that the OS hard drives are encrypted.
      Action: N/A.

    Certificate
      Verifies that a specific certificate is installed on the device (on macOS, in the Keychain).
      Action: Enter the certificate name.

    Process Running
      Verifies that the specified processes are running (required) or not running (banned) on the device.
      Action: Enter the process name; on Windows, include the .exe extension, for example winload.exe. To get the process name, see Certificate Pinning. You can also use this rule to check an Anti-Virus product that is not in the pre-defined Anti-virus list.

    Operating System version
      Verifies that the OS version running on the device satisfies the selected operator against the specified version (for example, the specified version or higher).
      Action: Select the operator and then enter the OS version number, for example 10, 10.0 or 10.0.19045.

    Registry
      Verifies that the specified registry key exists (required) or does not exist (banned). Windows only.
      Action:
      • In the Enter registry key in HKEY_ format field, enter the registry key. It must start with HKEY and must not end with a backslash (\). For example, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\New Key.
      • (Optional) In the Value field, enter the value the key must hold.

    Windows Security Center
      Verifies that the specified Firewall, Anti-Virus or Windows Security Center service is installed and active. Windows only.
      Action: Select a list:
      • Antivirus
      • Firewall
      • Windows Security Center Service

    Active Directory Association
      Verifies that the user is signed in to a specified AD domain. Windows only.
      Action: Enter the domain name. To accept either of two domains, enter OR between the domain names.

    Define Access Permission
      Allows or blocks network access for mobile devices (iOS and Android / Chromebook). Default is Allow.
      Action: Select an action from the Define Access Permission list:
      • Allow: mobile devices can access networks.
      • Deny: mobile devices cannot access networks.
      • Allow Chromebook only: Chromebook devices can access networks; Android devices cannot.

  9. To add more rules to the same OS, click Add Rule to OS and repeat step 8.

  10. Click Apply.

    The Device Posture Check profile is created.
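The rule semantics of step 8, modelled as an added example so an administrator can reason about how a profile will treat a device before rolling it out. This is not Check Point code and not the agent's implementation. It assumes a hypothetical dictionary shape for rules and for the device inventory, the operators >=, <= and == for the Operating System version rule (the page does not list which operators the portal offers), and a constructed Windows device; the per-OS support matrix is taken from the table above.

```python
"""Offline model of how a Harmony SASE posture-check profile evaluates a device.
Added example, not Check Point code: rule dicts, operators and DEVICE are assumptions;
required/banned, OS version, registry format and AD 'OR' semantics follow the rule table."""
import re

# Rule types each OS supports, per the "Supported Posture Requirement Checks" table.
SUPPORTED_RULES = {
    "windows": {"antivirus", "security_center", "os_version", "file", "registry",
                "process", "disk_encryption", "certificate", "ad_domain"},
    "macos": {"antivirus", "os_version", "file", "process", "disk_encryption", "certificate"},
    "linux": {"antivirus", "file", "process"},
}

def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045); compare as integers, never as strings ('9' > '10')."""
    return tuple(int(part) for part in text.strip().split("."))

def version_ok(operator, required, actual):
    """Assumed operators: '>=' (version or higher), '<=', '==' (prefix match: '10' matches 10.x)."""
    req, act = parse_version(required), parse_version(actual)
    width = max(len(req), len(act))            # pad so 10 == 10.0 and 10.0.19045 >= 10
    req_p, act_p = req + (0,) * (width - len(req)), act + (0,) * (width - len(act))
    if operator == "==":
        return act[:len(req)] == req
    if operator in (">=", "<="):
        return act_p >= req_p if operator == ">=" else act_p <= req_p
    raise ValueError(f"unsupported operator {operator!r}")

def validate_registry_key(key):
    """Portal format: the key must start with HKEY and must not end with a backslash."""
    if not key.startswith("HKEY") or key.endswith("\\"):
        raise ValueError(f"bad registry key {key!r}")
    return key

def parse_domains(text):
    """'corp.example.com OR lab.example.net' -> ['corp.example.com', 'lab.example.net']."""
    return [d.strip().lower() for d in re.split(r"\s+OR\s+", text) if d.strip()]

def condition_holds(rule, device):
    """True when what the rule names is present/active on the device, ignoring required/banned."""
    kind = rule["type"]
    if kind == "antivirus":                      # installed, running and up to date
        av = device["antivirus"].get(rule["product"])
        return bool(av and av["running"] and av["up_to_date"])
    if kind == "file":                           # portal paths use forward slashes
        return rule["path"].replace("\\", "/") in device["files"]
    if kind == "process":
        return rule["name"].lower() in {p.lower() for p in device["processes"]}
    if kind == "registry":
        value = device["registry"].get(validate_registry_key(rule["key"]))
        return value is not None and ("value" not in rule or value == rule["value"])
    if kind == "disk_encryption":
        return device["disk_encrypted"]
    if kind == "certificate":
        return rule["name"] in device["certificates"]
    if kind == "os_version":
        return version_ok(rule["operator"], rule["version"], device["os_version"])
    if kind == "security_center":
        return device["security_center"].get(rule["component"], False)
    if kind == "ad_domain":
        return device["ad_domain"].lower() in parse_domains(rule["domains"])
    raise ValueError(f"unknown rule type {kind!r}")

def evaluate_rule(rule, device):
    """A 'required' rule passes when the condition holds; a 'banned' rule passes when it does not."""
    holds = condition_holds(rule, device)
    return holds if rule.get("mode", "required") == "required" else not holds

def evaluate_profile(os_name, rules, device):
    """(access_allowed, failed_rules, unsupported_rules) for one OS entry. Rule types the support
    table does not list for this OS are reported, not evaluated; any failed rule blocks access."""
    unsupported = [r for r in rules if r["type"] not in SUPPORTED_RULES[os_name]]
    failed = [r for r in rules if r not in unsupported and not evaluate_rule(r, device)]
    return (not failed, failed, unsupported)

# Constructed inventory standing in for what the agent collects on a managed Windows laptop.
DEVICE = {
    "os_version": "10.0.19045",
    "antivirus": {"Windows Defender": {"running": True, "up_to_date": True}},
    "security_center": {"Antivirus": True, "Firewall": True, "Windows Security Center Service": True},
    "files": {"C:/ProgramData/Corp/agent.cfg"},
    "processes": ["explorer.exe", "MsMpEng.exe"],
    "registry": {r"HKEY_LOCAL_MACHINE\SOFTWARE\Corp\Managed": "1"},
    "disk_encrypted": True,
    "certificates": {"corp-device-cert"},
    "ad_domain": "corp.example.com",
}
# One Windows entry of a profile, mirroring the rule types of step 8 (hypothetical rule dicts).
WINDOWS_RULES = [
    {"type": "antivirus", "product": "Windows Defender"},
    {"type": "os_version", "operator": ">=", "version": "10.0"},
    {"type": "disk_encryption"},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Corp\Managed", "value": "1"},
    {"type": "process", "mode": "banned", "name": "teamviewer.exe"},
    {"type": "ad_domain", "domains": "corp.example.com OR lab.example.net"},
]

if __name__ == "__main__":
    print(evaluate_profile("windows", WINDOWS_RULES, DEVICE))
```

For the constructed device every rule passes, so evaluate_profile returns (True, [], []); a Registry rule placed under a macOS entry is reported in the unsupported list rather than evaluated. Two details are worth carrying over to a real profile: compare OS versions numerically (a string comparison puts "9" above "10"), and remember that a banned rule only fails when the named item is actually found, so a misspelled banned process or file name passes without any warning.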