Device posture
With Cloudflare Zero Trust, you can configure Zero Trust policies that rely on additional signals from the WARP client or from third-party endpoint security providers. When device posture checks are configured, users can only connect to a protected application or network resource if they have a managed or healthy device.
Setup instructions and requirements vary depending on the device posture attribute. Refer to the links below to view the setup guide for your provider.
- WARP client checks are performed by the Cloudflare WARP client.
- Service-to-service checks are performed by third-party device posture providers.
- Access integration checks are only configurable for Access applications. These attributes cannot be used in Gateway policies.
Before integrating a device posture check in a Gateway or Access policy, verify that the Pass/Fail results match your expectations. To view the latest test results for a specific device:
- In Zero Trust ↗, go to My Team > Devices.
- Select the device.
- Select View details.
- Select the Posture checks tab.
You can now use your device posture check in an Access policy or a Gateway network or HTTP policy. In Access, the enabled device posture attributes will appear in the list of available selectors. In Gateway, the attributes will appear when you choose the Passed Device Posture Check selector.
WARP client and service-to-service posture checks rely on traffic going through WARP to detect posture information for a device. In your Split Tunnel configuration, ensure that the following domains are included in WARP:
- The IdP used to authenticate to Cloudflare Zero Trust if posture check is part of an Access policy.
<your-team-name>.cloudflareaccess.comif posture check is part of an Access policy.- The application protected by the Access or Gateway policy.
Access detects changes in device posture at the same rate as the polling frequency configured for the posture check.
Because Gateway evaluates network and HTTP policies on every request, it maintains a local cache of posture results that is only updated every five minutes. Therefore, Gateway policies are subject to an additional five-minute delay. For example, if you set your polling frequency to 10 minutes, it may take up to 15 minutes for Gateway to detect posture changes on a device.
flowchart LR accTitle: Device posture policy enforcement A[Device] --schedule--> B[WARP client]--> C((Cloudflare)) --> D[Access policy] C --5 min--> E[Cache] --> F[Gateway policy] A --> G[Service provider] --interval--> C
By default, the posture result on Cloudflare remains valid until it is overwritten by new data. You can specify an expiration time using our API. We recommend setting the expiration to be longer than the polling frequency.
By default, the WARP client polls the device for status changes every five minutes. To modify the polling frequency, use the API to update the schedule parameter.
When setting up a service-to-service integration, you will choose a polling frequency to determine how often Cloudflare will query the third-party API. To set the polling frequency via the API, use the interval parameter.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
