---
title: Posture checks
description: Posture checks in Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt  
> Use this file to discover all available pages before exploring further.

[Skip to content](#%5Ftop) 

### Tags

[ Posture ](https://developers.cloudflare.com/search/?tags=Posture) 

# Posture checks

With Cloudflare Zero Trust, you can configure Zero Trust policies that rely on additional signals from the Cloudflare One Client or from third-party endpoint security providers. When device posture checks are configured, users can only connect to a protected application or network resource if they have a managed or healthy device.

## 1\. Enable device posture checks

Setup instructions and requirements vary depending on the device posture attribute. Refer to the links below to view the setup guide for your provider.

* [Cloudflare One Client checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/) are performed by the Cloudflare One Client.
* [Service-to-service checks](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/) are performed by third-party device posture providers.
* [Access integration checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/access-integrations/) are only configurable for Access applications. These attributes cannot be used in Gateway policies.

## 2\. Verify device posture checks

Before integrating a device posture check in a Gateway or Access policy, verify that the Pass/Fail results match your expectations. To view the latest test results for a specific device:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Team & Resources** \> **Devices**.
2. Select the device.
3. Select **View details**.
4. Select the **Posture checks** tab.

## 3\. Build a device posture policy

You can now use your device posture check in an [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) or a Gateway [network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/common-policies/#enforce-device-posture) or [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/common-policies/#check-device-posture) policy. In Access, the enabled device posture attributes will appear in the list of available [selectors](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors). In Gateway, the attributes will appear when you choose the [Passed Device Posture Check](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/#device-posture) selector.

Gateway policy limitation

Gateway does not support device posture checks for the [Tanium Access integration](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/tanium/).

## 4\. Ensure traffic is going through the Cloudflare One Client

[Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/client-checks/) and [service-to-service](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/) posture checks rely on traffic going through the Cloudflare One Client to detect posture information for a device. In your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/), ensure that the following domains are included in the Cloudflare One Client:

* The IdP used to authenticate to Cloudflare Zero Trust if posture check is part of an Access policy.
* `<your-team-name>.cloudflareaccess.com` if posture check is part of an Access policy.
* The application protected by the Access or Gateway policy.

## Policy enforcement rate

Access detects changes in device posture at the same rate as the [polling frequency](#polling-frequency) configured for the posture check.

Because Gateway evaluates network and HTTP policies on every request, it maintains a local cache of posture results that is only updated every five minutes. Therefore, Gateway policies are subject to an additional five-minute delay. For example, if you set your polling frequency to 10 minutes, it may take up to 15 minutes for Gateway to detect posture changes on a device.

flowchart LR
accTitle: Device posture policy enforcement
A[Device] --schedule--> B[Cloudflare One Client]--> C((Cloudflare)) --> D[Access policy]
C --5 min--> E[Cache] --> F[Gateway policy]
A --> G[Service provider] --interval--> C

Warning

Gateway does not terminate an [active session](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/#configure-warp-sessions-in-gateway) even if a subsequent posture check fails during that session. Gateway only evaluates posture checks at the beginning of a session, and ongoing sessions will remain uninterrupted.

For example, if you establish an SSH session based on a successful posture check, but a posture requirement fails after the session has started, the session will remain active.

### Expiration

By default, the posture result on Cloudflare remains valid until it is overwritten by new data. You can specify an `expiration` time using our [API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/update/). Cloudflare recommends setting the expiration to be at least double the [polling frequency](#polling-frequency). For example, if the posture check polling frequency is set to one hour, its expiration time should be set to two hours or greater.

### Polling frequency

#### Cloudflare One Client checks

By default, the Cloudflare One Client polls the device for status changes every five minutes. To modify the polling frequency, use the API to update the [schedule](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/methods/update/) parameter.

#### Service provider checks

When setting up a [service-to-service integration](https://developers.cloudflare.com/cloudflare-one/integrations/service-providers/), you will choose a polling frequency to determine how often Cloudflare will query the third-party API. To set the polling frequency via the API, use the [interval](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/devices/subresources/posture/subresources/integrations/methods/edit/) parameter.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/reusable-components/","name":"Reusable components"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/reusable-components/posture-checks/","name":"Posture checks"}}]}
```