Custom Posture Check Management
Manage custom posture checks in Strata™ Cloud Manager's Unified Incident Framework to enforce security policies and maintain compliance.
Where Can I Use This?
  • NGFW
  • Prisma® Access
What Do I Need?
  • Strata Cloud Manager Pro
  • Panorama® CloudConnector Plugin 3.0.0 for Panorama-managed deployments
  • Traffic logs in Strata Logging Service
Custom posture checks are configurable rules within Strata Cloud Manager's Unified Incident Framework that evaluate configuration compliance against your defined security policies. Posture Checks—which include pre-defined best practices—are global to your tenant. This means they appear in every incident setting and deliver verdicts regardless of your specific configuration. Incident Settings function as a filter applied to those verdicts, enabling you to define exceptions or trigger specific notification profiles. The behavior of these exceptions may vary based on which feature utilizes the check results.
Posture checks are organized under the Posture product category in your environment. This hierarchy subdivides into Configuration, which includes subcategories such as:
  • Infrastructure Best Practice & Compliance
  • Network Best Practice & Compliance
  • Security Best Practice & Compliance
This structure provides a logical framework for categorizing and locating specific checks.
Posture Check incident codes use the format: INC_BPA_OBJECT_NAME_POSTURE_CHECK_VIOLATION. For instance, if you manage checks that assess the Security Policy configuration object, the incident code you use is: INC_BPA_SECURITY_POLICY_POSTURE_CHECK_VIOLATION. You can quickly find the setting for a specific check by using the "Incident Code" filter at the top of the page. To manage the example check, search for "security_policy" in the Incident Code filter's search box.
Exceptions
Exceptions allow you to bypass specific posture check verdicts under defined circumstances, providing flexibility in policy enforcement. You can configure exceptions at two distinct levels: global and scope-based.
Global exceptions apply universally across all scopes within your tenant. You define them within the default incident code settings for a specific check, providing a broad mechanism to disable or enable a check's enforcement across your entire environment.
Scope-based exceptions offer more granular control, allowing you to define exceptions for specific configuration objects or groups. You configure these within custom settings, and they follow 'longest match' logic, meaning a custom setting with more specific match criteria overrides a broader default setting. This allows for exceptions down to a single configuration object, such as a particular security policy in your network. See Incident Setting Resolution.
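The two exception levels and the 'longest match' resolution described above, as an added illustrative model (not Strata Cloud Manager's own code): a default setting with no criteria, a scope-based custom setting, and a narrower one that excepts a single configuration object. Context keys such as "folder" and "object_name" are assumed here, not the product's schema.

```python
# Constructed model of incident-setting resolution (keys like "folder" are assumed, not the product's schema).
DEFAULT_SETTING = {"match": {}, "enabled": True, "notify": "soc-default"}
CUSTOM_SETTINGS = [
    # Scope-based: route findings in one folder to its own notification profile.
    {"match": {"folder": "Branch-Offices"}, "enabled": True, "notify": "branch-team"},
    # Scope-based exception narrowed to a single configuration object.
    {"match": {"folder": "Branch-Offices", "object_name": "SEC-017-legacy-printer"},
     "enabled": False, "notify": None},
]

def matches(setting, ctx):
    """A setting applies when every one of its match criteria equals the object's context."""
    return all(ctx.get(k) == v for k, v in setting["match"].items())

def resolve_setting(ctx, custom=CUSTOM_SETTINGS, default=DEFAULT_SETTING):
    """Longest match: among applicable settings, the one with the most criteria wins;
    the default setting (no criteria) applies when nothing more specific matches."""
    applicable = [s for s in custom if matches(s, ctx)]
    return max(applicable, key=lambda s: len(s["match"]), default=default)

def apply_exceptions(raw_verdict, ctx):
    """Exceptions filter the verdict the check already produced; they do not change the check."""
    setting = resolve_setting(ctx)
    if not setting["enabled"]:
        return ("Excepted", None)
    return (raw_verdict, setting["notify"] if raw_verdict == "Fail" else None)
```

Toggling `enabled` on DEFAULT_SETTING models a global exception: with no narrower custom setting matching, every scope inherits it.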

Manage Custom Posture Checks

To manage custom posture checks in your Strata Cloud Manager environment, follow these steps to define, evaluate, and enforce security policies.
  1. Select Incidents > Incidents > Settings to navigate to incident settings.
  2. Expand Posture under Default Settings.
  3. Locate specific posture checks using the Incident Code filter.
  4. Select the incident code to open the side panel and view details.
    You can see all the existing pre-defined (best practice) and custom checks for the configuration object at the end of the side panel. You cannot directly edit pre-defined "best practice" checks; however, if you have a Strata Cloud Manager Pro license, you can clone the pre-defined checks or directly create a custom check, and you can edit both.
    Although Strata Cloud Manager does not provide predefined best practices for every incident code, Custom Posture Checks support all configuration objects. If an incident code such as INC_BPA_ADDRESS_POSTURE_CHECK_VIOLATION lacks a built-in check, you can still enforce your own organizational standards, such as regex-based naming conventions, by creating a custom posture check.
  5. Clone a predefined check or create a new custom check.
    • To clone an existing check, select a predefined check or a default setting and then select Clone under Actions.
    • To create a new check, select +Add Custom Check to <Incident Code>.
  6. Configure the check metadata.
    • Enter a Name and provide a Description.
    • The Object Type is auto-populated and you can't edit it.
    • Confirm the Policy Manager Type, which identifies if the check evaluates configurations from:
      • Strata Cloud Manager
      • Panorama®
    If you are managing your configuration via Panorama, the CloudConnector plugin is required. This plugin allows the custom check logic builder to auto-populate configuration objects directly from your Panorama configuration.
    • Select the Rule Type. This field is only available when the object is "Security Policy" and Strata Cloud Manager is the Policy Manager type. Strata Cloud Manager uses two distinct rulebases: "Security Policy" and "Internet Access Policy." When creating a check, you must select one or both of these rule types. Because Internet Access Policies are a subset of Security Policies, they do not support the evaluation of the same full set of fields, which necessitates this distinction.
  7. Build the check logic using the Logic Builder.
    The Logic Builder is the core mechanism for constructing and visualizing the evaluation criteria for custom posture checks. It allows you to define precise conditions that configurations must meet to be deemed compliant. The Logic Builder can also evaluate referenced objects, such as ensuring a specific vulnerability profile is attached to a security policy.
    The Logic Builder provides three distinct methods for constructing check logic:
    • Expressions — Simple, single-line blocks linked by Boolean AND or OR logic, used for straightforward conditions where multiple criteria must be met or where any of several conditions indicates compliance.
    • Conditionals — If-then-else blocks designed for complex scenarios requiring branching logic based on specific conditions, enabling the definition of sophisticated evaluation paths.
    • Groups — Bundles of expressions and conditionals that are evaluated together to produce a single true or false result, providing a way to organize and combine multiple logical components into a cohesive unit.
    Define the conditions the configuration must meet, including evaluations of referenced objects (for example, ensuring a specific vulnerability profile is attached to a security policy).
    The final verdict of your logic is always True or False. By default, "True" equals "Pass." However, if you are writing logic to find a violation, you can use the selection at the bottom to invert this, so that a "True" result renders a "Fail" verdict.
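The three Logic Builder constructs, the referenced-object evaluation and the Pass/Fail inversion from step 7, as an added illustrative model in Python (not the product's engine or schema): expressions are single-field conditions, `all_of`/`any_of` act as AND/OR groups, `conditional` is the if-then-else block, and `verdict` applies the default "True equals Pass" or the inverted violation-style reading. The rule fields, profile names and naming-convention regex are constructed sample data.

```python
import re

# Constructed sample data (illustrative field names, not Strata Cloud Manager's schema).
VULN_PROFILES = {"strict-vuln": {"action": "reset-both"}, "alert-only": {"action": "alert"}}
RULES = {
    "SEC-001-web": {"name": "SEC-001-web", "action": "allow", "source": ["trust"],
                    "destination": ["any"], "application": ["web-browsing"],
                    "vulnerability_profile": "strict-vuln"},
    "SEC-002-dmz": {"name": "SEC-002-dmz", "action": "allow", "source": ["any"],
                    "destination": ["any"], "application": ["any"],
                    "vulnerability_profile": "alert-only"},
    "SEC-003-deny": {"name": "SEC-003-deny", "action": "deny", "source": ["any"],
                     "destination": ["any"], "application": ["any"]},
}

def expr(field_name, op, value):  # Expression: one single-line condition on a field
    ops = {"eq": lambda a, b: a == b, "in": lambda a, b: a in b,
           "matches": lambda a, b: re.fullmatch(b, str(a)) is not None}
    return lambda obj: ops[op](obj.get(field_name), value)

def all_of(*conds):  # Group: expressions/conditionals linked by AND, one True/False result
    return lambda obj: all(c(obj) for c in conds)

def any_of(*conds):  # Group: expressions/conditionals linked by OR
    return lambda obj: any(c(obj) for c in conds)

def conditional(test, then, otherwise):  # Conditional: if-then-else branching
    return lambda obj: then(obj) if test(obj) else otherwise(obj)

def referenced(field_name, table, cond):  # Evaluate a referenced object (e.g. attached profile)
    return lambda obj: cond(table.get(obj.get(field_name), {}))

def verdict(logic, obj, true_means_fail=False):
    """Final verdict: True is Pass by default; invert when the logic describes a violation."""
    return "Fail" if bool(logic(obj)) == true_means_fail else "Pass"

# Pass-style check: allow rules must reference a blocking vulnerability profile; deny rules pass.
PROFILE_CHECK = conditional(
    expr("action", "eq", "allow"),
    referenced("vulnerability_profile", VULN_PROFILES,
               expr("action", "in", {"reset-both", "drop"})),
    lambda obj: True)
# Violation-style check (inverted verdict): allow rule open to any source/destination/application.
OVERLY_PERMISSIVE = all_of(expr("action", "eq", "allow"), expr("source", "eq", ["any"]),
                           expr("destination", "eq", ["any"]), expr("application", "eq", ["any"]))
def evaluate(rule):
    return {"profile": verdict(PROFILE_CHECK, rule),
            "permissive": verdict(OVERLY_PERMISSIVE, rule, true_means_fail=True),
            "naming": verdict(expr("name", "matches", r"SEC-\d{3}-[a-z0-9-]+"), rule)}
```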
  8. Configure the 'block' action if it is applicable. Select the Block option to prevent the deployment of non-compliant configurations.
    In Strata Cloud Manager, the 'block' action is enforced in real time for security policies, providing immediate or near-immediate prevention of non-compliant security policy deployments. For all other configuration objects, enforcement occurs at push time. You need a Strata Cloud Manager Pro tier license to use the block action.
    When you manage configurations via Panorama, the 'block' action is enforced at commit time for all objects. This involves sending the configuration to the cloud for analysis before the commit is finalized.
  9. Create global exceptions that apply to all the scopes.
    In the Default incident setting, toggle the Enabled switch for the desired check.
  10. Create scope-based exceptions.
    Navigate to Custom Settings and define granular match criteria to apply exceptions to specific parts of your environment. Narrow the scope down to a single configuration object, such as a specific security policy, for targeted exceptions. See Incident Setting Resolution.
  11. Save Setting.