ZTNA Device Compliance fails accessing Segment application via Cloud SWG

Article ID: 280270


Products

Symantec ZTNA

Issue/Introduction

ZTNA is integrated with Cloud SWG, and users on hosts running the SEP Agent can access segment applications successfully.

The admin enabled the ZTNA device compliance policy (managed device authentication policy).

A Host Integrity policy that simply checks for the existence of a file on the Windows host was created on SESC and applied successfully.

The SEP Agent on the Windows host evaluates the policy and reports the host as non-compliant, as expected.

However, adding a segment policy in the ZTNA setup that requires the device to be authenticated by a compliant SEP Agent does not take effect: the SEP Agent device can connect to and access the segment application regardless of whether it is compliant.

The ZTNA logs confirm that access to the segment application is allowed, because ZTNA believes the SEP Agent device is compliant.

Environment

SESC.

ZTNA.

Cloud SWG segment based applications with device posture checks.

Host Integrity policy.

Cause

The message from SESC to the upstream notification service is truncated because the Host Integrity policy name contains ':' and '\' characters.

The truncation strips the key compliance information from the message, so downstream components never learn that the device failed the check.

Resolution

Make sure the Host Integrity policy name does not include special characters such as ':' or '\' (plain letters, digits and spaces are safe).

In the failing example, the policy name was 'ZTNA HI policy check for c:\sample.txt filename'. Renaming it to 'ZTNA HI policy check for sample filename' fixed the issue.

The SEP engineering team is aware of the issue and will fix it in the near future.

Additional Information

The SEP Agent sends posture information to SESC, which in turn communicates with ICDM (Symantec Integrated Cyber Defence Manager).

ZTNA ultimately receives the posture information from ICDM.

The ZTNA logs clearly showed the device posture as compliant, because that is the information ZTNA had obtained from ICDM (the ICDM back-end logs also showed the device as compliant when it should not have).

Looking at the REST calls from SEP into ICDM, the request was truncated after the special character in the policy name, so ICDM never received the accurate and complete posture information.
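The following Python script is an added illustration and is not part of this article or of any Symantec product code. It covers both the Resolution (a pre-flight check that rejects policy names containing the characters this article identifies) and the failure mode described under Additional Information (a posture record that loses its compliance field when truncated). The 'key=value;' record format, the device name, the fail-open consumer and the allow-list of safe characters are assumptions made to keep the example self-contained; the article does not show the real SESC/ICDM payload or state how ICDM interpreted the truncated request.

```python
import re

# Characters that, per this article, cause the SESC -> ICDM posture message
# to be truncated when they appear in a Host Integrity policy name.
PROBLEM_CHARS = {":", "\\"}

# Conservative allow-list for policy names. This is an assumption for the
# pre-flight check, not a documented SESC naming rule.
SAFE_CHAR = re.compile(r"[A-Za-z0-9 ._-]")

FAILING_NAME = "ZTNA HI policy check for c:\\sample.txt filename"  # name from the article
FIXED_NAME = "ZTNA HI policy check for sample filename"            # corrected name from the article

# Constructed posture record used for the illustration below. The real
# SESC/ICDM REST payload is not shown in the article; this 'k=v;k=v' form
# and the device name are assumptions.
FULL_MESSAGE = f"device=WIN-LAB-01;policy={FAILING_NAME};compliant=false"


def check_policy_name(name: str) -> list[str]:
    """Pre-flight check: return a list of problems with a policy name (empty means OK)."""
    problems = []
    for pos, ch in enumerate(name):
        if ch in PROBLEM_CHARS:
            problems.append(f"position {pos}: {ch!r} is known to truncate the posture message")
        elif not SAFE_CHAR.fullmatch(ch):
            problems.append(f"position {pos}: {ch!r} is outside the allow-list")
    return problems


def truncate_like_bug(message: str) -> str:
    """Model of the defect: drop everything from the first problem character onward."""
    cut = min((message.index(c) for c in PROBLEM_CHARS if c in message), default=len(message))
    return message[:cut]


def parse_posture(message: str) -> dict[str, str]:
    """Parse the constructed 'k=v;k=v' record into a dict; parts without '=' are skipped."""
    fields = {}
    for part in message.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_compliant_fail_open(message: str) -> bool:
    """Consumer that treats a missing 'compliant' field as compliant.

    This reproduces the symptom in the article (device allowed through), but the
    article does not state that ICDM behaves this way; it is only a model.
    """
    return parse_posture(message).get("compliant", "true") == "true"


def is_compliant_fail_closed(message: str) -> bool:
    """Consumer that requires an explicit 'compliant=true'; anything else is non-compliant."""
    return parse_posture(message).get("compliant") == "true"


if __name__ == "__main__":
    for name in (FAILING_NAME, FIXED_NAME):
        print(f"{name!r}: {check_policy_name(name) or 'OK'}")
    truncated = truncate_like_bug(FULL_MESSAGE)
    print("truncated record  :", truncated)
    print("fail-open verdict :", is_compliant_fail_open(truncated))
    print("fail-closed verdict:", is_compliant_fail_closed(truncated))
```

Running the script flags the ':' and '\' in the failing name and passes the corrected one. The truncated record ends at "...check for c", so the compliant=false field is gone: a consumer that assumes compliance when the field is absent lets the device through, which is the behaviour this article describes, while one that demands an explicit compliant=true denies it. Whichever characters the upstream fix finally permits, the second behaviour is the one to ask for from any component that turns posture data into an access decision.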