Understanding NetBird Posture Checks

Posture Checks is a security feature that enhances network protection by implementing automated assessments of a device's security status before granting network access, thus ensuring that only compliant devices can access your network resources.

In this regard, NetBird posture checks verify various aspects of a connecting device, offering granular control over network access. These checks include verifying the NetBird client version, allowing you to restrict access to peers with specific versions of the client software. Additionally, you can implement geographical restrictions based on country or region, giving you control over where connections can originate from.

The feature also allows for network-level restrictions by enabling you to allow or block specific peer network ranges. Furthermore, you can set constraints based on the operating system of the connecting device, ensuring that only approved OS versions can gain access. For an even more detailed level of control, Posture Checks can examine the running processes on a peer device, allowing or denying access based on the presence of specific applications or services.

By using these diverse checking capabilities, NetBird empowers you to create a robust and finely-tuned security posture for your network, significantly reducing the risk of unauthorized access and potential security breaches.

Setting Up Posture Checks

Setting up posture checks in NetBird is straightforward, you can follow the example in the video below:

Or follow the guide with other examples below:

Log in to your NetBird dashboard and navigate to Access Control > Posture Checks in the left menu. Click Create Posture Check or edit an existing one.

NetBird Posture Checks

A pop-up window will open with two tabs: Checks and Name & Description.

Create Posture Check

From here, you can manage access with posture checks based on several aspects:

NetBird Client Version

Restrict access to peers with specific NetBird client versions, thus ensuring that all devices connecting to the network use up-to-date, secure client software.

NetBird Client Version Posture Check

Country and Region

Limit network access based on geographical location, helping comply with data regulations or restrict access from high-risk areas. Note that you have two tabs available for this: Allow (green) and Block (red), making it easy to set up your preferred access rules..

Country and Region Posture Check

When allowing access from specific locations in the network settings, all other locations are automatically blocked. Conversely, blocking certain locations means only those are blocked, while access remains open for all other locations.

Peer Network Range

This posture check lets you precisely control network access by specifying which IP ranges can connect to your network. You can create policies allowing only connections from approved locations, such as office networks or trusted remote work setups. Additionally, you can enhance security by blocking high-risk IP ranges working in tandem with geo-based posture checks. This granular control helps create a more secure network environment by limiting access to known, trusted sources while preventing connections from potentially risky or unauthorized IP addresses.

Peer Network Range Posture Check

The check evaluates a peer against two sources of address information:

The peer's local network interfaces — the IP addresses configured on the device's NICs (e.g. the office LAN 192.168.1.0/24 the device is plugged into).
The peer's public connection IP — the source IP the NetBird management server observes when the peer connects (i.e. the egress / NAT'd IP).

A configured range matches when it contains any of these addresses, so the same check covers both private subnets and public CIDRs. Both IPv4 and IPv6 are supported. A few examples:

Block a single office public IPv4: 203.0.113.10/32
Allow a public ISP/office block: 1.0.0.0/24 or 3.0.0.0/23
Block an entire private network: 192.168.1.0/24
Block a single IPv6 host: 2001:db8::1/128
Block an IPv6 prefix: 2001:db8::/48

Matching against the public connection IP requires the management server to see the peer's real source IP. If NetBird sits behind a reverse proxy or load balancer, ensure the proxy forwards the client IP (e.g. via the PROXY protocol or X-Forwarded-For); otherwise the check will only see the proxy's IP. A quick sanity check: the country and city resolved on the peer in the dashboard should reflect the peer's actual location, not your proxy's.

Operating System

Restrict access based on the connecting device's OS, ensuring only approved and potentially more secure operating systems can connect.

Operating System Posture Check

The Operating System Check requires NetBird version 0.26.0 or newer.

The check evaluates the actual OS version for Android, macOS, and iOS, while for Linux and Windows, it assesses the kernel version.

Below are some examples of OS versions for each operating system:

Android 14 Upside Down Cake: 14, 14.3
macOS 13 Ventura: 13, 13.6.4
macOS 14 Sonoma: 14, 14.3.1
iOS 16 / iPadOS 16: 16, 16.7.5
Linux kernel: 6, 6.7.5
Windows 10, version 22H2: 10.0.19045
Windows 11, version 23H2: 10.0.22631
Windows Server 2022, Version 21H2: 10.0.20348

Process

Limit network access based on specific applications or services running on the connecting device. By verifying specific applications or processes, you ensure that only devices running essential security software, such as antivirus, firewalls, or endpoint protection agents, can connect to your network, reducing the risk of malware entering your network through unprotected devices. It also aids in maintaining compliance with regulatory requirements by enforcing consistent security measures across all devices.

Furthermore, this process-based posture check allows you to create specific policies for different user groups or network segments based on their unique security needs. Working in conjunction with other posture checks in NetBird, this setting offers a comprehensive and user-friendly approach to network security.

Process Posture Check

Name & Description

After enabling the desired posture check, go to the Name & Description tab. Here, enter a descriptive name for your newly created posture check and save it.

Name your Posture Check

You'll notice a gray dot to the left of the posture check name, indicating it's inactive. To activate the posture check, you need to link it to an access control policy.

New Posture Check

Applying Posture Checks to Access Control Policies

To apply a posture check:

Create or edit an access control policy.
Find the Posture Checks tab within the policy settings.
Choose Browse Checks to select an existing check or New Posture Check to create one.

Note that you can add multiple posture checks to a single policy as needed for comprehensive security.

Add Posture Check to Access Control Policy

After adding the posture check, it will appear in the POSTURE CHECKS column. For easy management, you can click on it to edit the access control policy, allowing you to add or remove posture checks as needed.

Access Control Policies Dashboard

If you revisit the Posture Checks dashboard, you'll notice a green dot next to your recently configured posture check. This color shift indicates that the posture check is now active and integrated into your network security framework, actively contributing to your system's protection.

Posture Checks Dashboard

Following these steps, you can effectively implement and manage NetBird's Posture Checks, significantly enhancing your network's security posture.

Known Limitations

Peer Network Range Check on Mobile Platforms

iOS and Android do not allow applications to enumerate the device's local network interfaces, so ranges intended to match a peer's local NIC IPs (e.g. an office LAN like 192.168.1.0/24) cannot be evaluated on those platforms.

Ranges that target the public connection IP still work on mobile, because the management server observes that source IP itself — it does not depend on anything the client reports. So public CIDRs (e.g. 203.0.113.10/32, 1.0.0.0/24) and public-IP-based deny/allow rules behave the same on mobile as on desktop.

Affected platforms:

iOS
Android

Impact:

If a policy's Peer Network Range posture check relies on local NIC ranges, the check cannot match on mobile clients and routes gated by that policy may become unavailable on those devices — even when the device is outside the blocked local range.

Recommendation:

If your deployment includes iOS or Android clients and you need to gate on local network membership, consider one of the following:

Create separate policies for mobile clients that do not include local-NIC-based Peer Network Range posture checks
Use alternative posture checks (such as Geo Location) that are supported on mobile platforms
Use Peer Network Range checks based on the public connection IP, which work on every platform
Apply local-NIC-based Peer Network Range posture checks only to policies targeting desktop platforms (Windows, macOS, Linux)

Get started with NetBird

Make sure to star us on GitHub
Follow us on X
Join our Slack Channel
NetBird latest release on GitHub

Platforms

Peers

Access Control

Networks

Network Routes

Reverse Proxy

DNS

Team

Activity

Settings

Integrations

Public API

For Partners

Maintenance

Authentication

Migration Guides