Restrict device access with CrowdStrike ZTA scores
CrowdStrike Falcon Zero Trust Assessment (ZTA) calculates a numeric trust score (from 0 to 100) for each device that runs a Falcon agent. Using that score in Tailscale access rules lets an organization grant access to sensitive resources only to devices whose trust score is high enough.
This can be achieved using Tailscale's device posture features:
- CrowdStrike Falcon posture integration, which synchronizes Zero Trust Assessment scores from CrowdStrike to device posture attributes in Tailscale.
- Device Identity Collection, which collects identifiers such as serial numbers and MAC addresses, used to match devices in Tailscale to devices in CrowdStrike.
- Posture conditions in access rules, which let you restrict access based on device attributes.
This guide explains how to enable Device Identity Collection for your Tailscale network (tailnet) and configure the CrowdStrike Falcon posture integration.
What is CrowdStrike Falcon posture integration?
The CrowdStrike Falcon integration syncs data between Falcon and Tailscale on a recurring schedule. During each sync, Tailscale performs the following actions:
- Fetches a list of hosts and their ZTA score from your Falcon account.
- Matches Falcon hosts to devices in your tailnet based on serial numbers.
- Writes the Falcon data to a device posture attribute on each matched device.
The integration writes the following device posture attribute to matched devices:
| Attribute key | Description | Allowed values |
|---|---|---|
| falcon:ztaScore | Falcon ZTA score for the device | number |
Prerequisites
- Device Identity Collection is enabled, and devices in your tailnet are reporting identifiers
- CrowdStrike Falcon API credentials
Create CrowdStrike Falcon API credentials
To authenticate your CrowdStrike Falcon account with Tailscale, you'll need to create a CrowdStrike Falcon API client. The Falcon integration uses these to fetch a list of hosts and their ZTA score from Falcon.
To create a CrowdStrike Falcon API client:
- In Falcon, open Support and resources, then API clients and keys.
- Select Create API client.
- Add a name. For the Hosts scope add Read, and for the Zero Trust scope add Read.
- Select Create, then copy the displayed Client ID and Client Secret. These are displayed only once. Also make a note of the Base URL (for example, https://api.us-2.crowdstrike.com).
Configure CrowdStrike Falcon posture integration
To configure Tailscale to fetch the ZTA score for hosts from CrowdStrike Falcon:
- Open the Device management page of the Tailscale admin console.
- Under the Device Posture Integrations section, locate the CrowdStrike Falcon integration, then select Connect.
- Select your CrowdStrike Cloud Region (the Base URL from the API client).
- Enter your Client ID and Client Secret.
- Select Connect to CrowdStrike Falcon.
Check the integration status
After you set up the CrowdStrike Falcon integration, check that it has run successfully: open the Device management page of the admin console and look at the Device Posture Integrations section, which lists the configured integrations and their status. For the CrowdStrike Falcon integration, this shows the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.
Check node attributes
After you configure CrowdStrike Falcon integration, you can confirm that Tailscale is writing the new attribute for your Falcon hosts on the Machines page of the admin console.
- Open the Machines page of the Tailscale admin console.
- Select a device to inspect.
- The attributes for the device are in the Machine Details section. This should include the falcon:ztaScore attribute.
You can also check device attributes using the Tailscale API.
Adjust Tailscale access rules
After you configure the CrowdStrike Falcon posture integration, and your devices have device posture attributes reflecting the ZTA scores reported by CrowdStrike Falcon, you can use those attributes in posture conditions within your access rules.
For example, to only permit access to tag:production from devices that have a CrowdStrike ZTA score of 70 or higher, you can create a new posture and use it as part of a corresponding access rule:
```hujson
"postures": {
  "posture:trusted": ["falcon:ztaScore >= 70"],
},
"grants": [
  {
    "src": ["autogroup:member"],
    "dst": ["tag:production"],
    "ip": ["*"],
    "srcPosture": ["posture:trusted"]
  }
]
```
You can use the visual policy editor to manage your tailnet policy file. Refer to the visual editor reference for guidance on using the visual editor.
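As an added example (not Tailscale's own code), the following Python script shows how the posture:trusted condition above is evaluated against a device's posture attributes, including the case of a device that the Falcon sync never matched and so carries no falcon:ztaScore attribute. It also includes a helper for reading attributes through the Tailscale API, as mentioned under "Check node attributes"; that helper assumes the endpoint GET /api/v2/device/{deviceId}/attributes and a tailnet API access token, and the device names and scores are constructed sample data.

```python
import json
import operator
import re
import urllib.request

# Comparison operators used in posture conditions such as "falcon:ztaScore >= 70".
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "==": operator.eq, "!=": operator.ne}
_COND_RE = re.compile(r"^\s*([\w:.-]+)\s*(>=|<=|==|!=|>|<)\s*(.+?)\s*$")

def fetch_attributes(device_id, api_token):
    """Read a device's posture attributes via the Tailscale API (assumed
    endpoint: GET /api/v2/device/{deviceId}/attributes; not run offline)."""
    req = urllib.request.Request(
        f"https://api.tailscale.com/api/v2/device/{device_id}/attributes",
        headers={"Authorization": f"Bearer {api_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("attributes", {})

def _parse_value(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]  # quoted string literal
    return float(raw) if "." in raw else int(raw)

def condition_holds(condition, attributes):
    """True only if the attribute is present and satisfies the comparison, so a
    device the Falcon sync never matched (no falcon:ztaScore) fails the posture."""
    m = _COND_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    key, op, raw = m.groups()
    return key in attributes and _OPS[op](attributes[key], _parse_value(raw))

def posture_holds(conditions, attributes):
    """A posture is a list of conditions; every one of them must hold."""
    return all(condition_holds(c, attributes) for c in conditions)

# Constructed sample devices (not real data): trusted, below threshold, unmatched.
SAMPLE_DEVICES = {
    "laptop-ok": {"falcon:ztaScore": 85, "node:os": "macos"},
    "laptop-low": {"falcon:ztaScore": 40, "node:os": "windows"},
    "no-falcon": {"node:os": "linux"},
}
TRUSTED = ["falcon:ztaScore >= 70"]  # posture:trusted from the policy above

def devices_meeting(posture, devices):
    """Names of devices whose attributes satisfy every condition in posture."""
    return sorted(n for n, a in devices.items() if posture_holds(posture, a))
```

Because a missing attribute never satisfies a condition, devices that are not matched to a Falcon host are excluded from tag:production rather than silently allowed.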
Schedule
For each configured integration, Tailscale aims to sync device posture attributes every 15 minutes, with a few exceptions:
- Adding a new integration, or changing the configuration of an existing one, triggers an out-of-schedule sync.
- If an integration fails because of an authentication error (usually caused by invalid credentials), it is paused for up to 24 hours.
Audit log events
The following audit log events are added for device posture.
| Target | Action | Description |
|---|---|---|
| Integration | Create posture integration | A new posture integration was created |
| Integration | Update posture integration | A posture integration was updated |
| Integration | Removed posture integration | A posture integration was removed |
| Node | Update node attribute | Device posture attributes for a node were changed |
