How to List Firewall Settings Across All Macs
Using Kolide, you can easily view and query Mac Firewall Settings across your fleet.
Introduction
The Application Firewall (often abbreviated ALF) is a security feature built into macOS that prevents unauthorized and untrusted apps from accepting network connections from the internet. Unless the Mac is using a third-party software firewall, the macOS ALF should be enabled.
You can read more about the macOS Application Firewall on Apple's support site.
What Mac Firewall Setting Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac Firewall Settings from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac Firewall Settings Schema
Column | Type | Description |
---|---|---|
id | Primary Key | Unique identifier for the object |
device_id | Foreign Key | Device associated with the entry |
device_name | Text | Display name of the device associated with the entry |
allow_signed_enabled | Boolean | |
enabled | Boolean | |
firewall_unload | Boolean | |
global_state | Enum::Integer | Describes the current state of the firewall. Can be one of the following: |
logging_enabled | Boolean | |
logging_option | Enum::Integer | Logging verbosity options for Can be one of the following: |
stealth_enabled | Boolean | |
firewall_version | Text | The text representation of the version |
firewall_version_major | Bigint | |
firewall_version_minor | Bigint | |
firewall_version_patch | Bigint | |
firewall_version_subpatch | Bigint | |
firewall_version_pre | Text | |
firewall_version_build | Text | |
collected_at | Timestamp | Time the row of data was first collected in the database |
updated_at | Timestamp | Time the row of data was last changed in the database |
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
```sql
-- Macs where the Application Firewall is disabled
SELECT
  enabled,
  device_name,
  global_state,
  stealth_enabled
FROM mac_application_layer_firewalls
WHERE enabled = 'false'
```
enabled | device_name | global_state | stealth_enabled |
---|---|---|---|
false | Johns-MacBook-Pro | 0 | false |
false | Daves-MacBook-Pro | 0 | false |
false | ashleys-mac-mini | 0 | false |
false | donut | 0 | false |
false | Conference-Room-MacBook-Air | 0 | false |
```sql
-- Macs where stealth mode is enabled
SELECT
  enabled,
  device_name,
  global_state,
  stealth_enabled
FROM mac_application_layer_firewalls
WHERE stealth_enabled = '1'
```
enabled | device_name | global_state | stealth_enabled |
---|---|---|---|
true | Daves-MacBook-Pro-2 | 1 | true |
true | Franks-MacBook-Pro-2 | 1 | true |
true | holden | 1 | true |
true | imaging-parent | 1 | true |
true | Laptop-2 | 1 | true |
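The per-device queries above can be rolled up into a fleet-level posture summary. The query below is an added example, not one of Kolide's own: it uses only columns from the schema on this page, and it assumes boolean columns compare against 'true'/'false' as in the first query above and that standard `CASE` and aggregate expressions are available where you run it.

```sql
-- Added example (not from Kolide's documentation).
-- One row per firewall version, showing how many Macs have the firewall
-- off and how many have it on but without stealth mode or logging.
-- Assumption: booleans compare against 'true'/'false', as in the
-- "WHERE enabled = 'false'" query on this page.
SELECT
  firewall_version,
  COUNT(*) AS macs,
  SUM(CASE WHEN enabled = 'false' THEN 1 ELSE 0 END) AS firewall_off,
  SUM(CASE WHEN enabled = 'true' AND stealth_enabled = 'false'
           THEN 1 ELSE 0 END) AS on_without_stealth,
  SUM(CASE WHEN enabled = 'true' AND logging_enabled = 'false'
           THEN 1 ELSE 0 END) AS on_without_logging,
  -- updated_at is when the row last changed, so this is the oldest
  -- recorded settings change within the group, not a last-seen time.
  MIN(updated_at) AS oldest_settings_change
FROM mac_application_layer_firewalls
GROUP BY firewall_version
ORDER BY firewall_off DESC, macs DESC
```

Rows with a non-zero `firewall_off` count are the ones to follow up with the first query on this page, which lists the individual devices.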
Why Should I Collect Mac Firewall Settings?
Knowing the state of the built-in Firewall can help paint a broader picture of the computer's overall security and adherence to compliance standards.
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
When you use Kolide to list Mac Firewall Setting data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which can be accessed directly by employees.