Using Kolide, you can easily view and query Mac Firewall Settings across your fleet.
Introduction
The Application Firewall (often abbreviated ALF) is a security featurebuilt-into macOS that prevents unauthorized and untrusted apps from acceptingnetwork connections from the internet. Unless the Mac is using a third-partysoftware firewall, the macOS ALF should be enabled.
You can read more about the macOS Application Firewall onApple's support site
What Mac Firewall Setting Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac Firewall Settings from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac Firewall Settings Schema
| Column | Type | Description | |
|---|---|---|---|
| id | Primary Key | Unique identifier for the object | |
| device_id | Foreign Key | Device associated with the entry | |
| device_name | Text | Display name of the device associated with the entry | |
| allow_signed_enabled | Boolean |
| |
| enabled | Boolean |
| |
| firewall_unload | Boolean |
| |
| global_state | Enum::Integer | Describes the current state of the firewall Can be one of the following:
| |
| logging_enabled | Boolean |
| |
| logging_option | Enum::Integer | Logging verbosity options for Can be one of the following:
| |
| stealth_enabled | Boolean |
| |
| firewall_version | Text | The text representation of the version | |
| firewall_version_major | Bigint |
| |
| firewall_version_minor | Bigint |
| |
| firewall_version_patch | Bigint |
| |
| firewall_version_subpatch | Bigint |
| |
| firewall_version_pre | Text |
| |
| firewall_version_build | Text |
| |
| collected_at | Timestamp | Time the row of data was first collected in the database | |
| updated_at | Timestamp | Time the row of data was last changed in the database |
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
Find devices which do not have the built-in macOS firewall enabled
Show Query
Determine which devices have the Firewall Stealth Mode enabled
Show Query
Find devices which do not have the built-in macOS firewall enabled
Kolide SQL
SELECT enabled, device_name, global_state, stealth_enabled FROM mac_application_layer_firewalls WHERE enabled = 'false'Example Results
| enabled | device_name | global_state | stealth_enabled |
|---|---|---|---|
| false | Johns-MacBook-Pro | 0 | false |
| false | Daves-MacBook-Pro | 0 | false |
| false | ashleys-mac-mini | 0 | false |
| false | donut | 0 | false |
| false | Conference-Room-MacBook-Air | 0 | false |
Determine which devices have the Firewall Stealth Mode enabled
Kolide SQL
SELECT enabled, device_name, global_state, stealth_enabled FROM mac_application_layer_firewalls WHERE stealth_enabled = '1'Example Results
| enabled | device_name | global_state | stealth_enabled |
|---|---|---|---|
| true | Daves-MacBook-Pro-2 | 1 | true |
| true | Franks-MacBook-Pro-2 | 1 | true |
| true | holden | 1 | true |
| true | imaging-parent | 1 | true |
| true | Laptop-2 | 1 | true |
Why Should I Collect Mac Firewall Settings?
Knowing the state of the built-in Firewall can help paint a broaderpicture of the computer's overall security and adherence to compliancestandards.
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
When you use Kolide to list Mac Firewall Setting data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
