.. _mac-firewall:

Control macOS Firewall
==================================

- Allow or block traffic based on rules.
- Control network traffic using rules such as App Bundle ID, App Path, protocol, port, remote IP, etc.

Configure macOS Firewall Control Options
----------------------------------------

#. **Rule Selection**: Select either a General Rule or an Internet Kill Switch rule.
#. **General Rule**: Allows all Internet traffic except connections matched by a block rule. It operates in BlackList mode.
#. **Internet Kill Switch**: Blocks all Internet traffic except connections matched by an allow rule. It operates in WhiteList mode.
#. **Connection Allow/Block Rule**: Select the conditions of the rule you want to control using direction, app path, app bundle ID, protocol, remote IP, port, etc.
#. **Notification Message**: Displays a pop-up message to the user when traffic is blocked by a rule.
#. **Prevent Duplicate Message Notification**: Suppresses duplicate notification messages when multiple blocked connections occur within a short interval.
#. **Prevent Duplicate Message Notification Time**: The period during which duplicate notification messages are suppressed.

Add Agent Action to a Policy
----------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy > Agent Action** in the left Policy panel.
#. Find and click **Control macOS Firewall** in the Agent Action window.
#. Add **Conditions** and **Agent Actions**.
#. Go to **Policy > Node Policy** in the left Policy panel.
#. Find and click the **Node Policy** to configure the network blocking policy.
#. Find the **Agent Action** section. Click **Assign**.
#. Locate **Control macOS Firewall** and move it to the **Selected** column.
#. Click **Add**.
#. Click **Apply** in the top right. Click **Close**.

Configure Network Blocking Policies in Enforcement Policy
---------------------------------------------------------

**Step 1. Create Agent Action For Enforcement Policy**

#. Go to **Policy** in the top panel.
#. Go to **Enforcement Policy > Agent Action** in the left panel.
#. Go to **Tasks > Create**.

   | Under **General**

#. For **ID**, type a unique name.
#. For **Description**, enter a brief description of what this Agent Action is for.
#. Find the **Agent Action** section and configure the following options:

   - **OS Type** (*macOS*)
   - **Condition** (*Set the operating conditions*)
   - **Plugin** (*Network Control*)
   - **Settings** (*Set user notifications and custom rules*)
   - **Language**
   - **OS Edition**

#. Click **Create**.
#. Click **Apply** in the top right corner.

.. note:: Using the agent action in an enforcement policy is optional; it is not required.

**Step 2. Create Enforcement Policy**

#. Go to **Policy** in the top panel.
#. Go to **Policy > Enforcement Policy** in the left Policy panel.
#. Click **Tasks > Create**.
#. On the **Action** tab, click **Next**.
#. On the **General** tab, create an **ID** and enter a brief **Description** to identify what the policy does (*Priority stays as default. Status should be Enabled*). Click **Next**.
#. On the **Node Group** tab, select the **Node Group** that was created, move it to the **Selected** section and click **Next**.
#. On the **Permission** tab, select an **Available Permission**, move it to **Selected** and click **Next**.
#. The **Redirection Action** tab is optional, for setting **CWP** and **Switch Block** options. Click **Next**.
#. The **Agent Action** tab is **optional**, for adding an **Agent Action**. Click **Finish**.

Internet Kill Switch
---------------------

This feature automatically blocks general Internet traffic on the endpoint when the VPN tunnel is abnormal or disconnected, preventing data/IP leaks.

- Ensures a forced VPN connection when used with the Always-On option of the ZTNA Connection Manager action. For instructions on using the ZTNA Connection Manager, refer to the :doc:`../system/ztna_client` document.

Configuration Method
~~~~~~~~~~~~~~~~~~~~

Assign the minimum policy required to connect to the VPN.
When the Internet Kill Switch setting is On, all Internet traffic is blocked and the rule set operates in WhiteList mode: only connections matched by an allow rule are permitted.

1. Go to **Policy** in the top menu.
2. Go to **Policy > Node Policy** in the left policy menu.
3. Click the Node Policy to which you want to apply the Internet Kill Switch.
4. In the **Agent Action** section, assign the **Control macOS Firewall** node action.
5. Enable the **Internet Kill Switch** option.

When using ZTNA-Client, assign the minimum policy as follows.

.. list-table::
   :header-rows: 1
   :widths: 7 7 7 16

   * - Direction
     - Application
     - Remote IP
     - Protocol
   * - Outbound
     - Any
     - ZTNA Gateway IP or Domain
     - TCP, Custom Port: 1194
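The following script is an added example, not part of this page or of the product: it renders a rule table in the shape of the one above into pf (packet filter) syntax so that the difference between the General Rule (BlackList mode, described under the control options) and the Internet Kill Switch (WhiteList mode) is concrete and can be inspected. pf is used only as a familiar notation for the resulting policy; how the agent itself enforces rules is not described on this page and is not claimed here. The gateway address 203.0.113.10 and the function name ``gen_rules`` are assumptions made for the example, and pf cannot match on app path or bundle ID, so the Application column is carried through only as a comment.

```sh
#!/bin/sh
# Added example (not Genian NAC code): render a "Control macOS Firewall" rule
# table into pf syntax to show BlackList (General Rule) vs WhiteList
# (Internet Kill Switch) semantics. pf cannot filter by app path or bundle
# ID, so the Application column is emitted only as a trailing comment.

# Constructed rule table, one rule per line, mirroring the page's minimum
# ZTNA policy: direction application remote-ip protocol port.
# 203.0.113.10 is a documentation address standing in for the ZTNA Gateway IP.
RULES='outbound Any 203.0.113.10 TCP 1194'

# gen_rules MODE
#   general    -> default "pass all",  listed rules become "block" (BlackList)
#   killswitch -> default "block all", listed rules become "pass"  (WhiteList)
# pf applies the last matching rule, so the default policy is printed first
# and the specific rules after it override it.
gen_rules() {
    mode="$1"
    case "$mode" in
        general)    default_action=pass;  rule_action=block ;;
        killswitch) default_action=block; rule_action=pass  ;;
        *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac

    printf '# mode: %s\n' "$mode"
    printf 'set skip on lo0\n'            # never cut the endpoint off from itself
    printf '%s all\n' "$default_action"

    printf '%s\n' "$RULES" | while read -r dir app remote proto port; do
        [ -n "$dir" ] || continue
        proto=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')   # pf wants lowercase
        case "$dir" in
            # outbound: remote is the destination, port is the destination port
            outbound) match="out proto $proto to $remote port $port" ;;
            # inbound: remote is the source, port is the local destination port
            inbound)  match="in proto $proto from $remote to any port $port" ;;
            *) printf '# skipped rule with unknown direction: %s\n' "$dir"; continue ;;
        esac
        # keep state so replies to an allowed connection are not dropped
        printf '%s %s keep state # app: %s\n' "$rule_action" "$match" "$app"
    done
}

# Stand-alone use: sh gen_rules.sh killswitch   (mode defaults to killswitch)
gen_rules "${1:-killswitch}"
```

Running it in ``killswitch`` mode prints ``block all`` followed by a single ``pass out proto tcp to 203.0.113.10 port 1194`` rule, which is exactly the minimum policy in the table: nothing leaves the endpoint except the tunnel set-up traffic to the gateway. Two things to check when testing a real kill-switch policy, neither of which the page specifies: the example assumes the gateway is given as an IP, so if you enter a domain instead, name resolution must itself be possible before the tunnel is up; and any other traffic the endpoint needs outside the tunnel has to be added as an explicit allow rule.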