Control macOS Firewall
Allow or block traffic based on rules.
Control network traffic using rules such as App BundleID, App Path, protocol, port, remote IP, etc.
Configure macOS Firewall Control Options
Rule Selection: You can select a general rule and an Internet Kill Switch rule.
General Rule: Allows all Internet except for the connection blocking rule. It operates in BlackList mode.
Internet Kill Switch: Blocks all Internet except for the connection allowance rule. It operates in WhiteList mode.
Connection Allow/Block Rule: Select the conditions of the rule you want to control using direction, app path, app bundle ID, protocol, remote IP, port, etc.
Notification Message: Displays a pop-up message to the user when traffic is blocked due to a rule.
Prevent Duplicate Message Notification: Suppresses repeated notification messages when several blocked connections occur within a short interval.
Prevent Duplicate Message Notification Time: The period during which repeated notification messages for the same block are suppressed.
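The two modes above (General rule = BlackList, Internet Kill Switch = WhiteList) and the duplicate-notification window can be modelled in a few lines. This is an added illustration of the rule semantics described on this page, not the product's own code or configuration format; the class and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the page's rule semantics, not the product's own code.
@dataclass
class Connection:
    direction: str     # "in" or "out"
    app_path: str
    bundle_id: str
    protocol: str      # "tcp" or "udp"
    remote_ip: str
    port: int

@dataclass
class Rule:
    """Allow/block rule; a None field means 'any'. All set fields must match."""
    direction: Optional[str] = None
    app_path: Optional[str] = None
    bundle_id: Optional[str] = None
    protocol: Optional[str] = None
    remote_ip: Optional[str] = None
    port: Optional[int] = None

    def matches(self, c: Connection) -> bool:
        return all(want is None or want == getattr(c, name)
                   for name, want in vars(self).items())

class Firewall:
    def __init__(self, kill_switch: bool, rules, dedup_seconds: float = 0.0):
        self.kill_switch = kill_switch   # True: WhiteList, False: BlackList
        self.rules = list(rules)         # allow rules if kill switch, else block rules
        self.dedup_seconds = dedup_seconds
        self._last_notified = {}         # (bundle_id, remote_ip, port) -> timestamp

    def decide(self, c: Connection) -> str:
        matched = any(r.matches(c) for r in self.rules)
        if self.kill_switch:
            return "allow" if matched else "block"   # default deny
        return "block" if matched else "allow"       # default allow

    def should_notify(self, c: Connection, now: float) -> bool:
        """Show the block pop-up unless the same block repeated within the window."""
        if self.decide(c) != "block":
            return False
        key = (c.bundle_id, c.remote_ip, c.port)
        last = self._last_notified.get(key)
        if last is not None and now - last < self.dedup_seconds:
            return False
        self._last_notified[key] = now
        return True
```

In kill-switch mode the allow list should contain only what the VPN tunnel itself needs (for example the gateway address and its protocol/port); everything else, including DNS, is then blocked until the tunnel is up.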
Add Agent Action to a Policy
Go to Policy in the top panel.
Go to Policy > Node Policy > Agent Action in the left Policy panel.
Find and click Control macOS Firewall in the Agent Action Window.
Add Conditions and Agent Actions.
Go to Policy > Node Policy in the left Policy panel.
Find and Click the Node policy to configure the network blocking policy.
Find Agent Action section. Click Assign.
Locate Control macOS Firewall and move to Selected column.
Click Add.
Click Apply in the top right. Click Close.
Configure Network Blocking Policies in Enforcement Policy
Step 1. Create Agent Action For Enforcement Policy
Go to Policy in the top panel.
Go to Enforcement Policy > Agent Action in the left panel.
Go to Tasks > Create.
For ID, type a unique name.
For Description, type a brief description of what this is for.
Find Agent Action section and configure the following options:
OS Type (macOS)
Condition (Set the operating conditions)
Plugin (Network Control)
Settings (Set user notifications and custom rules)
Language
OS Edition
Click Create
Click Apply in top right corner.
Note
Using the agent action in an enforcement policy is optional; it is not required.
Step 2. Create Enforcement Policy
Go to Policy in the top panel.
Go to Policy > Enforcement Policy in the left Policy panel.
Click Tasks > Create.
On the Action tab, click Next.
On the General tab, create an ID and enter a brief Description to identify what the policy does (Priority stays at the default; Status should be Enabled). Click Next.
On the Node Group tab, select the Node Group that was created, move it to the Selected section and click Next.
On the Permission tab, select an Available Permission, move it to Selected and click Next.
The Redirection Action tab is optional, for setting CWP and Switch Block options. Click Next.
The Agent Action tab is optional, for adding an Agent Action. Click Finish.
Internet Kill Switch
This feature automatically blocks general internet traffic on the endpoint when the VPN tunnel is abnormal or disconnected, preventing data and IP leaks.
Used together with the Always-On option of the ZTNA Connection Manager action, it enforces a mandatory VPN connection.
For instructions on using the ZTNA Connection Manager, refer to the ZTNA-Client document.
Configuration Method
Assign the minimum policy required to connect to the VPN. When the Internet Kill Switch setting is On, all internet traffic is blocked and the firewall operates in WhiteList mode.
Go to Policy in the top menu.
Go to Policy > Node Policy in the left policy menu.
Click the Node Policy to which you want to apply the Internet Kill Switch.
In the Agent Action section, assign the Control macOS Firewall node action.
Enable the Internet Kill Switch option.
When using ZTNA-Client, assign the minimum policy as follows.