.. _mac-firewall:

Control macOS Firewall
==================================

- Allow or block traffic based on rules.
- Control network traffic using rules such as App BundleID, App Path, protocol, port, remote IP, etc.

Configure macOS Firewall Control Options
----------------------------------------

#. **Rule Selection**: You can select a general rule and an Internet Kill Switch rule.
#. **General Rule**: Allows all Internet traffic except for connections matched by a blocking rule. It operates in BlackList mode.
#. **Internet Kill Switch**: Blocks all Internet traffic except for connections matched by an allowance rule. It operates in WhiteList mode.
#. **Connection Allow/Block Rule**: Select the conditions of the rule you want to control using direction, app path, app bundle ID, protocol, remote IP, port, etc.
#. **Notification Message**: Displays a pop-up message to the user when traffic is blocked by a rule.
#. **Prevent Duplicate Message Notification**: Does not display duplicate notification messages when multiple traffic events occur at short intervals.
#. **Prevent Duplicate Message Notification Time**: Does not display duplicate notification messages for a specified period of time.

Internet Kill Switch
---------------------

This feature automatically blocks general internet traffic on the endpoint when the VPN tunnel is abnormal or disconnected, preventing data/IP leaks.

- Ensures a forced VPN connection when used with the Always-On option of the ZTNA Connection Manager action. For instructions on using the ZTNA Connection Manager, refer to the :doc:`../system/ztna_client` document.

Configuration Method
~~~~~~~~~~~~~~~~~~~~

Assign the minimum policy required to connect to the VPN. When the Internet Kill Switch setting is On, all internet traffic is blocked, and the firewall operates in a WhiteList manner.

1. Go to **Policy** in the top menu.
2. Go to **Policy > Node Policy** in the left policy menu.
3. Click the Node Policy to which you want to apply the Internet Kill Switch.
4. In the **Agent Action** section, assign the **Control macOS Firewall** node action.
5. Enable the **Internet Kill Switch** option.

When using ZTNA-Client, assign the minimum policy as follows.

.. list-table::
   :header-rows: 1
   :widths: 7 7 16 20

   * - Direction
     - Application
     - Remote IP
     - Protocol
   * - Outbound
     - Any
     - ZTNA Gateway IP or Domain
     - TCP, Custom Port: 1194
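The following is an added example, not Genians' agent code, that models the rule semantics described on this page: the **General Rule** (BlackList: allow unless a rule matches) versus the **Internet Kill Switch** (WhiteList: block unless a rule matches), rule conditions on direction, app path, bundle ID, protocol, remote IP/domain and port, and the duplicate-notification suppression window. The gateway address ``203.0.113.10``, the bundle IDs, the app paths and the field names are constructed placeholders; how the real agent matches flows is an assumption.

```python
"""Model of the macOS Firewall control modes described in the documentation.

Added example (not the vendor's code). Rule fields mirror the conditions
listed on the page; the matching logic itself is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    direction: str = "any"           # "outbound", "inbound" or "any"
    app_path: Optional[str] = None   # exact application path, None = any app
    bundle_id: Optional[str] = None  # application bundle ID, None = any
    protocol: Optional[str] = None   # "tcp" / "udp", None = any protocol
    remote: Optional[str] = None     # IP, CIDR or domain name, None = any
    port: Optional[int] = None       # remote port, None = any port


@dataclass
class Flow:
    direction: str
    app_path: str
    bundle_id: str
    protocol: str
    remote_ip: str
    port: int
    remote_host: Optional[str] = None  # resolved domain name, if known


def _remote_matches(rule_remote: Optional[str], flow: Flow) -> bool:
    if rule_remote is None:
        return True
    try:
        # IP or CIDR condition
        return ip_address(flow.remote_ip) in ip_network(rule_remote, strict=False)
    except ValueError:
        # Not an IP/CIDR: treat the condition as a domain name
        return flow.remote_host is not None and flow.remote_host.lower() == rule_remote.lower()


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.direction in ("any", flow.direction)
        and (rule.app_path is None or rule.app_path == flow.app_path)
        and (rule.bundle_id is None or rule.bundle_id == flow.bundle_id)
        and (rule.protocol is None or rule.protocol.lower() == flow.protocol.lower())
        and (rule.port is None or rule.port == flow.port)
        and _remote_matches(rule.remote, flow)
    )


def decide(mode: str, rules: list, flow: Flow) -> str:
    """Return "allow" or "block".

    general:     BlackList - allow everything except flows matching a block rule.
    kill_switch: WhiteList - block everything except flows matching an allow rule.
    """
    matched = any(rule_matches(r, flow) for r in rules)
    if mode == "general":
        return "block" if matched else "allow"
    if mode == "kill_switch":
        return "allow" if matched else "block"
    raise ValueError(f"unknown mode: {mode}")


class Notifier:
    """Pop-up on block; suppress repeats for the same flow within a window (seconds)."""

    def __init__(self, suppress_seconds: float):
        self.suppress_seconds = suppress_seconds
        self._last = {}  # (bundle_id, remote_ip, port) -> time of last pop-up

    def on_block(self, flow: Flow, now: float) -> bool:
        key = (flow.bundle_id, flow.remote_ip, flow.port)
        last = self._last.get(key)
        if last is not None and now - last < self.suppress_seconds:
            return False  # duplicate within the suppression window
        self._last[key] = now
        return True


# Constructed sample: the minimal Kill Switch policy from the table above,
# with a placeholder (TEST-NET-3) gateway address.
GATEWAY_IP = "203.0.113.10"
KILL_SWITCH_RULES = [Rule(direction="outbound", protocol="tcp", remote=GATEWAY_IP, port=1194)]

VPN_FLOW = Flow("outbound", "/Applications/ZTNA Client.app", "com.example.ztna", "tcp", GATEWAY_IP, 1194)
WEB_FLOW = Flow("outbound", "/Applications/Safari.app", "com.apple.Safari", "tcp", "198.51.100.7", 443)


def demo() -> dict:
    notifier = Notifier(suppress_seconds=10)
    results = {
        "vpn": decide("kill_switch", KILL_SWITCH_RULES, VPN_FLOW),   # only the tunnel is allowed
        "web": decide("kill_switch", KILL_SWITCH_RULES, WEB_FLOW),   # everything else is blocked
    }
    # Three blocked attempts 0, 2 and 5 seconds apart yield a single pop-up ...
    results["popups"] = sum(notifier.on_block(WEB_FLOW, t) for t in (0, 2, 5))
    # ... and the message is shown again once the 10-second window has passed.
    results["popups_after_window"] = notifier.on_block(WEB_FLOW, 12)
    return results


if __name__ == "__main__":
    print(demo())
```

With the Kill Switch rule set, ``demo()`` allows only the outbound TCP/1194 flow to the gateway and blocks the web flow, and the notifier collapses three rapid block events into one pop-up. Swap the mode to ``"general"`` with the same rule list and the logic inverts: the matched flow is the one that gets blocked.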