Mac Native Firewall
Apple devices running macOS have built-in firewall mechanisms to allow or block incoming or outgoing traffic: the application firewall, which filters inbound connections per application, and the pf packet filter, which filters traffic in either direction by rule. Various MDM tools can deploy configuration policies that enable or disable the firewall and push firewall rules. This document lists the configuration requirements to ensure that Netskope Client and the Mac native firewall operate smoothly together.
Environment
This document was created using the following components:
- Netskope Client 117.0.0
- macOS 12.0 (Monterey)
Interoperability Configuration Requirements
Netskope recommends the following configuration to ensure that Netskope Client can steer traffic directly to the Netskope cloud.
Configuring Mac Native Firewall
When configuring policies for Client deployment, ensure that your MDM tool enables the firewall and allows outbound TCP ports 80 and 443, which the Client uses to reach the Netskope cloud.
Enable Firewall
The following references provide MDM-specific guidelines for enabling or disabling the firewall on a macOS device:
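Where no MDM is available, or to verify what an MDM policy actually did on the endpoint, the application firewall can be checked and enabled from a script with Apple's socketfilterfw tool. The following is an added example (not Netskope's or Apple's code); it assumes the usual "Firewall is enabled. (State = 1)" output format of --getglobalstate, where 0 is off, 1 is on and 2 is on with "block all incoming connections". The set calls need root.

```shell
#!/bin/sh
# Added example, not Netskope's or Apple's code: check the macOS application
# firewall state and switch it on if it is off.  Run as root: sh fw.sh check
set -eu

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Extract the numeric state from `socketfilterfw --getglobalstate` output
# read on stdin, e.g. "Firewall is enabled. (State = 1)" -> 1.
# Assumption: the "(State = N)" suffix is present in the tool's output.
firewall_state() {
    sed -n 's/.*(State = \([0-9]\)).*/\1/p' | head -n 1
}

# 0 (success) for an enabled firewall: state 1 (on) or 2 (block all incoming).
# Both leave the Client's outbound tunnel alone; only inbound is filtered.
firewall_ok() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Idempotent: only touches the setting when the firewall is off, then
# re-reads the state so the result reflects what the system reports.
ensure_firewall_on() {
    state=$("$SFW" --getglobalstate | firewall_state)
    if ! firewall_ok "$state"; then
        "$SFW" --setglobalstate on
        state=$("$SFW" --getglobalstate | firewall_state)
    fi
    echo "application firewall state: ${state:-unknown}"
    firewall_ok "${state:-0}"
}

case "${1:-}" in
    check) ensure_firewall_on ;;
esac
```

The application firewall only decides which applications may accept inbound connections, so it has no effect on the Client's outbound connections to the Netskope cloud; the port-level test later in this document therefore uses pf rather than this firewall.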
Verifying Interoperability
Netskope Client
Refer to the list of validated use cases that you can use to verify Client operations.
Mac Firewall
Netskope Client bypasses the traffic listed as steering exceptions and tunnels the remaining traffic as specified in the steering configuration.
To validate the Mac firewall, first enable the application firewall on your macOS machine (on macOS 12, System Preferences > Security & Privacy > Firewall; on macOS 13 and later, System Settings > Network > Firewall).

The application firewall filters inbound connections only, so enabling it does not by itself block the Client's outbound tunnel. To block outbound TCP port 443 and observe how the Client reacts, add pf (packet filter) rules as follows:
- Open /etc/pf.conf with root privileges, for example: sudo vim /etc/pf.conf
- Add the following rules at the end of the file to block TCP port 443 in both directions. pf uses last-matching-rule semantics, so rules appended after the default com.apple anchors take effect unless a later rule matches the same traffic:
block in proto tcp from any to any port 443
block out proto tcp from any to any port 443
- Load the ruleset and enable pf:
sudo pfctl -e -f /etc/pf.conf
- The block rules are now active: all HTTPS traffic, including the Client's own tunnel to the Netskope cloud, is blocked. Watch the Client debug log to observe its behaviour:
tail -f /Library/Logs/Netskope/nsdebuglog.log
- When the test is finished, remove the two rules from /etc/pf.conf and reload it with sudo pfctl -f /etc/pf.conf (or disable pf entirely with sudo pfctl -d) so that the Client can reconnect. Note that macOS upgrades can overwrite /etc/pf.conf, so do not rely on edits there persisting.
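The procedure above edits /etc/pf.conf by hand. The following added example (not Netskope's or Apple's code) performs the same test from a script without touching the system file: it stages a scratch ruleset consisting of the stock /etc/pf.conf plus the two block rules, syntax-checks it with pfctl -n, loads it, confirms from pfctl -sr that pf really holds two block rules for the port, and reverts by reloading the stock file. The scratch path and the assumption that pfctl -sr prints ports numerically ("port = 443") are this example's own; apply and revert need root.

```shell
#!/bin/sh
# Added example, not Netskope's or Apple's code.  Usage (as root):
#   sh pf-test.sh apply [port]   stage + load block rules, verify they loaded
#   sh pf-test.sh revert         reload the stock ruleset and clean up
set -eu

PF_BASE=/etc/pf.conf
# Assumption: a writable scratch path for the staged ruleset.
RULES_FILE=${RULES_FILE:-/tmp/ns-pf-test.conf}

# The two rules from the procedure above, parameterised by port.
build_block_rules() {
    port=$1
    printf 'block in proto tcp from any to any port %s\n' "$port"
    printf 'block out proto tcp from any to any port %s\n' "$port"
}

# Write <base ruleset> + <block rules> to $out.  Appending keeps the default
# com.apple anchors intact and, with pf's last-match semantics, makes the
# block rules win for the chosen port.
stage_ruleset() {
    port=$1; out=$2; base=${3:-$PF_BASE}
    {
        cat "$base"
        echo "# ns-firewall-test: block TCP $port"
        build_block_rules "$port"
    } > "$out"
}

# Count the block rules for $1 in `pfctl -sr` output read from stdin.
# pfctl normalises rules, e.g. "block drop in proto tcp from any to any port = 443"
# (assumption: ports are printed numerically).  Prints 0 when none match.
count_block_rules() {
    port=$1
    grep -cE "^block .*port (= )?${port}\$" || true
}

apply_ruleset() {
    stage_ruleset "$1" "$RULES_FILE"
    pfctl -n -f "$RULES_FILE"          # parse only; abort on a syntax error
    pfctl -e 2>/dev/null || true       # "already enabled" is not an error here
    pfctl -f "$RULES_FILE"
    n=$(pfctl -sr | count_block_rules "$1")
    echo "pf has $n block rule(s) for TCP $1 (expected 2)"
    [ "$n" -eq 2 ]
}

revert_ruleset() {
    pfctl -f "$PF_BASE"                # back to the stock ruleset
    rm -f "$RULES_FILE"
}

case "${1:-}" in
    apply)  apply_ruleset "${2:-443}" ;;
    revert) revert_ruleset ;;
esac
```

While the rules are loaded, tail /Library/Logs/Netskope/nsdebuglog.log as in the procedure above; run the revert step afterwards, since the Client cannot reach the Netskope cloud until the block rules are gone.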