Mac Native Firewall

Mac Native Firewall

Apple devices running macOS have built in firewall mechanisms to allow or block incoming or outgoing traffic. Various MDM tools allow deploying configuration policies that can enable or disable firewalls and also deploy firewall rules. This document lists the configuration requirements to ensure Netskope Client and Mac Native Firewall operate smoothly.

Environment

This document was created using the following components:

  • Netskope Client 111.0.0

  • macOS 12.0 (Montorey) 

Interoperability Configuration Requirements

Netskope recommends the following configurations to ensure that Netskope Client can steer traffic directly to Netskope cloud.

Configuring Mac Native Firewall

When configuring policies for Client deployment, ensure that you add options in your MDM tool to enable firewall and open ports 80 and 443. 

To deploy Netskope Client in a Virtual Machine (VM), ensure that the Client in the host machine is disabled.
Enable Firewall

The following references can  provide MDM specific configuration guidelines to enable or disable firewalls in a macOS device:

Verifying Interoperability

Netskope Client

Refer to the list of validated use cases that you can use to verify Client operations.

Mac Firewall

Netskope Client is able to bypass exception and tunnel traffic as specified in the steering configuration.

To validate Mac Firewall, enable firewall on your macOS machine from System Settings > Network > Firewall.

After enabling the firewall, no traffic is allowed and gets blocked. Perform the following steps to block port 443:

  1. Open /etc/pf.conf using vim editor.

  2. Add the following rule at the end of pf.conf file – to block 443 port:

    block in proto tcp from any to any port 443

    block out proto tcp from any to any port 443

  3. Run below command to enable filter

    sudo pfctl -e -f /etc/pf.conf

  4. The rule to block is now set and blocks any website traffic.

    tail -f /Library/Logs/Netskope/nsdebuglog.log

Share this Doc

Mac Native Firewall

Or copy link

In this topic ...