Announcing 1Password®
Extended Access Management
Kolide Device Trust is now part of 1Password® Extended Access Management. Check out the blog post by former Kolide CEO Jason Meller to learn about the next evolution in user-first security.
View Other Properties

Contents

  1. Introduction
  2. What Mac Firewall Setting Data Can Kolide Collect?
  3. Mac Firewall Settings Schema
  4. What Can You Do With This Information?
  5. Why Should I Collect Mac Firewall Settings?
  6. End-User Privacy Consideration
View Other Properties

How to List Firewall Settings Across All Macs

Using Kolide, you can easily view and query Mac Firewall Settings across your fleet.

Introduction

The Application Firewall (often abbreviated ALF) is a security feature built-into macOS that prevents unauthorized and untrusted apps from accepting network connections from the internet. Unless the Mac is using a third-party software firewall, the macOS ALF should be enabled.

You can read more about the macOS Application Firewall on Apple's support site

What Mac Firewall Setting Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac Firewall Settings from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac Firewall Settings Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

allow_signed_enabled Boolean

true if allow signed mode is enabled else false

enabled Boolean

true if the firewall is enabled, else false

firewall_unload Boolean

true if firewall unloading enabled else false

global_state Enum::Integer

Describes the current state of the firewall

Can be one of the following:

  • 0 - The firewall is disabled
  • 1 - The firewall is enabled, but is configured to allow some traffic through
  • 2 - The firewall is configured to block all incoming connections
logging_enabled Boolean

true If logging mode is enabled else false

logging_option Enum::Integer

Logging verbosity options for /var/log/appfirewall.log

Can be one of the following:

  • 0 - Throttled
  • 1 - Brief
  • 2 - Detailed
stealth_enabled Boolean

true If stealth mode is enabled else false

firewall_version Text

The text representation of the version

firewall_version_major Bigint

firewall_version's semver major version (ex: 4.2.1 would yield 4)

firewall_version_minor Bigint

firewall_version's semver minor version (ex: 4.2.1 would yield 2)

firewall_version_patch Bigint

firewall_version's semver patch version (ex: 4.2.1 would yield 1)

firewall_version_subpatch Bigint

firewall_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)

firewall_version_pre Text

firewall_version's semver pre-release version (ex: 1.2.3-prerelease+build would yield pre-release)

firewall_version_build Text

firewall_version's semver build version (ex: 1.2.3-prerelease+build would yield build)

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find devices which do not have the built-in macOS firewall enabled
Kolide SQL
SELECT 
  enabled, 
  device_name, 
  global_state, 
  stealth_enabled 
FROM mac_application_layer_firewalls 
WHERE enabled = 'false'
Example Results
enabled device_name global_state stealth_enabled
false Johns-MacBook-Pro 0 false
false Daves-MacBook-Pro 0 false
false ashleys-mac-mini 0 false
false donut 0 false
false Conference-Room-MacBook-Air 0 false
Determine which devices have the Firewall Stealth Mode enabled
Kolide SQL
SELECT 
  enabled, 
  device_name, 
  global_state, 
  stealth_enabled 
FROM mac_application_layer_firewalls 
WHERE stealth_enabled = '1'
Example Results
enabled device_name global_state stealth_enabled
true Daves-MacBook-Pro-2 1 true
true Franks-MacBook-Pro-2 1 true
true holden 1 true
true imaging-parent 1 true
true Laptop-2 1 true

Why Should I Collect Mac Firewall Settings?

Knowing the state of the built-in Firewall can help paint a broader picture of the computer's overall security and adherence to compliance standards.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

When you use Kolide to list Mac Firewall Setting data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.

Share this story:

Related Device Properties:

New
Windows Update Settings
updates, operating-system, security
New
Windows Pending Updates
updates, operating-system, security
New
Mac SIP Settings
security, integrity, boot-security, operating-system, hardware
View full list of Kolide's Device Properties
Book A Demo
Book A Demo