Host Firewall for macOS
Control communications on your endpoints based on the network location of your device by using the Cortex® XDR™ host firewall.
The Cortex XDR host firewall enables you to control communications on your endpoints. To use the host firewall, you set rules that allow or block the traffic on the devices and apply them to your endpoints using Cortex XDR host firewall policy rules. Additionally, you can configure different sets of rules based on the current location of your endpoints - within or outside your organization network. The Cortex XDR host firewall rules leverage the operating system firewall APIs and enforce these rules on your endpoints, but not your Windows or Mac firewall settings.
In Cortex XDR 3.0, no change was made to the Host Firewall Configuration or operation on macOS endpoints. All existing policies configured in Cortex XDR 2.9 still apply and will continue to work as expected with Cortex XDR agent 7.2 or a later release. Enforcement events triggered by macOS endpoints are not included in the Host Firewall Events table.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:
Enable Network Location Configuration
If you want to apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. On every heartbeat, and if the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and re-calculates the policy according to the new location.
Add a New Host Firewall Profile
Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
Rules created on macOS 10 and Cortex XDR agent 7.5 and prior are managed only in the Legacy Host Firewall Rules and do not appear in the Rule Groups tables.
- Log in to Cortex XDR.Go toand selectEndpointsPolicy ManagementExtensions ProfilesProfiles. Select the+ New ProfilePlatformand clickHost FirewallNext
- Fill-in theGeneral Informationfor the new profile.Assign aProfile Nameand optional description to the profile.
- Define yourReport Settings.When the profile operates in report mode, Cortex XDR overrides all rules set toBlocktraffic. Instead, the traffic is allowed to go through, and the enforcement event is reported asOverride Block. You can configure a profile in report mode if you need for example to test new block rules before you actually apply them.
- Configure Internal and External Rule Groups.To apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XDR enforces the host firewall rules based on the current location of the device within the internal organization network (Internal Rules), enabling you for example to enforce more strict rules when the device is outside the office and in a public place (External Rules). If you disable the Location Based option, your policy will apply the internal set of rules only, and that will be applied to the device regardless of its location.Create a New Rule or add a rules group to theInternal/External Groups:
- Click+Add Group.
- Select one or more groups, and clickAdd.To quickly apply the exact same rules in both cases, selectAdd as external/internalrules groups as well.
- Review the rule group field details.The groups are listed according to the order of enforcement from top to bottom. To change this order, click on the group priority number and drag the group to the desired row.FieldDescriptionApplicable Rules CountDisplays the number of rules in the specific group that are associated with the platform profile.Created byDisplays the email address of the user that created the rule.Creation TimeDate and time of when the rule was created.DescriptionDescription of the rule, if available.Group IDUnique rules group ID.Group NameName of the group rules group.ModeDisplays whether the rules group is enabled or not.Modified byDisplays the email address of the last user that made changes to the group.Modification TimeDate and time of when the group was modified.
- (Optional) SelectView Rulesto view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.Anytype protocol and specific ports cannot be edited. If saved as a new rule, the specific ports previously defined are removed from the cloned rule.
- AlloworBlocktheDefault Action for Inbound/Outbound Trafficin the profile if you want to allow all network connections that have not been matched to any other rule in the profile.
- (Optional) Manage Legacy Host Firewall Rules.Mange Host Firewall Rules created on macOS 10 and Cortex XDR agent 7.5 and prior.
- EnableManage Host Firewallto allow Cortex XDR to manage the host firewall on your Mac endpoints.
- Configure the host firewallInternalandExternalsettings.The host firewall settings allow or block inbound communication on your Mac endpoints.EnableorDisablethe following actions:
If the profile is location based, you can define both internal and external settings.
- Stealth Mode—Hide your mac endpoint from all TCP and UDP networks by enabling the Apple Stealth mode on your endpoint.
- Block All Incoming Connections—Select where to block all incoming communications on the endpoint or not.
- Application Exclusions—Allow or block specific programs running on the endpoint using aBundle ID.
- Save your profile.When you’re done,Createyour host firewall profile.
Apply Host Firewall Profiles to Your Endpoints
After you defined the required host firewall profiles, you must configure the Protection Policies and enforce them on your endpoints. Cortex XDR applies Protection policies on endpoints from top to bottom, as you’ve ordered them on the page. The first policy that matches the endpoint is applied. If no policies match, the default policy that enables all communication to and form the endpoint is applied.
- Log in to Cortex XDR.Go to.EndpointsPolicy ManagementExtensions Policy Rules+New Policy
- Configure settings for the host firewall policy.
Alternatively, you can associate the host firewall profile to an existing policy. Right-click the policy and selectEdit. Select theHost Firewallprofile and clickNext. If needed, you can edit other settings in the rule (such as target endpoints, description, etc.) When you’re done, clickDone
- Assign policy name, optional description, and operating system.
- Assign the host firewall profile you want to use in this rule.
- Select the target endpoints on which to enforce the policy.Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.
- Configure policy hierarchy.Drag and drop the policies in the desired order of execution.
- Savethe policy hierarchy.After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies on your environment.
Monitor the Host Firewall Activity on your Endpoint
To view only the communication events on the endpoint to which the Cortex XDR host firewall rules were applied, you can run the
Cytool firewall showcommand.
Additionally, to monitor the communication on your macOS endpoint, you can use the following operating system utilities: From the endpoint
, you can view the list of blocked and allowed applications in the firewall. The Cortex XDR host firewall blocks only incoming communications on Mac endpoints, still allowing outbound communication initiated from the endpoint.
Security and Privacy
Recommended For You
Recommended videos not found.