Host Firewall for macOS

Control communications on your endpoints based on the network location of your device by using the Cortex® XDR™ host firewall.
The Cortex XDR host firewall enables you to control communications on your endpoints. To use the host firewall, you set rules that allow or block traffic on the devices and apply them to your endpoints using Cortex XDR host firewall policy rules. Additionally, you can configure different sets of rules based on the current location of your endpoints, within or outside your organization network. The Cortex XDR host firewall rules use the operating system firewall APIs to enforce these rules on your endpoints, but do not change your Windows or Mac firewall settings.
In Cortex XDR 3.0, no change was made to the Host Firewall Configuration or operation on macOS endpoints. All existing policies configured in Cortex XDR 2.9 still apply and will continue to work as expected with Cortex XDR agent 7.2 or a later release. Enforcement events triggered by macOS endpoints are not included in the Host Firewall Events table.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:

Enable Network Location Configuration

If you want to apply location-based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. On every heartbeat, and whenever the Cortex XDR agent detects a network change on the endpoint, the agent runs the device location test and recalculates the policy according to the new location.

Add a New Host Firewall Profile

Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
Rules created on macOS 10 and Cortex XDR agent 7.5 and prior are managed only in the Legacy Host Firewall Rules and do not appear in the Rule Groups tables.
  1. Log in to Cortex XDR. Go to Policy Management > Extensions Profiles and select + New Profile. Select the
    and click
    Host Firewall
  2. Fill in the General Information for the new profile. Assign a Profile Name and an optional description to the profile.
  3. Define your Report Settings. When the profile operates in report mode, Cortex XDR overrides all rules set to block traffic. Instead, the traffic is allowed to go through, and the enforcement event is reported as Override Block. You can configure a profile in report mode if, for example, you need to test new block rules before you actually apply them.
  4. Configure Internal and External Rule Groups.
    To apply location-based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XDR enforces the host firewall rules based on the current location of the device within the internal organization network (Internal Rules), enabling you, for example, to enforce stricter rules when the device is outside the office and in a public place (External Rules). If you disable the Location Based option, your policy applies the internal set of rules only, regardless of the device location.
    Create a New Rule or add a rules group to the Internal/External Groups:
    1. Click +Add Group.
    2. Select one or more groups, and click
      To quickly apply the exact same rules in both cases, select Add as external/internal rules groups as well.
    3. Review the rule group field details.
      The groups are listed according to the order of enforcement from top to bottom. To change this order, click the group priority number and drag the group to the desired row.
      Applicable Rules Count: the number of rules in the specific group that are associated with the platform profile.
      Created by: the email address of the user who created the rule.
      Creation Time: the date and time when the rule was created.
      Description: description of the rule, if available.
      Group ID: unique rules group ID.
      Group Name: name of the rules group.
      Displays whether the rules group is enabled or not.
      Modified by: the email address of the last user who made changes to the group.
      Modification Time: the date and time when the group was modified.
    4. (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
      type protocol and specific ports cannot be edited. If saved as a new rule, the specific ports previously defined are removed from the cloned rule.
    5. Allow Default Action for Inbound/Outbound Traffic in the profile if you want to allow all network connections that have not been matched to any other rule in the profile.
  5. (Optional) Manage Legacy Host Firewall Rules.
    Manage host firewall rules created on macOS 10 and Cortex XDR agent 7.5 and prior.
    1. Enable Manage Host Firewall to allow Cortex XDR to manage the host firewall on your Mac endpoints.
    2. Configure the host firewall.
      The host firewall settings allow or block inbound communication on your Mac endpoints. Configure the following actions:
      • Stealth Mode—Hide your Mac endpoint from all TCP and UDP networks by enabling Apple Stealth mode on your endpoint.
      • Block All Incoming Connections—Select whether to block all incoming communications on the endpoint or not.
      • Application Exclusions—Allow or block specific programs running on the endpoint using a Bundle ID.
      If the profile is location based, you can define both internal and external settings.
  6. Save your profile.
    When you’re done,
    your host firewall profile.
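The evaluation order described in the steps above (groups walked top to bottom, first matching rule wins, internal groups only when the profile is not location based, block rules overridden and reported as Override Block in report mode, and the default action when nothing matches) as an added Python model. This is example code written for this page, not Cortex XDR's implementation; the Rule and Profile structures and the sample groups are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str          # "allow" or "block"
    direction: str       # "inbound" or "outbound"
    protocol: str        # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any port

@dataclass
class Profile:
    internal_groups: List[List[Rule]]  # groups in enforcement order, rules in order
    external_groups: List[List[Rule]]
    location_based: bool
    report_mode: bool
    default_inbound: str               # default action when no rule matches
    default_outbound: str

def evaluate(profile: Profile, location: str, direction: str,
             protocol: str, port: int) -> Tuple[str, str]:
    """Return (effective action, reported event) for one connection.
    Groups are walked top to bottom and rules within a group top to bottom;
    the first matching rule wins. If the profile is not location based,
    the internal groups apply regardless of where the device is."""
    use_external = profile.location_based and location == "external"
    groups = profile.external_groups if use_external else profile.internal_groups
    for group in groups:
        for rule in group:
            if (rule.direction == direction and rule.protocol in (protocol, "any")
                    and rule.port in (port, None)):
                if rule.action == "block" and profile.report_mode:
                    # Report mode: the block is overridden, the traffic passes,
                    # and the event is reported as "Override Block".
                    return "allow", "Override Block"
                return rule.action, rule.action
    default = profile.default_inbound if direction == "inbound" else profile.default_outbound
    return default, "default " + default

# Constructed sample groups (hypothetical, not from any real tenant): in the office,
# inbound SSH is allowed explicitly; in public, an earlier catch-all block rule
# shadows the later allow for 443 because the first match wins.
OFFICE = [[Rule("allow", "inbound", "tcp", 22)]]
PUBLIC = [[Rule("block", "inbound", "any", None)], [Rule("allow", "inbound", "tcp", 443)]]

def enforced_profile() -> Profile:
    return Profile(OFFICE, PUBLIC, True, False, "allow", "allow")

def report_only_profile() -> Profile:
    return Profile(OFFICE, PUBLIC, True, True, "allow", "allow")
```

The shadowed allow for port 443 in the PUBLIC groups is the kind of ordering mistake to check for when re-prioritizing groups: the table order, not the rule's intent, decides the outcome.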

Apply Host Firewall Profiles to Your Endpoints

After you have defined the required host firewall profiles, you must configure the Protection Policies and enforce them on your endpoints. Cortex XDR applies Protection policies on endpoints from top to bottom, as you have ordered them on the page. The first policy that matches the endpoint is applied. If no policies match, the default policy, which enables all communication to and from the endpoint, is applied.
  1. Log in to Cortex XDR. Go to Policy Management > Extensions Policy Rules > +New Policy.
  2. Configure settings for the host firewall policy.
    1. Assign a policy name, optional description, and operating system.
    2. Assign the host firewall profile you want to use in this rule.
    3. Click
    4. Select the target endpoints on which to enforce the policy. Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.
    5. Click
    Alternatively, you can associate the host firewall profile with an existing policy. Right-click the policy and select
    . Select the Host Firewall profile and click
    . If needed, you can edit other settings in the rule (such as target endpoints, description, etc.). When you’re done, click
  3. Configure policy hierarchy. Drag and drop the policies in the desired order of execution.
  4. Save the policy hierarchy.
    After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies in your environment.

Monitor the Host Firewall Activity on Your Endpoint

To view only the communication events on the endpoint to which the Cortex XDR host firewall rules were applied, you can run the Cytool firewall show command.
Additionally, to monitor the communication on your macOS endpoint, you can use the following operating system utilities. From the endpoint's System Preferences > Security and Privacy > Firewall options, you can view the list of blocked and allowed applications in the firewall. The Cortex XDR host firewall blocks only incoming communications on Mac endpoints, still allowing outbound communication initiated from the endpoint.