I find it most useful to enable FileVault but having firewall turned on would be good extra protection.

Great quetion.
I too would be interested in this topic. Defense in depth is or should be a must, no matter what OS is running. But what would it break would be good to know. Also good to know would be how to enable it using jamf pro so we do not need to visit 1000+ devices.

We use two scripts to configure the in-built application firewall. The first enables it and sets the relevant options: https://github.com/UoE-macOS/jss/blob/master/coreconfig-application-firewall.sh
The second adds exceptions for apps which require access: https://github.com/UoE-macOS/jss/blob/master/coreconfig-application-firewall-add-exception.sh
In our environment there are three main applications which need access Maple, Matlab and SPSS, these all use network based licensing so this isn't necessarily a surprise.

question to me is why would you not turn it on and enforce it being on? I always report on it using an EA and make sure it gets turned back on if somehow it goes off.
I have found profiles don't always turn it turn it on so a script is required initially but a profile stops it going off in my experience.

@dsavageED Can these scripts be pushed to clients using Jamf Now?

I've found that you can't allow the user to set their own exclusions if the firewall is set to on in a Jamf Configuration Profile.  We have a number of unsigned apps made by inhouse development which poses a challenge with firewall.

Can some share some guide on how to enable firewall on all Mac's using policies. step by step instructions would help.

Following this for a good way to configure firewalls via config profile.