Creating Custom Analytics for Firewall

Grisha
New Contributor

Hi,

We would like to create custom analyses for firewall monitoring. When users turn off the firewall (System Preferences → Network → Firewall), Jamf Protect should trigger an alert. We have already built a custom analysis for the firewall:

$event.type IN {0, 3, 4} AND$event.path == "/Library/Preferences/com.apple.alf.plist" AND$event.file.contentsAsDict.globalstate != "1"


After the update to macOS 15 Sequoia, the plist file no longer exists, which is why we are trying to create a new custom analysis:

$event.type IN {0, 3, 4} AND$event.path == "/Library/Preferences/com.apple.networkextension.plist" 
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall.Enabled != "1"


I searched on GitHub https://github.com/jamf/jamfprotect but couldn’t find any relevant information.

The plist file contains several dictionaries, but we are only interested in the firewall section. Unfortunately, the analysis does not work. We suspect that the issue lies in the syntax. Could you please help us build this custom analysis correctly or provide tips on how we can check it via the terminal?

Thank you in advance!


ThijsX
Valued Contributor

Hey @Grisha 

Thanks for posting this question!

Indeed there's a space and an operator missing in the syntax.

$event.type IN {0, 3, 4} AND
$event.path == "/Library/Preferences/com.apple.networkextension.plist" AND
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall.Enabled != "1"

You could try the following?

$event.type IN {0, 3, 4} AND
$event.path == "/Library/Preferences/com.apple.networkextension.plist" AND
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall[0].Enabled != "1"

If this does not work out, I can try to replicate it early next week?

Grisha
New Contributor

Thank you very much for your help. Unfortunately, it doesn’t work. I believe the problem is that the plist file contains a total of 4 or 5 keys named "Enabled," which makes it difficult to match properly. I look forward to your response.
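As an added example (not code from any poster or from Jamf), the script below loads a plist with the standard plistlib module and lists every key path whose last key is "Enabled", so the exact path to put after contentsAsDict can be read off instead of guessed. The sample plist is constructed and its layout is only an assumption about com.apple.networkextension.plist; point the script at the real file to see the actual paths.

```python
import plistlib
import sys

# Constructed sample; the real key layout of
# /Library/Preferences/com.apple.networkextension.plist is an assumption.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.ALF.ApplicationFirewall</key>
  <array>
    <dict>
      <key>Enabled</key><true/>
      <key>Identifier</key><string>com.apple.ALF.ApplicationFirewall</string>
    </dict>
  </array>
  <key>com.example.vpn</key>
  <dict>
    <key>Enabled</key><false/>
  </dict>
</dict>
</plist>
"""


def key_paths(node, path=()):
    """Yield (components, value) for every leaf. Each dict key is ONE component
    even if it contains dots (com.apple.ALF.ApplicationFirewall is a single
    key, not four nested ones); array elements become integer components."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from key_paths(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from key_paths(value, path + (index,))
    else:
        yield path, node


def render(path):
    """Render components in the dotted/bracket form used in the thread."""
    out = ""
    for part in path:
        out += f"[{part}]" if isinstance(part, int) else (f".{part}" if out else part)
    return out


def find_keys(plist_bytes, leaf="Enabled"):
    """Map component tuple -> value for every leaf named `leaf`.
    plistlib.loads accepts XML and binary plists alike."""
    data = plistlib.loads(plist_bytes)
    return {p: v for p, v in key_paths(data) if p and p[-1] == leaf}


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for path, value in find_keys(raw).items():
        print(render(path), "=", value)
```

With several "Enabled" keys in the file, the output shows which path belongs to the firewall entry and whether it sits inside an array (hence the [0] form suggested above).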


Shyamsundar
Contributor III

On macOS Sequoia, a modification has been implemented in the Firewall management system. To ascertain the current Firewall status, kindly utilize the following command:

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | awk '{print $3}' |sed 's/\.$//'


Thank you very much! Unfortunately, I cannot use the command in Custom Analytics. In Custom Analytics, I can only use predicates (https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_Analytics.html). We want to monitor the firewall through Jamf Protect.

JL85
New Contributor III

Here is the document I got from Mac admin. This should help you capture and write the needed custom analytic.

https://trusted.jamf.com/docs/tailored-event-monitoring-on-macos