Question

Creating Custom Analytics for Firewall


  • New Contributor
  • 6 replies

Hi,

We would like to create custom analyses for firewall monitoring. When users turn off the firewall (System Preferences → Network → Firewall), Jamf Protect should trigger an alert. We have already built a custom analysis for the firewall:

$event.type IN {0, 3, 4} AND $event.path == "/Library/Preferences/com.apple.alf.plist" AND $event.file.contentsAsDict.globalstate != "1"


After the update to macOS 15 Sequoia, the plist file no longer exists, which is why we are trying to create a new custom analysis:

$event.type IN {0, 3, 4} AND$event.path == "/Library/Preferences/com.apple.networkextension.plist" 
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall.Enabled != "1"


I searched on GitHub https://github.com/jamf/jamfprotect  but couldn’t find any relevant information.

The plist file contains several dictionaries, but we are only interested in the firewall section. Unfortunately, the analysis does not work. We suspect that the issue lies in the syntax. Could you please help us build this custom analysis correctly or provide tips on how we can check it via the terminal?

Thank you in advance!

5 replies

ThijsX
  • Employee
  • 369 replies
  • October 25, 2024

Hey @Grisha 

Thanks for posting this question!

Indeed, there's a space and an operator missing in the syntax.

$event.type IN {0, 3, 4} AND
$event.path == "/Library/Preferences/com.apple.networkextension.plist" AND
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall.Enabled != "1"

You could try the following?

$event.type IN {0, 3, 4} AND
$event.path == "/Library/Preferences/com.apple.networkextension.plist" AND
$event.file.contentsAsDict.com.apple.ALF.ApplicationFirewall[0].Enabled != "1"

If this does not work out, I can try to replicate it early next week?
 
 

  • Author
  • New Contributor
  • 6 replies
  • October 25, 2024
Thank you very much for your help. Unfortunately, it doesn’t work. I believe the problem is that the plist file contains a total of 4 or 5 keys named "Enabled," which makes it difficult to match properly. I look forward to your response.
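To see from the terminal where a predicate key path actually lands in a plist with several "Enabled" keys, here is an added Python example (not from this thread and not Jamf's code). It loads a constructed plist shaped like the one discussed (an assumed layout, not a dump of the real com.apple.networkextension.plist), splits a key path on dots the way KVC-style key paths do (whether Jamf Protect's predicate engine behaves identically is an assumption), and lists every path at which a key named "Enabled" occurs so you can pick the one the firewall uses.

```python
import plistlib
import re
from typing import Any, Optional

# Constructed sample (assumption): one top-level key whose name itself contains
# dots, plus other sections that also carry an "Enabled" key.
SAMPLE_PLIST = plistlib.dumps({
    "com.apple.ALF.ApplicationFirewall": [{"Enabled": 0, "Identifier": "alf"}],
    "com.apple.dnsProxy": {"Enabled": 1},
    "Filters": [{"Enabled": 1, "Name": "contentFilter"}],
})

# One segment is either a run of non-dot characters or a [n] list index.
_SEGMENT = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def resolve_keypath(obj: Any, keypath: str) -> Optional[Any]:
    """Walk 'a.b[0].c' segment by segment, splitting on dots; None if any
    segment is missing. A key that contains dots can never be reached here."""
    for name, index in _SEGMENT.findall(keypath):
        if index:
            if not isinstance(obj, list) or int(index) >= len(obj):
                return None
            obj = obj[int(index)]
        else:
            if not isinstance(obj, dict) or name not in obj:
                return None
            obj = obj[name]
    return obj


def lookup(obj: Any, *segments: Any) -> Optional[Any]:
    """Explicit segments, so a dotted key name is used as a single key."""
    for seg in segments:
        try:
            obj = obj[seg]
        except (KeyError, IndexError, TypeError):
            return None
    return obj


def find_key_paths(obj: Any, wanted: str, prefix: str = "") -> list[str]:
    """Return every path (dotted, with [n] for lists) at which `wanted` occurs."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            if k == wanted:
                hits.append(path)
            hits.extend(find_key_paths(v, wanted, path))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_key_paths(v, wanted, f"{prefix}[{i}]"))
    return hits
```

To run it against the real file, replace SAMPLE_PLIST with the output of `plutil -convert xml1 -o - /Library/Preferences/com.apple.networkextension.plist`; every path that find_key_paths prints is a candidate, and any that passes through a dotted key name will not resolve via resolve_keypath.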



Shyamsundar
  • Jamf Heroes
  • 287 replies
  • October 26, 2024

On macOS Sequoia, a modification has been implemented in the Firewall management system. To ascertain the current Firewall status, kindly utilize the following command:

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | awk '{print $3}' | sed 's/\.$//'



  • Author
  • New Contributor
  • 6 replies
  • October 26, 2024

Thank you very much! Unfortunately, I cannot use the command in Custom Analytics. In Custom Analytics, I can only use predicates (https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_Analytics.html). We want to monitor the firewall through Jamf Protect.


  • Contributor
  • 15 replies
  • November 18, 2024

Here is the document I got from a Mac admin. It should help you capture and write the needed custom analytic.

https://trusted.jamf.com/docs/tailored-event-monitoring-on-macos

