Network Control and macOS

EDR Network Control on macOS is a stateless firewall (it does not track connection state; each packet is evaluated on its own). The firewall sits at the socket level (the application level) in kernel space. Network Control monitors three network protocols: TCP, UDP, and ICMP.

Incoming ICMP packets are handled directly by the kernel IP stack and are not monitored by EDR Network Control.

A packet is blocked if either firewall (EDR Network Control or the macOS firewall) blocks it. For an Allow rule to take effect, make sure there is no rule (in the EDR Policy or in macOS) that can block that traffic.

If an endpoint is in Network Quarantine (Disconnected from Network), the Agent can communicate only with the Management Console, and only through the sentineld process. Endpoints in Network Quarantine therefore cannot apply firewall rules.

To allow communication between Agent and the Management Console, these connections are always allowed:

  • For /usr/libexec/configd and /usr/libexec/bootpd processes (DHCP):
    • TCP/IPv4 over port 67
    • TCP/IPv4 over port 68
    • TCP/IPv6 over port 547
    • TCP/IPv6 over port 546
  • For /usr/sbin/mDNSResponder and /usr/libexec/discoveryd processes (DNS):
    • TCP+UDP/IPv4+IPv6 over port 53
    • TCP+UDP/IPv4+IPv6 over port 5353
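To see how the rules above interact (block from either firewall wins, inbound ICMP is never seen, quarantine bypasses the rule set, and the DHCP/DNS exceptions are always allowed), here is a small model of the verdict logic. This is an added example, not SentinelOne code; the `Flow` fields, the `to_console` flag, the sentineld path match, and the default verdict when no rule matches are assumptions.

```python
"""Constructed model of how EDR Network Control on macOS reaches a verdict for one packet."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A packet as the socket-level filter sees it (constructed shape, not the product's)."""
    process: str              # full path of the local process, e.g. /usr/libexec/configd
    proto: str                # "tcp", "udp" or "icmp"
    ip_version: int           # 4 or 6
    port: int                 # 0 for ICMP, which has no port
    inbound: bool = False
    to_console: bool = False  # assumption: marks traffic destined for the Management Console


@dataclass(frozen=True)
class Rule:
    """One rule from the EDR Policy or the macOS firewall; None fields match anything."""
    action: str               # "allow" or "block"
    process: Optional[str] = None
    proto: Optional[str] = None
    ip_version: Optional[int] = None
    port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        pairs = ((self.process, f.process), (self.proto, f.proto),
                 (self.ip_version, f.ip_version), (self.port, f.port))
        return all(want is None or want == got for want, got in pairs)


# The connections the page lists as always allowed (DHCP and DNS helpers of the Agent).
ALWAYS_ALLOWED = [
    Rule("allow", p, "tcp", v, port)
    for p in ("/usr/libexec/configd", "/usr/libexec/bootpd")
    for v, port in ((4, 67), (4, 68), (6, 547), (6, 546))
] + [
    Rule("allow", p, proto, v, port)
    for p in ("/usr/sbin/mDNSResponder", "/usr/libexec/discoveryd")
    for proto in ("tcp", "udp") for v in (4, 6) for port in (53, 5353)
]


def verdict(flow: Flow, edr_rules: list, macos_rules: list,
            quarantined: bool = False, default: str = "block") -> str:
    """Return "allow", "block" or "unmonitored" for a single packet (stateless: no history)."""
    if flow.proto == "icmp" and flow.inbound:
        return "unmonitored"  # inbound ICMP is handled by the kernel IP stack, never by the EDR
    if quarantined:           # Network Quarantine: rules are not applied at all
        ok = flow.process.endswith("/sentineld") and flow.to_console  # assumption: path form
        return "allow" if ok else "block"
    if any(r.matches(flow) for r in ALWAYS_ALLOWED):
        return "allow"
    combined = edr_rules + macos_rules
    if any(r.action == "block" and r.matches(flow) for r in combined):
        return "block"        # a block from either firewall wins over any allow
    if any(r.action == "allow" and r.matches(flow) for r in combined):
        return "allow"
    return default            # assumption: behaviour when no rule matches is not on the page
```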