Reevsie147
Contributor

Endpoint Security client on Mac OS doesn't drop encrypted traffic as per restricted firewall policy

Hi All,

Have already had a TAC case open for a while on this one but figured I would ask here in case anyone had come across anything similar.

Within the Endpoint Security server I have defined a compliance policy to put clients into restricted state if certain conditions aren't met. If non-compliant state is triggered, a restricted firewall policy is enforced which blocks access to internal networks over the VPN whilst allowing access to certain internal resources for remediation purposes (AV Updates, patch servers etc).

These firewall rules seem to work perfectly on Windows hosts and when the non-compliant state is triggered, the EPS firewall blocks connections as defined by the policy.

On Mac OS however, the locally enforced firewall policy seems to completely ignore any encrypted (remote access) traffic and allows it all through to the internal networks. I have tried with both E84.30 and E84.70 clients but neither seem to work as intended.

Has anyone else had a similar issue and found a solution/workaround for this? I can't imagine this is intended behaviour and it's causing quite a headache as we can't really roll anything out unless it works the same for both Windows and Mac OS as we have quite a mixture of clients within the business.

Any help would be greatly appreciated, thanks.

0 Kudos
10 Replies
PhoneBoy
Admin

Is the desktop firewall working in general?
Probably best to engage TAC here.

0 Kudos
Reevsie147
Contributor

Hey @PhoneBoy,

Yes the desktop firewall does indeed function, in that it drops any unencrypted connections as intended. It just seems to ignore any encrypted (Client VPN) traffic destined for the same addresses and allows them right through, which obviously isn't ideal!

I have demoed my issues on a Zoom session with TAC and am awaiting a response to my ticket, it just seems odd that I'm the only person that's experienced this issue, as at face value it seems like quite a big "hole".

I've actually done some further testing since the first post and tried both E84.30 and E84.70 Mac OS clients on both Catalina and Big Sur but the issue is the same across all combinations alas.

0 Kudos
the_rock
Legend

Can't say I had ever experienced that exact issue with Mac before...just wondering, do logs show you anything interesting at all that may point to a possible cause? What was TAC's response? I assume this never worked with Macs before?

0 Kudos
Reevsie147
Contributor

Hey @the_rock. Unfortunately this is the first time I've tried enforcing a restricted policy on Mac OS so I can't speak as to whether it's always been an issue. All my preliminary testing was on Windows which behaves as I would expect.

I can't see anything obvious in the logs and haven't had a response from TAC as yet.

I'm only guessing here, but it almost seems as if the EPS firewall isn't actually filtering any traffic that passes through the VPN network adapter and only applying the filter to the physical NIC/s. As I mentioned in an earlier post, if I send traffic to a "restricted" IP with the VPN disconnected it is clearly blocked by the local firewall, but when the VPN is connected, it just passes through to that same IP.

0 Kudos
the_rock
Legend

I know I'm not an Apple expert, but something came to my mind. I recall once when I was helping a customer with a Mac machine and we had an issue with the VPN endpoint client and ended up calling Apple support; the guy had us open Console via Utilities on the MacBook and then we were watching logs come up while replicating the issue. Not sure if that's something you could try...it might give some insight.

0 Kudos
Reevsie147
Contributor

Hey @the_rock, I haven't tried looking at the Console logs as yet. I'll give it a shot. Thanks for the suggestion!

0 Kudos
the_rock
Legend

Sorry, I know it's not the best suggestion, but something to try.

0 Kudos
Reevsie147
Contributor

Just by way of an update here for anyone else having this issue. The latest response on my TAC ticket states that the endpoint firewall on MacOS simply does not filter any encrypted traffic whatsoever.

It works as expected on Windows, but if you want to block any traffic to your Corporate resources over VPN on MacOS (in my case because the endpoint has become non-compliant) then it simply doesn't seem to be an option.

This seems really odd to me, as in my opinion, that's one of the main use cases for the endpoint compliance blade combined with the desktop firewall.

0 Kudos
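Whether the endpoint firewall applies the restricted policy to tunnelled traffic is something each site can measure rather than assume. The script below is an added example, not code from the thread or from Check Point: it probes a list of destinations and reports where the observed reachability disagrees with what the restricted policy is supposed to enforce. Run it once with the VPN disconnected and once with it connected from a client that has been pushed into the restricted state; if the "block" entries become reachable only when the tunnel is up, you have reproduced the behaviour described in this thread. The IP addresses and ports in the sample list are constructed placeholders, and `probe` is injectable so the evaluation logic can be exercised without a network.

```python
"""Added example: compare observed TCP reachability against the restricted
firewall policy's intent. Not part of the original post; addresses below are
constructed placeholders for your own restricted/allowed resources."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    host: str           # destination IP or hostname
    port: int           # TCP port to probe
    should_block: bool  # True for internal resources the restricted policy must drop


def tcp_reachable(host, port, timeout=3.0):
    """True if packets reach host:port within timeout.

    A completed handshake is obviously reachable; a refused connection also
    counts as reachable because the SYN got through the firewall and the host
    answered. A timeout or unreachable error is treated as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:  # includes TimeoutError / socket.timeout and no-route errors
        return False


def evaluate(expectations, probe=tcp_reachable):
    """Probe every expectation and return the list of policy violations as
    (host, port, reason) tuples. An empty list means the policy held."""
    violations = []
    for e in expectations:
        reachable = probe(e.host, e.port)
        if e.should_block and reachable:
            violations.append((e.host, e.port, "reachable but policy says block"))
        elif not e.should_block and not reachable:
            violations.append((e.host, e.port, "blocked but policy says allow"))
    return violations


# Constructed sample policy: two internal servers that a non-compliant client
# must not reach, and one remediation server (patching/AV updates) it must reach.
SAMPLE_POLICY = [
    Expectation("10.10.1.10", 445, should_block=True),   # placeholder file server
    Expectation("10.10.1.20", 3389, should_block=True),  # placeholder RDP host
    Expectation("10.10.9.5", 443, should_block=False),   # placeholder patch server
]


if __name__ == "__main__":
    found = evaluate(SAMPLE_POLICY)
    if not found:
        print("restricted policy held for all probed destinations")
    for host, port, reason in found:
        print(f"VIOLATION {host}:{port} {reason}")
```

Run the same list from the same client in both VPN states and keep the two outputs side by side; the interesting finding is not a single violation but a "block" entry that is dropped on the physical interface and reachable through the tunnel.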
PhoneBoy
Admin

Can you send me the SR in a PM?
It's entirely possible MacOS doesn't provide a mechanism for us to filter encrypted traffic, but that's merely a guess.

0 Kudos
Reevsie147
Contributor

Thanks @PhoneBoy, have done so. Much appreciated!

0 Kudos