This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global Protect HIP Does Detect Firewall with New Apple MacOS Sequoia

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect HIP Does Detect Firewall with New Apple MacOS Sequoia

Salathiwe
L2 Linker

‎06-26-2024 01:58 AM

Can you please provide some advise on this:
Our client has an issue with the new Apple MACOS Sequoia 
 The new Apple MacOS Sequoia seems to have changed some behaviour in how they check the local firewall. Currently Global Protect HIP does not detect if the local firewall is enabled.
I have attached the information above.
 

image.png

 

Apple Firewall:

 

image.png

 

Global Protect HIP:

 

image.png

P.S
8 people had this problem.
(2)
7 REPLIES 7

abandey
L3 Networker

‎06-26-2024 03:52 PM

Can you check what report is generated by the GP and then what is being sent to the firewall?

Take any user using that MAC version, and generate a dump report on the firewall CLI. Compare that with the previous MAC OS version, and notice the difference between the report generated and the report sent.

As such, I am not seeing anything reported yet, so once you have done the comparison and are convinced that this might be a bug, open a case and attach the collected logs and reports there. 

Below are a few KB articles that you can follow:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClshCAC

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boP1CAI



BPry
Cyber Elite
Cyber Elite

‎06-26-2024 04:17 PM - edited ‎06-26-2024 04:19 PM

@Salathiwe,

Keep in mind that Sequoia is in beta and GlobalProtect isn't officially supported on this version of macOS yet. PAN will need to make some changes to facilitate this change, but if you open a support ticket you'll likely end up with the same response that I just gave you. For stuff like this, reaching out to your account team is what I personally find more useful so they can work internally to make sure engineers are aware of the issue without filtering through layers of support to just be told that betas aren't fully supported.

 

Should likely add, this is reproducible and isn't limited to you. 

BarbarThomas
L1 Bithead
In response to abandey

‎07-23-2024 12:43 AM

Thanks for the article links, I will check them.

0 Likes Likes

jeffster
L0 Member
In response to BarbarThomas

‎07-23-2024 06:57 AM

FWIW I was able to manually work around the firewall check but I haven't been able to figure out a way to work around the packet filter check. For the firewall, if you have an old copy of the alf plist file (/Library/Preferences/com.apple.alf.plist) you can manually set the global state flag as that is what global protect looks for it appears. I would love to figure out how to get around the packet filter but so far no luck. 

0 Likes Likes

J.Mahlman
L0 Member

‎08-06-2024 05:14 AM

The check should be `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`.

0 Likes Likes

dfaust_92
L0 Member

‎09-17-2024 06:41 AM

Hi do you have any updates ? 

0 Likes Likes

Salathiwe
L2 Linker
In response to dfaust_92

‎09-17-2024 06:47 AM

Not on my end

P.S
0 Likes Likes
  • 4412 Views
  • 7 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks