
Enable Firewall Logging

Activate macOS Application Firewall logging to monitor and audit inbound connection decisions on your endpoints

Worklet Details

What the firewall logging enabler does

This Automox Worklet™ enables logging for the built-in macOS Application Firewall. When activated, the firewall records every incoming connection it evaluates, along with its allow or deny decision. Note that the Application Firewall filters incoming connections only; it does not evaluate, and therefore does not log, outbound traffic.

The Worklet uses the socketfilterfw utility (/usr/libexec/ApplicationFirewall/socketfilterfw) to query the current logging status and enable logging if it is disabled. Firewall events are written to the unified system log (on releases before macOS Sierra they went to /var/log/appfirewall.log), making them available for review through Console.app or the log command.

Why enable firewall logging on macOS endpoints

Without firewall logging enabled, inbound probing goes unnoticed until damage occurs. Attackers scan your endpoints for open ports and listening services, but you have no record of these reconnaissance attempts. When a compromise happens, forensic investigation is far harder without a history of which connections the firewall allowed or blocked. Network troubleshooting relies on user reports rather than the firewall's own decision log.

This Automox Worklet activates firewall logging to provide detailed inbound connection records. You gain visibility into unauthorized access attempts, see which applications accept inbound connections, and can detect anomalous patterns such as repeated denies from one source. The logging helps satisfy frameworks such as PCI-DSS, HIPAA, and SOC 2, which expect network access to be logged and auditable. You can troubleshoot connectivity issues by examining actual firewall decisions instead of guessing from user descriptions.

How firewall logging activation works

  1. Evaluation phase: The Worklet queries the macOS firewall using /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode to check whether logging is currently enabled. The utility prints "Log mode is on" or "Log mode is off". If logging is already active, the Worklet exits 0 (compliant); otherwise it exits non-zero, which triggers remediation.

  2. Remediation phase: If logging is disabled, the Worklet executes /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on to activate firewall logging immediately. Logging only records decisions while the Application Firewall itself is on (check with socketfilterfw --getglobalstate); the Worklet does not change the firewall's global state, so a disabled firewall will log nothing even after this step.
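The two phases above, written out as an added shell example in the Automox Worklet style (this is illustrative code, not Automox's own Worklet script). The socketfilterfw path is the real one; the SFW environment override, the fwlog.sh file name and the exact messages are assumptions made here so the logic can be exercised on a non-macOS host.

```shell
#!/bin/bash
# Added example, not the Automox Worklet itself: evaluation and remediation for
# macOS Application Firewall logging. Exit 0 = compliant/success, 1 = not.
# SFW may be overridden to point at a stand-in binary (assumption for testing).
SFW="${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# True when the text printed by `socketfilterfw --getloggingmode` says logging is on.
logging_is_on() {
  case "$1" in
    *"Log mode is on"*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when `socketfilterfw --getglobalstate` reports the firewall as enabled,
# e.g. "Firewall is enabled. (State = 1)" (State = 2 is "block all incoming").
firewall_is_on() {
  case "$1" in
    *"Firewall is enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Evaluation: 0 when logging is already on, 1 when it must be turned on or the
# utility cannot be queried (missing binary, not running as root, not macOS).
evaluate() {
  local mode
  if ! mode="$("$SFW" --getloggingmode 2>&1)"; then
    echo "Cannot query firewall logging state: $mode" >&2
    return 1
  fi
  if logging_is_on "$mode"; then
    echo "Compliant: $mode"
    return 0
  fi
  echo "Non-compliant: $mode"
  return 1
}

# Remediation: warn if the firewall itself is off (logging would record nothing),
# turn logging on, then re-run the evaluation to confirm the new state.
remediate() {
  local state
  state="$("$SFW" --getglobalstate 2>&1)" || true
  if ! firewall_is_on "$state"; then
    echo "Warning: Application Firewall is not enabled ($state); logging will stay silent until it is." >&2
  fi
  if ! "$SFW" --setloggingmode on >/dev/null 2>&1; then
    echo "Failed to enable firewall logging" >&2
    return 1
  fi
  evaluate
}

# Usage (as root on macOS):  ./fwlog.sh evaluate   or   ./fwlog.sh remediate
case "${1:-}" in
  evaluate) evaluate ;;
  remediate) remediate ;;
esac
```

In Automox the two functions would live in the separate evaluation and remediation scripts; they are kept in one file here only so the parsing helpers are shared. The global-state warning is the check a practitioner wants: a device can be "compliant" for logging while its firewall is off, in which case the setting produces no events at all.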

Firewall logging activation requirements

  • macOS 10.14 or later

  • Both workstations and servers are supported

  • Requires admin-level execution privileges

  • The macOS Application Firewall (built into every supported release) should be enabled, since logging only records the decisions of an active firewall

Expected state after firewall logging activation

After completion, the macOS Application Firewall records incoming connection attempts in the unified log. Firewall events identify the application or binary involved, the source address and port, the protocol number, and whether the connection was allowed or denied. The setting survives reboots, involves no user-visible change, and adds only the cost of writing log entries.

Verify logging is active by opening Console.app and filtering for "socketfilterfw" entries, or run log show --predicate 'process == "socketfilterfw"' --last 1h in Terminal to view recent firewall decisions. Check the current setting with /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode, which returns "Log mode is on" when active. The setting persists until explicitly disabled; retention of the entries themselves follows the unified log's normal rotation, so forward events to central logging if you need them for long-term monitoring and incident investigation.
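Once logging is on, the decision records are the raw material for the anomaly detection mentioned above. The following added example (not code from the page or from Automox) summarises denied inbound attempts per source address and flags sources above a threshold, a crude port-scan or brute-force indicator. The sample lines are constructed, not captured from a real host; they follow the "Allow|Deny <app> connecting from <ip>:<port> ... proto=<n>" message shape the Application Firewall writes, and the THRESHOLD value is an assumption.

```shell
#!/bin/bash
# Added example, not from the page or Automox: triage firewall decisions.
# SAMPLE_LOG is constructed for illustration. On a real endpoint, pipe in:
#   log show --predicate 'process == "socketfilterfw"' --last 1h
SAMPLE_LOG='Deny sshd-keygen-wrapper connecting from 203.0.113.7:51023 uid = 0 proto=6
Allow /usr/libexec/sharingd connecting from 192.0.2.14:49152 uid = 501 proto=6
Deny sshd-keygen-wrapper connecting from 203.0.113.7:51024 uid = 0 proto=6
Deny /usr/sbin/cupsd connecting from 198.51.100.9:60001 uid = 0 proto=6
Deny sshd-keygen-wrapper connecting from 203.0.113.7:51025 uid = 0 proto=6
Allow /usr/libexec/sharingd connecting from 192.0.2.14:49153 uid = 501 proto=17'

# Count denied connection attempts per source IP, busiest source first.
# The Deny and "from" tokens are located anywhere in the line, so the raw
# `log show` prefix (timestamp, pid, process name) does not matter.
denies_by_source() {
  awk '{
    deny = 0; src = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "Deny") deny = 1
      if (deny && $i == "from") { split($(i + 1), a, ":"); src = a[1] }
    }
    if (deny && src != "") count[src]++
  }
  END { for (s in count) printf "%d %s\n", count[s], s }' | sort -k1,1rn -k2,2
}

# Print sources denied more than THRESHOLD times (assumed cut-off of 2).
noisy_sources() {
  denies_by_source | awk -v t="${THRESHOLD:-2}" '$1 > t { print $2 }'
}

# Example run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | denies_by_source
printf '%s\n' "$SAMPLE_LOG" | noisy_sources
```

The same pipeline, fed from log show on a schedule, gives a simple detection hook: a source that accumulates denies across many ports in a short window is scanning, while a single app repeatedly denied from one internal host usually points to a misconfigured client rather than an attack.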

How to validate enable firewall logging changes

  1. Run this Worklet on a pilot macOS endpoint and review the evaluation output, which should report the result of socketfilterfw --getloggingmode.

  2. Confirm the Automox activity log shows successful completion and exit code 0.

  3. Verify the endpoint state the same way the evaluation script does: socketfilterfw --getloggingmode must print "Log mode is on", and socketfilterfw --getglobalstate should show the firewall enabled so that the logging actually produces events.

  4. Validate the remediation effect by generating an inbound connection to the device and confirming a matching socketfilterfw entry appears in log show, then rerun the evaluation to confirm the device now reports compliant.

For technical validation, compare the endpoint state against the Worklet's evaluation logic and remediation flow: evaluation queries the logging mode and exits 0 only when it is on; remediation runs socketfilterfw --setloggingmode on. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Use these two socketfilterfw invocations, and the exit code of each script, as the indicators that endpoint changes match the intended policy outcome.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
