Activate macOS firewall logging to monitor and audit network traffic on your endpoints
This Automox Worklet™ enables logging for the built-in macOS Application Firewall. When activated, the Worklet begins recording all incoming and outgoing network connections that the firewall evaluates on your endpoint.
The Worklet uses the socketfilterfw utility to query the current logging status and enable logging if it is disabled. Firewall logs are written to the system log files, making them available for review and analysis through macOS system utilities.
Without firewall logging enabled, security incidents go undetected until damage occurs. Attackers probe your endpoints for open ports and vulnerable services, but you have no visibility into these reconnaissance attempts. When compromise happens, forensic investigation becomes impossible without historical network activity records. Network troubleshooting relies on user reports rather than objective firewall decision logs.
This Automox Worklet activates firewall logging to provide detailed connection records. You gain visibility into unauthorized access attempts, track which applications communicate on the network, and detect anomalous behavior indicating security incidents. The logging helps meet compliance requirements from PCI-DSS, HIPAA, and SOC 2, which mandate network traffic auditing. You can troubleshoot connectivity issues by examining actual firewall decisions instead of guessing from user descriptions.
Evaluation phase: The Worklet queries the macOS firewall using /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode to check whether logging is currently enabled. If logging is already active, the Worklet exits with a success status.
Remediation phase: If logging is disabled, the Worklet executes /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on to activate firewall logging immediately.
macOS 10.14 or later
Both workstations and servers are supported
Requires admin-level execution privileges
macOS Application Firewall must be installed and available
After completion, the macOS firewall records all network connection attempts in system logs. Firewall events appear with details about source and destination addresses, ports, protocol types, and whether connections were accepted or blocked. The logging operates continuously without user-visible changes or performance degradation.
Verify logging is active by opening Console.app and filtering for "socketfilterfw" entries, or run log show --predicate 'process == "socketfilterfw"' --last 1h in Terminal to view recent firewall decisions. Check the current status with /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingmode, which returns "Log mode is on" when active. Logs persist until explicitly disabled and provide ongoing visibility for security monitoring and incident investigation.
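The evaluation and remediation phases described above can be sketched as a single script. This is an added example, not Automox's Worklet source: the helper names fw, logging_state and remediate, the --run switch and the exit codes 2, 3 and 4 are assumptions made here, and only the "Log mode is on" string and the two socketfilterfw options come from this page.

```sh
#!/bin/sh
# Added example: evaluate-then-remediate flow for macOS firewall logging.
# Not Automox's Worklet source. fw(), logging_state() and remediate() are
# hypothetical helper names; exit codes 2, 3 and 4 are choices made here.

SOCKETFILTERFW="${SOCKETFILTERFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Single choke point for calling the utility.
fw() { "$SOCKETFILTERFW" "$@"; }

# Evaluation: 0 = logging on, 1 = not on, 2 = utility missing or failed.
logging_state() {
    out=$(fw --getloggingmode 2>/dev/null) || return 2
    case "$out" in
        *"Log mode is on"*) return 0 ;;
        *) return 1 ;;   # anything else is treated as "not enabled"
    esac
}

# Remediation: enable logging only when needed, then re-query so that
# success reflects observed state, not just the setter's exit status.
remediate() {
    state=0
    logging_state || state=$?
    case "$state" in
        0) return 0 ;;            # already compliant, nothing to change
        2) return 2 ;;            # cannot evaluate; do not guess
    esac
    fw --setloggingmode on >/dev/null 2>&1 || return 3
    logging_state || return 3     # setter ran but state did not change
}

# Run on an endpoint with: sudo sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run with admin privileges" >&2
        exit 4
    fi
    remediate
    exit $?
fi
```

Exit code 3 separates a setter that ran but left logging off from an endpoint where the utility could not be queried at all (exit code 2), so the two cases do not look alike in activity logs.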
Run this Worklet on a pilot macOS endpoint and review the evaluation output for enabling firewall logging.
Confirm that the Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the evaluation script logic, such as its else branch and exit status.
Validate remediation effects from script operations such as the /usr/libexec/ApplicationFirewall/socketfilterfw call, the else branch and the exit status, then rerun the evaluation for compliance.
For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for enabling firewall logging. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.
Useful script references for this Worklet include the else branch and exit status in the evaluation script, and the /usr/libexec/ApplicationFirewall/socketfilterfw call, else branch and exit status in the remediation script. Use these indicators to verify that endpoint changes match intended policy outcomes.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
