The Firewall module filters incoming and outgoing network traffic, allowing or blocking it as defined in the rules. Each rule defines a set of conditions that the network traffic must meet and an associated action that is executed when the traffic meets them.

Stateful filtering and packet inspection identify data packets for different types of connections and hold the connection attributes in memory until the end of the session. When the first data packet of a new session arrives, Firewall matches the packet against the rules list. If the data packet matches an existing allow rule, a new entry is added to the state table and the traffic is allowed; subsequent packets of that session are allowed without further verification. When the session is completed or timed out, the entry is removed from the table.

If the data packet does not match existing rules, Firewall blocks the network traffic.

You can run Firewall protection in two ways:

  • Regular mode — When the network packet matches a rule’s conditions, the associated action defined in the rule is executed. If no matching rule is found, the network packet is blocked.
  • Adaptive mode — When the network packet matches a rule’s conditions, the associated action defined in the rule is executed. If no matching rule is found, the packet is allowed and a rule is created to allow similar packets later.
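
A simplified model of the state-table lookup and the two modes described above, added here as an example; it is not McAfee's code. The class names, packet fields, first-match rule order and session key are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "block"
    direction: str     # "in" or "out"
    protocol: str
    remote_port: int
    def matches(self, pkt):
        return (self.direction, self.protocol, self.remote_port) == (
            pkt["direction"], pkt["protocol"], pkt["remote_port"])

@dataclass
class ModelFirewall:
    rules: list
    adaptive: bool = False
    state: set = field(default_factory=set)      # state table: active sessions
    learned: list = field(default_factory=list)  # rules created by Adaptive mode

    @staticmethod
    def session_key(pkt):  # direction excluded so replies share the session
        return (pkt["protocol"], pkt["remote"], pkt["remote_port"])

    def handle(self, pkt):
        key = self.session_key(pkt)
        if key in self.state:
            return "allow"                       # known session: no rule lookup
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None and self.adaptive:       # no match: learn an allow rule
            rule = Rule("allow", pkt["direction"], pkt["protocol"], pkt["remote_port"])
            self.rules.append(rule)
            self.learned.append(rule)            # keep a list for later review
        verdict = rule.action if rule else "block"
        if verdict == "allow":
            self.state.add(key)                  # assumption: any allow opens a session
        return verdict

    def end_session(self, pkt):
        self.state.discard(self.session_key(pkt))  # session completed or timed out

# Constructed sample packets (203.0.113.10 is a documentation address).
OUT_HTTPS = {"direction": "out", "protocol": "tcp", "remote": "203.0.113.10", "remote_port": 443}
REPLY, OUT_OTHER = dict(OUT_HTTPS, direction="in"), dict(OUT_HTTPS, remote_port=8443)

def demo(adaptive):
    fw = ModelFirewall([Rule("allow", "out", "tcp", 443)], adaptive=adaptive)
    steps = [fw.handle(OUT_HTTPS), fw.handle(REPLY)]   # reply rides the session entry
    fw.end_session(OUT_HTTPS)
    return steps + [fw.handle(REPLY), fw.handle(OUT_OTHER)], len(fw.learned)
```

With the same packets, the Regular-mode model blocks the late reply and the unlisted port, while the Adaptive-mode model allows both and ends up with two learned allow rules, one of them inbound, which is why learned rules are worth reviewing.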

Controlled network access protection permits the Mac to access only authorized networks, minimizing the risk from network threats.

This diagram provides a high-level view of how Firewall protects your Mac.

  1. Firewall monitors the network activity.
  2. Firewall analyzes the incoming and outgoing traffic according to the rules configured in the policy.
  3. The administrator configures firewall rules in McAfee ePO and enforces the policy to the client system. The user performs a task that initiates network activity and generates traffic.
  4. Firewall scans all incoming and outgoing traffic and compares packets to configured rules. If the traffic matches a rule, Firewall blocks or allows it, based on the rule criteria. Firewall logs the details, then generates and sends an event to McAfee ePO.