
Level Verified

macOS Monitor - Firewall Script

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

The macOS application firewall controls which inbound connections running applications are allowed to accept. When it is disabled, every listening service on the endpoint is reachable from whatever network the device is on, which matters most for laptops on home, hotel and public Wi-Fi outside the corporate perimeter. Detecting a disabled firewall proactively helps maintain a stronger security posture and reduces the chance of a breach.

Description

This script runs the built-in /usr/libexec/ApplicationFirewall/socketfilterfw command with --getglobalstate and inspects its output to determine the firewall's state on a macOS endpoint. If the firewall is enabled, the script prints a success message and exits 0; if it is disabled, it prints an alert and exits 1, which a script-based monitor in Level treats as a failed check. Set it up as a script-based monitor so that you are notified whenever the firewall is found to be off.

You can also integrate it into a scheduled Automation in Level, running periodic checks to enforce consistent security standards across your macOS fleet, ensuring no device remains unprotected.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot 
# guarantee it will work in all environments. Please test before deploying 
# to your production environment. We welcome contributions to our community 
# library

# Level Library
# https://level.io/library/script-macos-monitor-firewall

# The application firewall CLI that ships with macOS
SOCKETFILTERFW="/usr/libexec/ApplicationFirewall/socketfilterfw"

# Level runs this script as root ("Local system"), so sudo is not needed.
# If the command cannot be run at all (wrong platform, missing binary), fail
# closed: report an alert rather than silently treating the empty output as
# "disabled" or "enabled".
if ! FIREWALL_STATUS=$("$SOCKETFILTERFW" --getglobalstate 2>&1); then
  echo "ALERT: Could not query firewall state: $FIREWALL_STATUS"
  exit 1
fi

# --getglobalstate prints "Firewall is enabled. (State = 1)" when on and
# "Firewall is disabled. (State = 0)" when off; match on the phrase.
if [[ "$FIREWALL_STATUS" == *"Firewall is enabled"* ]]; then
  echo "SUCCESS: Firewall is enabled."
  exit 0
else
  echo "ALERT: Firewall is disabled."
  exit 1
fi

Use Cases

  • Monitoring critical workstations or servers for disabled firewalls
  • Ensuring compliance with organizational security requirements
  • Detecting user-initiated or accidental firewall disablement
  • Proactively safeguarding remote or mobile macOS devices

Recommendations

  • Test the script on a sample device to confirm firewall checks work as intended
  • Use a script-based monitor in Level to receive real-time notifications
  • Schedule periodic scans with a Level Automation for comprehensive coverage
  • Consider automatic remediation if the firewall is disabled, such as re-enabling it via a separate script
  • Keep logs of alerts to spot trends or repeated disablement
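The remediation mentioned above, as an added example that is not part of the Level library script: it reuses the same socketfilterfw --getglobalstate check, turns the firewall on with --setglobalstate on when it is off, and then re-queries to verify the change rather than trusting the set command's exit status. The function names, the SOCKETFILTERFW override variable and the exit codes (0 verified on, 1 remediation failed, 2 state could not be read) are this example's own conventions, not Level's. Like the monitor script it expects to run as root under Level.

```bash
#!/bin/bash
# Added example (not the Level library script): enable the macOS application
# firewall if it is off, then verify. SOCKETFILTERFW may be overridden so the
# logic can be exercised against a stub on a non-macOS host.
SOCKETFILTERFW="${SOCKETFILTERFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Map the text of `socketfilterfw --getglobalstate` to enabled|disabled|unknown.
# Anything other than the two known phrases is "unknown", never a pass.
parse_fw_state() {
  case "$1" in
    *"Firewall is enabled"*)  echo enabled ;;
    *"Firewall is disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# Query the firewall and print the parsed state; "unknown" if the command fails.
get_fw_state() {
  local out
  if ! out=$("$SOCKETFILTERFW" --getglobalstate 2>/dev/null); then
    echo unknown
    return 0
  fi
  parse_fw_state "$out"
}

# Enable the firewall when it is off and re-check. Returns 0 only when the
# firewall is verified enabled, 1 when remediation did not take, 2 when the
# state could not be read (the monitor should alert on that too).
ensure_firewall_on() {
  local state
  state=$(get_fw_state)
  case "$state" in
    enabled) echo "OK: Firewall already enabled."; return 0 ;;
    unknown) echo "ALERT: Could not query firewall state."; return 2 ;;
  esac
  echo "Firewall is disabled; enabling."
  if ! "$SOCKETFILTERFW" --setglobalstate on >/dev/null 2>&1; then
    echo "ALERT: socketfilterfw --setglobalstate on failed."
    return 1
  fi
  # Verify by re-reading state instead of trusting the set command.
  state=$(get_fw_state)
  if [ "$state" = enabled ]; then
    echo "SUCCESS: Firewall enabled and verified."
    return 0
  fi
  echo "ALERT: Firewall still $state after remediation."
  return 1
}

# Run only where socketfilterfw exists (i.e. on macOS); elsewhere the functions
# are defined but nothing is changed, so the file can be sourced or tested.
if [ -x "$SOCKETFILTERFW" ]; then
  ensure_firewall_on
  exit $?
fi
```

Pair this with the monitor rather than replacing it: the monitor alerts, the remediation runs as a follow-up action, and the alert log still records how often the firewall was found off on a given device.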

FAQ

  • How do I integrate this script in Level?
    Import it as a resource, then configure a script-based monitor or an Automation schedule to run it.
  • Does this script turn the firewall on if it’s disabled?
    No, it only reports status. Pair it with a remediation action if you want to enable the firewall automatically.
  • What permissions are required?
    Under Level it runs as the local system account, which on macOS is root, so it can query (and, in a remediation script, change) the firewall state without prompting. Because of this, sudo is not required inside the script.
  • Does the script work on older macOS versions?
    /usr/libexec/ApplicationFirewall/socketfilterfw has shipped with every macOS release since the application firewall was introduced in Mac OS X 10.5, and the "Firewall is enabled" / "Firewall is disabled" output the script matches on has been stable. Test in your specific environment to confirm compatibility.
  • Can I customize the alert message?
    Yes, edit the echo statements within the script to suit your logging or notification preferences.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

macOS Monitor - Firewall

Description

This script checks the status of the macOS firewall by querying its global state and outputs a success message if the firewall is enabled or an alert if it is disabled, ensuring system security is maintained.

Language

Bash

Timeout (In Seconds)

100

Run As

Local system
