FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint across Windows, macOS and Linux.
Anthony_E
Staff
Article Id 353612
Description This article describes the impact of disabling the FortiDLP Network extension on macOS.
Scope FortiDLP.
Solution

The FortiDLP agent uses both a Network extension and an Endpoint Security (EPS) extension on macOS. Running multiple Network extensions concurrently always carries the possibility of incompatibilities, and both Fortinet Support and users are aware of this.

Whilst the Fortinet team makes every effort to reproduce such reports, they have generally not been reproducible, nor has a reliable set of reproduction steps been available to raise the issue with Apple for further investigation.


Until Fortinet can reliably reproduce a scenario internally and identify either a root cause in the FortiDLP product or a potential issue in macOS itself, one workaround is to disable some or all of the Network extension's filter components.

This is not a scenario tested or supported by Fortinet, and it is undertaken at the user's own risk. This article outlines the currently known impacts on FortiDLP agent functionality on macOS, but the list is not guaranteed to be exhaustive.


Socket Filter/FilterSockets

Example setting in Jamf:

[Screenshot: the Socket Filter (FilterSockets) setting in the Jamf configuration profile]


If this setting is disabled, some known consequences include:

  • No network or connection events are reported in the FortiDLP platform for the affected agent(s).
  • Policies that rely on network activity events will no longer function correctly. These include:
    • Sensitive file transferred to a remote destination.
    • Unauthorized TCP connection made.
    • Connection made using rsync.
    • Periodic outgoing TCP connection detected.
    • TCP connection with high bandwidth.
    • Connection made to remote destination using file transfer utility.
  • The Outlook integration will no longer function.
  • Isolate can still be triggered by an operator action or a policy detection action, but without the Socket Filter it can cut all of the agent's network connectivity, including its connection to the FortiDLP platform. A de-isolate instruction can then no longer reach the agent, and the agent must be removed to restore network connectivity.


Network Filter/FilterPackets

Example setting in Jamf:

[Screenshot: the Network Filter (FilterPackets) setting in the Jamf configuration profile]

If this setting is disabled, some of the known consequences include:

  • Network isolation functionality is no longer possible.
  • Policies that rely on DNS activity events will no longer function correctly. These are:
    • DNS exfiltration.
    • A new DNS server was used.

Allowing only the EPS extension to run or disabling both the Network and Socket Filters.

Example setting in Jamf:

[Screenshot: the Jamf configuration profile with both the Socket Filter and Network Filter settings disabled]

If the whole Network extension is disabled, or both filters are disabled, all of the above limitations apply. The one difference is that the risk of an agent becoming stuck in isolation (described under the Socket Filter) no longer arises, because with the Network Filter disabled isolation cannot be applied at all.
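The three configurations above differ only in the FilterSockets and FilterPackets booleans of the com.apple.webcontent-filter payload that a Jamf Content Filter profile deploys for the Network extension. The script below is an added example, not Fortinet's own tooling: it parses such a profile and maps those two keys onto the impact lists in this article, including the stuck-isolation case that only arises when the Socket Filter is off while the Network Filter stays on. The embedded profile is constructed for illustration, and every bundle identifier and name in it is a placeholder, not FortiDLP's real value.

```python
"""Audit a Web Content Filter profile for FortiDLP's macOS network filters.

Added example, not Fortinet's code: it parses a .mobileconfig, finds the
com.apple.webcontent-filter payload(s) written for a Network extension, and
maps FilterSockets / FilterPackets onto the impact lists in this article.
Bundle identifiers below are placeholders, not FortiDLP's real values.
"""
import plistlib
import sys

# Constructed sample: one content-filter payload with the Socket Filter
# (FilterSockets) disabled and the Network Filter (FilterPackets) still enabled.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.fortidlp.netfilter</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webcontent-filter</string>
      <key>PayloadIdentifier</key><string>com.example.fortidlp.netfilter.wcf</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>FilterType</key><string>Plugin</string>
      <key>UserDefinedName</key><string>FortiDLP Network Filter</string>
      <key>PluginBundleID</key><string>com.example.fortidlp.agent</string>
      <key>FilterSockets</key><false/>
      <key>FilterDataProviderBundleIdentifier</key><string>com.example.fortidlp.agent.netext</string>
      <key>FilterPackets</key><true/>
      <key>FilterPacketProviderBundleIdentifier</key><string>com.example.fortidlp.agent.netext</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Policy names taken from this article's impact lists.
SOCKET_FILTER_POLICIES = (
    "Sensitive file transferred to a remote destination",
    "Unauthorized TCP connection made",
    "Connection made using rsync",
    "Periodic outgoing TCP connection detected",
    "TCP connection with high bandwidth",
    "Connection made to remote destination using file transfer utility",
)
PACKET_FILTER_POLICIES = ("DNS exfiltration", "A new DNS server was used")


def content_filter_payloads(profile_bytes):
    """Return the com.apple.webcontent-filter payload dicts found in a profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.webcontent-filter"]


def assess(payload):
    """Map one content-filter payload onto the FortiDLP capabilities it leaves intact."""
    # Assumption for this audit: a missing key counts as disabled. Confirm the
    # platform default in Apple's payload reference before relying on that.
    sockets = bool(payload.get("FilterSockets", False))
    packets = bool(payload.get("FilterPackets", False))
    broken = []
    if not sockets:
        broken.extend(SOCKET_FILTER_POLICIES)
    if not packets:
        broken.extend(PACKET_FILTER_POLICIES)
    return {
        "network_events": sockets,        # connection events reach the platform
        "outlook_integration": sockets,
        "dns_events": packets,
        "isolate_available": packets,     # isolation needs the Network Filter
        # The one dangerous combination: isolate still works (packets on) but
        # the agent can lose its own path to the platform (sockets off), so a
        # de-isolate may never arrive and the agent has to be removed.
        "stuck_isolation_risk": packets and not sockets,
        "broken_policies": broken,
    }


def audit(profile_bytes):
    """Assess every content-filter payload in a profile, keyed by UserDefinedName."""
    return {p.get("UserDefinedName", p.get("PayloadIdentifier", "?")): assess(p)
            for p in content_filter_payloads(profile_bytes)}


if __name__ == "__main__":
    # Usage: python audit_fortidlp_filters.py exported.mobileconfig
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for name, result in audit(data).items():
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Point the script at a profile exported from Jamf (or a locally authored .mobileconfig) to see which FortiDLP capabilities a given filter combination leaves working before it is pushed to endpoints; the stuck_isolation_risk flag is the case to check for first, since it is the only combination that can leave an agent unreachable.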
