Once the VPN connection is being established, the access rules are passed to the client via a CSTP handshake during the setup. The agent takes a snapshot of the existing firewall rules and applies the received rules to the firewall available on the operating system.
Rules applied differently on Windows & Mac operationg systems
The rules obtained from ASA will be applied to the Windows Firewall present on the Windows Operating Systems. For older operating systems on which AnyConnect gets installed (Windows 2000 and XP pre-SP2), the firewall feature will softly fail, logging an error message that the OS is not supported for this feature.
The rules obtained from ASA will be applied to ipfw, the legacy firewall present in MAC. The native application firewall present on OSX 10.5 and OSX 10.6 do not have any APIs that can be utilized . However, we can configure ipfw. So, there is no necessity for us to disable the application firewall.