
Firewall Requirements for Cyber Essentials Plus


Firewalls are the first of the five technical controls in the Cyber Essentials scheme, and for good reason — they form the frontline defence between your organisation's network and the hostile internet beyond. During a Cyber Essentials Plus assessment, your firewall configuration is one of the first things the assessor will examine, and misconfigured or poorly managed firewalls are one of the most common causes of assessment failures.

This guide provides a comprehensive look at the firewall requirements for Cyber Essentials Plus, covering both boundary firewalls and host-based firewalls, the specific configurations required, common pitfalls, and how to ensure your firewall setup passes the independent technical audit.

99%: Gartner has predicted that 99% of firewall breaches are caused by misconfiguration, not by flaws in the firewall itself.

Understanding the Two Types of Firewalls Required

Cyber Essentials requires two layers of firewall protection, creating a “defence in depth” approach:

Boundary Firewalls

  • Protects the network perimeter
  • Controls traffic between your network and the internet
  • Hardware appliance or virtual appliance
  • Examples: Sophos XG, Fortinet, pfSense, Cisco ASA
  • Managed centrally by IT team

Host-Based Firewalls

  • Protects each individual device
  • Controls traffic to and from that specific endpoint
  • Software built into the operating system
  • Examples: Windows Firewall, macOS Firewall, iptables
  • Configured per device or via Group Policy

Both layers are required. Having a robust boundary firewall does not exempt you from the need for host-based firewalls on individual devices, and vice versa. This is especially important in the context of remote working, where devices may connect to networks outside the protection of your boundary firewall.

Core Firewall Requirements

The Cyber Essentials standard sets out specific requirements for how firewalls must be configured. Here is what the assessor will be looking for:

1. Default Deny for Inbound Traffic

This is the single most important firewall requirement in the Cyber Essentials standard. All inbound connections must be blocked by default, with explicit rules created only for traffic that has a legitimate, documented business need.

In practical terms, this means:

No unnecessary open ports. If a port is open on your firewall, there must be a documented business reason for it. Common legitimate exceptions include port 443 (HTTPS) for web servers and port 25/587 for mail servers. But even these should only be open if you actually run those services.

No “allow all” rules. Any rule that permits all inbound traffic on any port from any source is a critical finding that will fail the assessment.

Specific source restrictions where possible. Where inbound access is needed (for example, for remote management), restricting the source IP addresses adds an additional layer of security.

Key Insight: The “default deny” principle means your firewall should be like a locked door with specific keys for specific people. Everything is blocked unless there is an explicit rule to allow it. This is the opposite of a “default allow” approach, which blocks only what you specifically identify as dangerous.

2. Documented Firewall Rules

Every rule on your boundary firewall should be documented, including:

Rule element | Description | Example
Source | Where the traffic is coming from | Any / 10.0.0.0/24 / a specific IP address
Destination | Where the traffic is going | Web server IP / Mail server IP
Port/Protocol | Which port and protocol are allowed | TCP 443 (HTTPS) / TCP 25 (SMTP)
Action | Allow or deny | Allow
Business justification | Why this rule exists | Public website requires HTTPS access

3. No Administrative Interface Exposed to the Internet

The management interface of your firewall (and any other network equipment) must not be reachable from the internet. The Cyber Essentials requirements allow an exception only where there is a clear, documented business need and the interface is protected by a second authentication factor or by an IP allow list restricted to a small range of trusted addresses. An admin console that any external address can reach without those controls is a critical finding.

Similarly, management protocols such as SSH, Telnet, SNMP, and HTTP/HTTPS admin interfaces on routers, switches, and access points should only be accessible from your internal network or specific management subnets.

4. Changed Default Passwords

The default administrator password on your firewall must be changed to a strong, unique password. This applies to all network equipment — routers, switches, wireless access points, and any other devices with management interfaces. Default passwords are publicly documented and are among the first things an attacker will try.

5. Host-Based Firewalls Enabled and Configured

Every device in scope must have its host-based (software) firewall enabled. For most organisations, this means:

Windows: Windows Defender Firewall must be enabled for all network profiles (Domain, Private, and Public). The firewall should be configured to block inbound connections by default.

macOS: The built-in macOS firewall should be enabled via System Settings > Network > Firewall.

Linux: iptables, nftables, or firewalld should be active, with the input chain defaulting to drop and explicit accept rules only for services the device genuinely offers.
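A quick way to verify the Windows requirement above on a sample of machines before the assessor does is to parse the output of the built-in netsh command and flag any profile that is off or does not block inbound by default. This is an added example for this article, not CE+ assessment tooling; the sample output is constructed in the layout netsh prints, and the profile and field names it checks are the ones Windows uses.

```python
"""Check that every Windows Defender Firewall profile is ON and defaults to
BlockInbound by parsing ``netsh advfirewall show allprofiles`` output.
Added example for this article, not assessor tooling."""
import re
import subprocess

REQUIRED_PROFILES = ("Domain", "Private", "Public")

# Constructed sample in the layout netsh prints, for a machine where the user
# has switched the Public profile off and the Private profile allows inbound.
SAMPLE_OUTPUT = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       AllowInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Ok.
"""


def parse_profiles(text):
    """Return {profile name: {"State": ..., "Firewall Policy": ...}}."""
    profiles = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\w+) Profile Settings:", line)
        if header:
            current = header.group(1)
            profiles[current] = {}
            continue
        if current is None:
            continue
        field = re.match(r"^(State|Firewall Policy)\s{2,}(\S+)", line)
        if field:
            profiles[current][field.group(1)] = field.group(2)
    return profiles


def audit_profiles(profiles):
    """Return one failure string per non-compliant profile; empty means pass."""
    failures = []
    for name in REQUIRED_PROFILES:
        profile = profiles.get(name)
        if profile is None:
            failures.append(f"{name}: profile missing from netsh output")
            continue
        if profile.get("State") != "ON":
            failures.append(f"{name}: firewall is {profile.get('State', 'unknown')}")
        policy = profile.get("Firewall Policy", "")
        # "BlockInbound" and "BlockInboundAlways" both satisfy default deny.
        if not policy.startswith("BlockInbound"):
            failures.append(f"{name}: inbound default is not block ({policy or 'unknown'})")
    return failures


def audit_local_machine():
    """Run the real command on a Windows host and audit the live configuration."""
    out = subprocess.run(["netsh", "advfirewall", "show", "allprofiles"],
                         capture_output=True, text=True, check=True).stdout
    return audit_profiles(parse_profiles(out))


if __name__ == "__main__":
    for failure in audit_profiles(parse_profiles(SAMPLE_OUTPUT)):
        print("FAIL", failure)
```

Run `audit_local_machine()` on each sampled endpoint; a non-empty list is what the assessor would also find. To fix and lock the setting centrally, the same state can be pushed from Group Policy or with `Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block`.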

2 layers: both boundary and host-based firewalls are required; defence in depth is mandatory.

How Firewalls Are Tested in CE+

During the Cyber Essentials Plus assessment, the assessor will test your firewall configuration in two main ways:

External Vulnerability Scan

The assessor runs a comprehensive vulnerability scan against all your internet-facing IP addresses. This scan will:

Identify open ports: Every open port is noted. The assessor will ask you to justify each one. Ports that are open without a legitimate business need will be flagged.

Detect services running on open ports: The scan identifies which software is listening on each port and its version. Outdated or vulnerable services will be flagged.

Check for known vulnerabilities: The scan tests for known vulnerabilities (CVEs) in the services running on your external-facing systems.

Test for misconfigurations: This includes weak SSL/TLS configurations, exposed admin interfaces, and services that should not be publicly accessible.
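The first two steps of that external scan, finding open ports and identifying what listens on them, can be rehearsed with a plain TCP connect scan. The following is an added example for this article, not the assessor's tooling: it uses only the standard library, nudges silent services with an HTTP request to coax a banner, and includes a loopback listener with a constructed SSH banner so it can be exercised offline. A real pre-check would run a vulnerability scanner such as nmap with `-sV` against the organisation's actual external ranges.

```python
"""TCP connect scan with a banner grab: discover open ports, then see what the
service says about itself. Added example for this article, not assessor tooling."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=2.0):
    """Return (port, is_open, banner). The banner is whatever the service sends
    first; services that wait for the client (HTTP) are nudged with a HEAD."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = b""
            try:
                banner = s.recv(256)
            except socket.timeout:
                pass
            if not banner:
                try:
                    s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                    banner = s.recv(256)
                except (socket.timeout, OSError):
                    pass
            return port, True, banner.decode("latin-1", "replace").strip()
    except (socket.timeout, OSError):
        # Connection refused, unreachable or filtered: not open from here.
        return port, False, ""


def scan(host, ports, timeout=2.0, workers=64):
    """Map each open port to its banner; closed and filtered ports are omitted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: banner for port, is_open, banner in results if is_open}


def demo_local():
    """Stand up a throwaway loopback listener that greets like an SSH server
    (constructed banner), scan it plus a port known to be closed, and return
    (open_port, closed_port, results) so the behaviour can be checked offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()           # reserve then release a port: it is now closed
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    try:
        return open_port, closed_port, scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    open_port, closed_port, results = demo_local()
    print(f"open {open_port}: {results.get(open_port)!r}")
    print(f"closed {closed_port} reported: {closed_port in results}")
```

Every port the scan lists is one you must be able to justify to the assessor; a banner such as the SSH version string above is exactly what the assessor's scanner uses to match the service against known vulnerabilities, so an outdated version on an open port is two findings, not one.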

Internal Device Checks

On a sample of internal devices, the assessor will verify that the host-based firewall is:

Enabled: The firewall must be active on all network profiles.

Configured to block inbound: Unsolicited inbound connections should be blocked by default.

Not overridden by exceptions: There should be no excessive exceptions that undermine the firewall's effectiveness.

Common Firewall Failures in CE+ Assessments

Based on our experience, these are the most frequent firewall-related findings that cause organisations to fail or require remediation:

Most common firewall assessment failures (share of firewall-related findings):

  • Unnecessary open ports: 35%
  • Host-based firewall disabled: 28%
  • Exposed admin interfaces: 18%
  • Default passwords unchanged: 12%
  • Legacy “allow all” rules: 7%

Firewalls for Remote Workers

With the rise of remote and hybrid working, the firewall requirements for Cyber Essentials have taken on new importance. When employees work from home or other locations outside your office, their devices leave the protection of your boundary firewall.

This is where host-based firewalls become critical. Every device used by a remote worker must have its software firewall enabled and properly configured, regardless of where it connects to the internet. On a home Wi-Fi network or a coffee shop hotspot the host-based firewall is the only filtering left between the device and everything else on that network, so it has to block unsolicited inbound connections on its own.

Additionally, if your organisation uses a VPN for remote workers, the VPN connection itself needs to be secured, and firewall rules should be applied to VPN traffic just as they are to direct internet traffic.

Important: The rise of remote working means host-based firewalls are more important than ever. A device on a home network is only protected by its own software firewall. Ensure Windows Firewall (or equivalent) is enabled on all profiles and cannot be disabled by the user.

Cloud Firewalls and Security Groups

If your organisation uses cloud infrastructure (AWS, Azure, Google Cloud), the firewall requirements also apply to your cloud environments. In cloud terminology, firewalls are typically implemented as:

Security Groups (AWS): Stateful virtual firewalls that control inbound and outbound traffic for EC2 instances and other network interfaces. A new security group denies all inbound traffic, so the same default-deny principle applies: only add the ports you need, and treat an inbound rule with source 0.0.0.0/0 or ::/0 exactly as you would an “any” source on a boundary firewall.

Network Security Groups (Azure): Similar to AWS security groups, these filter traffic to and from Azure resources within a virtual network.

VPC Firewall Rules (Google Cloud): Rules that control traffic to and from VM instances in your Virtual Private Cloud.

The assessor will treat cloud security groups and firewall rules the same way they treat physical firewall configurations. Open ports, permissive rules, and exposed management interfaces in the cloud are just as much of a finding as they would be on-premises.
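One way to apply the rule review from sections 1 to 3 (default deny, no allow-all rules, a documented justification for every rule, no management interface reachable from any source) to both a boundary firewall export and a cloud security group is to normalise both into one rule model and run the same checks. This is an added example for this article, not assessor tooling: the rule model, the list of management ports, and both sample rule sets are assumptions, with addresses drawn from documentation ranges; the security group sample follows the shape of the AWS `describe_security_groups` response.

```python
"""Audit inbound firewall rules, boundary or cloud, against the Cyber Essentials
points: default deny, no allow-all, every rule justified, no admin interface
open to any source. Added example for this article, not assessor tooling."""
from dataclasses import dataclass
import ipaddress

# Assumed ports on which admin interfaces commonly listen; extend for your estate.
MANAGEMENT_PORTS = (22, 23, 161, 3389, 8443, 10443)
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # CIDR or "any"
    destination: str       # CIDR, host address or "any"
    protocol: str          # "tcp", "udp", "icmp" or "any"
    ports: tuple           # (low, high) inclusive; ALL_PORTS when not port-based
    action: str            # "allow" or "deny"
    justification: str = ""


def is_any_source(source):
    """True for the literal 'any' and for a /0 prefix in either address family."""
    if source.strip().lower() == "any":
        return True
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(rules, default_inbound="deny"):
    """Return (severity, rule name, message) findings for an inbound rule set."""
    findings = []
    if default_inbound.lower() != "deny":
        findings.append(("CRITICAL", "<policy>", "default inbound action is not deny"))
    for r in rules:
        if r.action.lower() != "allow":
            continue
        from_anywhere = is_any_source(r.source)
        if from_anywhere and r.protocol == "any" and r.ports == ALL_PORTS:
            findings.append(("CRITICAL", r.name, "allow-all inbound rule"))
        if not r.justification.strip():
            findings.append(("HIGH", r.name, "no documented business justification"))
        if from_anywhere and r.protocol in ("tcp", "any"):
            exposed = [p for p in MANAGEMENT_PORTS if r.ports[0] <= p <= r.ports[1]]
            if exposed:
                findings.append(("CRITICAL", r.name,
                                 f"management port(s) {exposed} reachable from any source"))
    return findings


def rules_from_security_group(sg):
    """Flatten one describe_security_groups entry into Rule objects so the same
    audit applies. IpProtocol '-1' is AWS's 'all traffic'; icmp has no ports."""
    rules = []
    for i, perm in enumerate(sg.get("IpPermissions", [])):
        proto = "any" if perm["IpProtocol"] == "-1" else perm["IpProtocol"]
        ports = (perm["FromPort"], perm["ToPort"]) if proto in ("tcp", "udp") else ALL_PORTS
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            rules.append(Rule(f"{sg['GroupId']}#{i}", cidr, sg["GroupId"], proto, ports,
                              "allow", rng.get("Description", "")))
    return rules


# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges), not real hosts.
BOUNDARY_RULES = [
    Rule("web-https", "any", "203.0.113.10", "tcp", (443, 443), "allow",
         "Public website requires HTTPS access"),
    Rule("mail-smtp", "any", "203.0.113.20", "tcp", (25, 25), "allow",
         "Inbound mail to on-premises mail server"),
    Rule("legacy-allow-all", "any", "any", "any", ALL_PORTS, "allow"),
    Rule("fw-admin", "any", "203.0.113.1", "tcp", (8443, 8443), "allow",
         "Firewall admin console"),
    Rule("msp-ssh", "198.51.100.0/24", "203.0.113.1", "tcp", (22, 22), "allow",
         "SSH from the MSP's management range"),
]
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Public HTTPS"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0", "Description": "temporary"}]},
    ],
}

if __name__ == "__main__":
    for label, rules in (("boundary", BOUNDARY_RULES),
                         ("cloud", rules_from_security_group(SAMPLE_SG))):
        for severity, name, message in audit(rules):
            print(f"[{severity}] {label}/{name}: {message}")
```

The `msp-ssh` rule produces no finding because its source is a specific management range, which is the allow-list pattern the standard accepts for remote administration; `fw-admin` is flagged because the same console is open to every address on the internet. Note that the audit deliberately flags an exposed management port even when a justification is present: the justification satisfies the documentation requirement, but the assessor will still expect a second factor or an allow list before accepting it.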

Firewall Best Practices for CE+

Beyond the minimum requirements, these best practices will help ensure your firewalls pass the CE+ assessment and provide genuine security:

Regular rule reviews: Review your firewall rules at least quarterly. Remove any rules that are no longer needed. Over time, firewalls accumulate “rule bloat” — old rules that were created for specific projects or temporary needs and never removed.

Logging and monitoring: Enable logging on your boundary firewall and review logs regularly for suspicious activity. While not strictly required for CE+, this demonstrates good practice and supports incident detection.

Segmentation: Where practical, segment your network so that a breach in one area does not give an attacker access to your entire network. Use firewall rules to control traffic between segments.

Firmware updates: Keep your firewall appliance's firmware up to date. Vulnerabilities in firewall software are regularly discovered and patched, and running outdated firmware undermines the protection the firewall provides.

Centralised management: Use Group Policy (Windows) or MDM solutions to centrally manage host-based firewall settings. This ensures consistent configuration across all devices and prevents users from disabling their firewalls.

How Cloudswitched Helps

Firewall configuration is one of the areas where our clients benefit most from our managed CE+ service. We conduct a thorough audit of both your boundary and host-based firewalls, identify any gaps or misconfigurations, and implement the necessary changes to bring your environment into compliance.

Our pre-assessment external vulnerability scan replicates what the CE+ assessor will do, allowing us to identify and resolve any issues before the official assessment takes place. This dramatically increases your chances of passing first time.

Ready to Get Certified?

Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end — including comprehensive firewall auditing and configuration across your entire estate.

View CE+ Services

Your firewalls are the first line of defence for your organisation. Getting them right is not just a Cyber Essentials requirement — it is a fundamental element of sound cyber security practice. With proper configuration, regular review, and expert support, your firewall setup can pass the CE+ assessment with confidence and provide genuine, lasting protection for your business.

Tags: Cyber Essentials Plus, Firewalls, Network Security
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.