
Firewall Requirements for Cyber Essentials Plus

Firewalls are the first of the five technical controls in the Cyber Essentials scheme, and for good reason — they form the frontline defence between your organisation's network and the hostile internet beyond. During a Cyber Essentials Plus assessment, your firewall configuration is one of the first things the assessor will examine, and misconfigured or poorly managed firewalls are one of the most common causes of assessment failures.

This guide provides a comprehensive look at the firewall requirements for Cyber Essentials Plus, covering both boundary firewalls and host-based firewalls, the specific configurations required, common pitfalls, and how to ensure your firewall setup passes the independent technical audit.

For UK organisations pursuing Cyber Essentials Plus certification, understanding firewall requirements is not merely an exercise in compliance. A properly configured firewall infrastructure is a genuine security measure that protects your business from the vast majority of commodity cyber attacks. According to the National Cyber Security Centre (NCSC), implementing the five Cyber Essentials controls — starting with firewalls — can prevent up to 80% of common cyber attacks targeting UK businesses.

  • 43%: UK businesses that experienced a cyber breach or attack in 2024
  • £4,200: average cost of a cyber attack for UK small businesses
  • 91%: of cyber attacks begin at the network perimeter
  • 14 days: average time to detect a firewall misconfiguration
  • 99%: of firewall breaches are caused by misconfigurations, not firewall flaws (Gartner)

Understanding the Two Types of Firewalls Required

Cyber Essentials requires two layers of firewall protection, creating a “defence in depth” approach:

Boundary Firewalls

  • Protects the network perimeter
  • Controls traffic between your network and the internet
  • Hardware appliance or virtual appliance
  • Examples: Sophos XG, Fortinet, pfSense, Cisco ASA
  • Managed centrally by IT team

Host-Based Firewalls

  • Protects each individual device
  • Controls traffic to and from that specific endpoint
  • Software built into the operating system
  • Examples: Windows Firewall, macOS Firewall, iptables
  • Configured per device or via Group Policy

Both layers are required. Having a robust boundary firewall does not exempt you from the need for host-based firewalls on individual devices, and vice versa. This is especially important in the context of remote working, where devices may connect to networks outside the protection of your boundary firewall.

The dual-layer requirement reflects a fundamental principle of modern cyber security: no single point of defence should be relied upon exclusively. Even the most sophisticated boundary firewall can be bypassed if a device is taken off-premises, connected to a compromised network, or if an attacker gains access through a method that does not cross the network perimeter (such as a USB device or a phishing email). Host-based firewalls provide a second line of defence that travels with the device, ensuring protection regardless of the network environment.

Pro Tip

Document every change to your firewall configuration in a change log with the date, the person responsible, the change made, and the business justification. This not only satisfies the CE+ assessor but also provides an invaluable audit trail when troubleshooting network issues or investigating security incidents. Many UK organisations use a simple shared spreadsheet; more mature environments integrate change management into their ITSM tooling.

Core Firewall Requirements

The Cyber Essentials standard sets out specific requirements for how firewalls must be configured. Here is what the assessor will be looking for:

1. Default Deny for Inbound Traffic

This is the single most important firewall requirement in the Cyber Essentials standard. All inbound connections must be blocked by default, with explicit rules created only for traffic that has a legitimate, documented business need.

In practical terms, this means:

No unnecessary open ports. If a port is open on your firewall, there must be a documented business reason for it. Common legitimate exceptions include port 443 (HTTPS) for web servers and port 25/587 for mail servers. But even these should only be open if you actually run those services.

No “allow all” rules. Any rule that permits all inbound traffic on any port from any source is a critical finding that will fail the assessment.

Specific source restrictions where possible. Where inbound access is needed (for example, for remote management), restricting the source IP addresses adds an additional layer of security.

Key Insight: The “default deny” principle means your firewall should be like a locked door with specific keys for specific people. Everything is blocked unless there is an explicit rule to allow it. This is the opposite of a “default allow” approach, which blocks only what you specifically identify as dangerous.

2. Documented Firewall Rules

Every rule on your boundary firewall should be documented, including:

  • Source: where the traffic is coming from (e.g. Any / 10.0.0.0/24 / a specific IP)
  • Destination: where the traffic is going (e.g. web server IP / mail server IP)
  • Port/Protocol: which port and protocol are allowed (e.g. TCP 443 (HTTPS) / TCP 25 (SMTP))
  • Action: allow or deny (e.g. Allow)
  • Business Justification: why this rule exists (e.g. "Public website requires HTTPS access")

Rule documentation is one of the areas where many UK organisations fall short during their initial CE+ assessment. Over time, firewall rule sets accumulate entries that were added for specific projects, temporary access requirements, or troubleshooting purposes and never removed. A quarterly rule review process, where every rule is re-justified or removed, is essential for maintaining a clean and compliant configuration. Aim to keep your rule set as lean as possible — the fewer rules you have, the smaller your attack surface and the easier your audit will be.
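
The "default deny" requirement and the rule register above fit together naturally: if the register is the source of truth, the running ruleset can be generated from it, and anything that would fail the assessment (a rule with no justification, or an any-source/any-port allow) can be refused before it ever reaches the firewall. The following script is an added example, not code from the original article or from Cloudswitched; it emits an nftables input chain with policy drop and carries each rule's business justification as an inline comment so an assessor can read it straight from `nft list ruleset`. It assumes IPv4 only, an `inet` table named "filter", and a register shaped like the five-column table above; the two register entries are constructed.

```python
# Added example (not from the original article): turn a documented inbound rule
# register into an nftables ruleset whose input chain drops by default, and refuse
# to emit rules that would fail a CE+ assessment (no justification, or "allow all").
# Assumptions: IPv4 only, an `inet` table named "filter", and a register shaped like
# the five-column table above. The register entries at the bottom are constructed.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class InboundRule:
    source: str          # "any" or an IPv4 network, e.g. "198.51.100.0/24"
    destination: str     # IPv4 host or network the traffic is going to
    protocol: str        # "tcp" or "udp"
    ports: str           # "443", "25,587" or "any"
    justification: str   # business reason; required for every allow rule


def _is_any(value: str) -> bool:
    return value.strip().lower() == "any"


def audit_rules(rules: list[InboundRule]) -> list[str]:
    """Return one problem string per defect; an empty list means the register is clean."""
    problems = []
    for i, r in enumerate(rules, 1):
        if not r.justification.strip():
            problems.append(f"rule {i}: no business justification recorded")
        if r.protocol not in ("tcp", "udp"):
            problems.append(f"rule {i}: unsupported protocol {r.protocol!r}")
        if _is_any(r.source) and _is_any(r.ports):
            problems.append(f"rule {i}: allow-all rule (any source, any port) is a critical finding")
        for label, value in (("source", r.source), ("destination", r.destination)):
            if label == "source" and _is_any(value):
                continue
            try:
                if ipaddress.ip_network(value, strict=False).version != 4:
                    problems.append(f"rule {i}: {label} {value!r} is not IPv4 (generator is IPv4 only)")
            except ValueError:
                problems.append(f"rule {i}: {label} {value!r} is not a valid network")
        if not _is_any(r.ports):
            for p in r.ports.split(","):
                if not (p.strip().isdigit() and 1 <= int(p) <= 65535):
                    problems.append(f"rule {i}: bad port {p.strip()!r}")
    return problems


def render_nftables(rules: list[InboundRule]) -> str:
    """Emit a default-deny input chain with one commented accept per documented rule."""
    problems = audit_rules(rules)
    if problems:
        raise ValueError("rule register failed audit:\n" + "\n".join(problems))
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",  # default deny inbound
        "    ct state established,related accept",              # replies to our own traffic
        "    ct state invalid drop",
        "    iif lo accept",
        "    icmp type echo-request limit rate 5/second accept",
    ]
    for r in rules:
        match = []
        if not _is_any(r.source):
            match.append(f"ip saddr {r.source}")          # source restriction where documented
        match.append(f"ip daddr {r.destination}")
        if _is_any(r.ports):
            match.append(f"meta l4proto {r.protocol}")
        else:
            match.append(f"{r.protocol} dport {{ {r.ports} }}")
        # The justification travels with the rule; nft comments are limited to 128 chars.
        comment = r.justification.replace('"', "'")[:128]
        match.append(f'accept comment "{comment}"')
        lines.append("    " + " ".join(match))
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


# Constructed register: a public web server and partner-restricted SFTP, using the
# documentation address ranges (TEST-NET-2 and TEST-NET-3).
EXAMPLE_REGISTER = [
    InboundRule("any", "203.0.113.10/32", "tcp", "443", "Public website requires HTTPS access"),
    InboundRule("198.51.100.0/24", "203.0.113.20/32", "tcp", "22", "Partner SFTP uploads from partner fixed range"),
]

if __name__ == "__main__":
    print(render_nftables(EXAMPLE_REGISTER))
```

Run the script and load the output with `nft -c -f` to syntax-check it before applying. Because `audit_rules` runs first, a register containing a legacy "allow all" entry or an unjustified port is rejected with a readable list of problems instead of silently becoming the ruleset the assessor scans.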

Next-Generation Firewall (NGFW)

Recommended for modern UK businesses. Typically provides:

  • Deep packet inspection
  • Application-layer awareness
  • Intrusion prevention system (IPS)
  • SSL/TLS traffic inspection
  • User identity awareness
  • Threat intelligence feeds
  • Centralised cloud management
  • Automated rule recommendations

Traditional Packet-Filtering Firewall

Basic approach with limited visibility: filters on addresses, ports and protocols only, and lacks the NGFW capabilities listed above (deep packet inspection, application-layer awareness, IPS, SSL/TLS inspection, user identity awareness, threat intelligence feeds, centralised cloud management and automated rule recommendations).

While Cyber Essentials Plus does not mandate next-generation firewalls specifically, the capabilities they provide — particularly deep packet inspection, application awareness, and integrated intrusion prevention — make meeting the standard significantly easier and provide substantially better real-world protection. For UK SMEs, the leading NGFW solutions (Sophos XGS, Fortinet FortiGate, and WatchGuard Firebox) offer models priced from £300–£800 for small office deployments, making them accessible for organisations of almost any size.

3. No Administrative Interface Exposed to the Internet

The management interface of your firewall (and any other network equipment) must not be accessible from the internet. If the admin console of your firewall can be reached from an external IP address, this is a critical finding.

Similarly, management protocols such as SSH, SNMP, and HTTP/HTTPS admin interfaces on routers, switches, and access points should only be accessible from your internal network or specific management subnets. Telnet and SNMPv1/v2c carry credentials in clear text and should be disabled outright rather than merely restricted; where SNMP is genuinely needed, use SNMPv3 with authentication and encryption.

This requirement extends to any web-based management portals that your firewall vendor may provide. Some modern firewall solutions offer cloud-based management dashboards that allow administrators to configure devices remotely via a vendor-hosted portal. While these are generally acceptable (as they use outbound connections from the firewall rather than exposing an inbound management interface), you should verify with your assessor that the specific implementation meets CE+ requirements. The key principle is that no direct inbound connection from the public internet should be able to reach a management interface on any of your network equipment.

4. Changed Default Passwords

The default administrator password on your firewall must be changed to a strong, unique password. This applies to all network equipment — routers, switches, wireless access points, and any other devices with management interfaces. Default passwords are publicly documented and are among the first things an attacker will try.

For the CE+ assessment, the password requirement goes beyond simply changing the default. The replacement must meet the Cyber Essentials password rules: at least 12 characters where multi-factor authentication is not used (shorter minimums are permitted only where MFA or a common-password deny list is in place). The NCSC's preferred way to reach that length is three random words; enforced character-type complexity is not required and is not recommended. If your firewall supports multi-factor authentication for administrative access, enabling it is strongly recommended, though not strictly required for CE+.

5. Host-Based Firewalls Enabled and Configured

Every device in scope must have its host-based (software) firewall enabled. For most organisations, this means:

Windows: Windows Defender Firewall must be enabled for all network profiles (Domain, Private, and Public). The firewall should be configured to block inbound connections by default.

macOS: The built-in macOS firewall should be enabled via System Settings > Network > Firewall.

Linux: iptables, nftables, or firewalld should be configured and active.

Pro Tip

Use Group Policy Objects (GPO) in Active Directory to enforce Windows Firewall settings across all domain-joined devices. This ensures consistent configuration and prevents individual users from disabling their firewalls. Create a GPO that enables Windows Firewall for all three profiles (Domain, Private, Public), sets inbound connections to “Block” by default, and prevents local administrators from overriding these settings. This single policy change addresses one of the most common CE+ failure points.
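
Whether the settings come from a GPO or from an MDM, the evidence the assessor samples is the device's actual state, so it is worth checking that state yourself across the whole estate before the assessment. The following script is an added example, not code from the original article or from Cloudswitched. It reads the text of `netsh advfirewall show allprofiles`, which you would collect from each sampled device via your RMM or a scheduled task, and reports any profile that is off or not set to block inbound by default; only the "State" and "Firewall Policy" lines are interpreted. The sample output is constructed to show a Public profile that a user has switched off.

```python
# Added example (not from the original article): check that Windows Defender Firewall
# is ON and blocks inbound on all three profiles, from the output of
# `netsh advfirewall show allprofiles` collected from each sampled device.
# The sample output below is constructed; only "State" and "Firewall Policy" are read.
import re

PROFILES = ("Domain", "Private", "Public")
ACCEPTABLE_INBOUND = {"BlockInbound", "BlockInboundAlways"}

# Constructed sample: Public profile switched off and set to allow inbound.
SAMPLE_OUTPUT = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Disable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
LocalFirewallRules                    Enable
LocalConSecRules                      Enable
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Ok.
"""

# The same output as it should look on a compliant device (derived from the sample above).
COMPLIANT_OUTPUT = SAMPLE_OUTPUT.replace("OFF", "ON").replace("AllowInbound,", "BlockInbound,")

_HEADER = re.compile(r"^(Domain|Private|Public) Profile Settings:")
_SETTING = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")   # "Key name      Value", two or more spaces apart


def parse_profiles(text: str) -> dict[str, dict[str, str]]:
    """Map each profile name to its settings, e.g. {'Public': {'State': 'OFF', ...}}."""
    profiles: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = header.group(1)
            profiles[current] = {}
            continue
        if current is None or not line.strip() or line.startswith("-"):
            continue
        setting = _SETTING.match(line)
        if setting:
            profiles[current][setting.group(1).strip()] = setting.group(2).strip()
    return profiles


def assess(text: str) -> list[str]:
    """Return one finding per profile that is off, missing, or not blocking inbound by default."""
    findings = []
    profiles = parse_profiles(text)
    for name in PROFILES:
        settings = profiles.get(name)
        if settings is None:
            findings.append(f"{name}: profile not present in output")
            continue
        state = settings.get("State", "").upper()
        if state != "ON":
            findings.append(f"{name}: firewall state is {state or 'unknown'}")
        inbound = settings.get("Firewall Policy", "").split(",")[0]
        if inbound not in ACCEPTABLE_INBOUND:
            findings.append(f"{name}: inbound policy is {inbound or 'unknown'}, expected BlockInbound")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_OUTPUT) or ["all three profiles compliant"]:
        print(finding)
```

An empty list from `assess` corresponds to what the assessor checks on each sampled machine under "Enabled" and "Configured to block inbound". It does not judge the exception list; review the allowed-programme rules separately, since a long list of ad hoc exceptions can undermine a firewall that is nominally on.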

Two layers: both boundary and host-based firewalls are required; defence in depth is mandatory under the standard.

Firewall Compliance Readiness Scorecard

Based on our experience preparing UK organisations for Cyber Essentials Plus assessments, here is how the typical organisation scores across key firewall compliance areas before remediation. Use this as a benchmark to identify where your own environment may need attention:

  • Default deny configuration: 85/100
  • Rule documentation quality: 62/100
  • Admin interface security: 78/100
  • Password management: 72/100
  • Host-based firewall coverage: 55/100
  • Firmware currency: 68/100
  • Remote worker protection: 48/100

The lowest-scoring areas — remote worker protection and host-based firewall coverage — are consistently the most challenging for UK organisations, particularly those that transitioned to hybrid working arrangements rapidly during the pandemic. Many businesses invested heavily in boundary firewall infrastructure but neglected the endpoint-level controls that are equally important under the CE+ standard.

How Firewalls Are Tested in CE+

During the Cyber Essentials Plus assessment, the assessor will test your firewall configuration in two main ways:

External Vulnerability Scan

The assessor runs a comprehensive vulnerability scan against all your internet-facing IP addresses. This scan will:

Identify open ports: Every open port is noted. The assessor will ask you to justify each one. Ports that are open without a legitimate business need will be flagged.

Detect services running on open ports: The scan identifies which software is listening on each port and its version. Outdated or vulnerable services will be flagged.

Check for known vulnerabilities: The scan tests for known vulnerabilities (CVEs) in the services running on your external-facing systems. Under the CE+ test specification, a vulnerability rated high or critical (CVSS v3 base score of 7.0 or above) for which a fix has been available for more than 14 days is a fail, so firewall and VPN firmware must be patched promptly.

Test for misconfigurations: This includes weak SSL/TLS configurations, exposed admin interfaces, and services that should not be publicly accessible.
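
The fastest way to avoid surprises in that scan is to run the same scan yourself and reconcile every open port against the documented register, flagging both undocumented ports and any management service reachable from the internet (the requirement in section 3 above). The following script is an added example, not code from the original article or from Cloudswitched. It parses nmap's grepable output format (`-oG`); the scan below is constructed using documentation addresses from 203.0.113.0/24, and the exposure register and the management-port list are assumptions you would replace with your own.

```python
# Added example (not from the original article): reconcile an external port scan
# with the documented exposure register, as the CE+ assessor will. Parses nmap
# grepable output (-oG). The scan, the register and the management-port list
# below are constructed/assumed and should be replaced with your own.

# Services treated as management interfaces if reachable from the internet.
MANAGEMENT_SERVICES = {"ssh", "telnet", "snmp", "ms-wbt-server", "vnc", "wsman", "wsmans",
                       "microsoft-ds", "netbios-ssn"}
# Ports commonly used for admin access; 4443/8443/10443 are typical firewall web consoles (heuristic).
MANAGEMENT_PORTS = {22, 23, 161, 445, 3389, 5900, 5985, 5986, 4443, 8443, 10443}

# Constructed register: (public IP, protocol, port) -> business justification
DOCUMENTED_EXPOSURES = {
    ("203.0.113.10", "tcp", 443): "Public website requires HTTPS access",
    ("203.0.113.20", "tcp", 25): "Inbound SMTP to mail relay",
}

# Constructed output of `nmap -sS -p- -oG external.gnmap 203.0.113.0/28` (two hosts up).
# Each port entry is port/state/proto/owner/service/rpcinfo/version/ and entries are
# comma separated; fields on the Host line are tab separated.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Mar  3 09:00:00 2025 as: nmap -sS -p- -oG external.gnmap 203.0.113.0/28\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 8443/open/tcp//https-alt///\tIgnored State: filtered (65533)\n"
    "Host: 203.0.113.20 ()\tStatus: Up\n"
    "Host: 203.0.113.20 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65532)\n"
    "# Nmap done at Mon Mar  3 09:06:52 2025 -- 16 IP addresses (2 hosts up) scanned in 412.05 seconds\n"
)


def parse_gnmap(text: str) -> list[tuple[str, str, int, str]]:
    """Return (host, proto, port, service) for every port nmap reports as open."""
    open_ports = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs up to the next tab-separated field ("Ignored State: ...").
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":   # skip closed, filtered, open|filtered
                continue
            open_ports.append((host, fields[2], int(fields[0]), fields[4]))
    return open_ports


def audit_scan(text: str, documented: dict) -> list[str]:
    """One finding per undocumented open port and per internet-reachable management service."""
    findings = []
    for host, proto, port, service in parse_gnmap(text):
        label = f"{host} {proto}/{port} ({service or 'unknown'})"
        if (host, proto, port) not in documented:
            findings.append(f"{label}: open with no documented business justification")
        if port in MANAGEMENT_PORTS or service in MANAGEMENT_SERVICES:
            findings.append(f"{label}: management interface reachable from the internet")
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_GNMAP, DOCUMENTED_EXPOSURES) or ["no findings"]:
        print(finding)
```

A clean run produces no findings: every open port is in the register and none of it is a management interface. Note the `-p-` full-range scan; the assessor will not stop at the top 1,000 ports, so neither should your rehearsal.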

Internal Device Checks

On a sample of internal devices, the assessor will verify that the host-based firewall is:

Enabled: The firewall must be active on all network profiles.

Configured to block inbound: Unsolicited inbound connections should be blocked by default.

Not overridden by exceptions: There should be no excessive exceptions that undermine the firewall's effectiveness.

Common Firewall Failures in CE+ Assessments

Based on our experience, these are the most frequent firewall-related findings that cause organisations to fail or require remediation:

Most Common Firewall Assessment Failures

  • Unnecessary open ports: 35%
  • Host-based firewall disabled: 28%
  • Exposed admin interfaces: 18%
  • Default passwords unchanged: 12%
  • Legacy "allow all" rules: 7%

Firewall Adoption Across UK Businesses

The level of firewall adoption and sophistication varies dramatically across UK businesses of different sizes. While enterprise organisations almost universally have comprehensive firewall infrastructure, smaller businesses often have significant gaps that leave them vulnerable to attack and unable to pass a CE+ assessment without remediation:

  • Enterprise (250+ employees): 98%
  • Mid-market (50–249 employees): 87%
  • Small business (10–49 employees): 71%
  • Micro business (1–9 employees): 43%
  • Sole traders: 22%

These figures refer to comprehensive, properly managed firewall infrastructure — not simply having a consumer-grade router with basic NAT. Many micro businesses and sole traders rely on their ISP-provided router as their only form of network protection, which, while providing basic NAT-based firewall functionality, typically lacks the configurability and logging capabilities needed for a CE+ assessment. If your organisation falls into this category, investing in a dedicated small-business firewall appliance (available from £150–£400) is a necessary step before pursuing certification.

Firewalls for Remote Workers

With the rise of remote and hybrid working, the firewall requirements for Cyber Essentials have taken on new importance. When employees work from home or other locations outside your office, their devices leave the protection of your boundary firewall.

This is where host-based firewalls become critical. Every device used by a remote worker must have its software firewall enabled and properly configured, regardless of where it connects to the internet. The host-based firewall provides the same protection on a home Wi-Fi network or coffee shop hotspot as the boundary firewall provides in the office.

Additionally, if your organisation uses a VPN for remote workers, the VPN connection itself needs to be secured, and firewall rules should be applied to VPN traffic just as they are to direct internet traffic.

UK organisations with remote workers should also consider the security implications of split tunnelling in their VPN configuration. Split tunnelling allows remote devices to access the internet directly for non-corporate traffic while routing only corporate traffic through the VPN. While this reduces bandwidth demands on your VPN infrastructure, it means that the remote device is directly exposed to internet threats without the protection of your boundary firewall for a portion of its traffic. If split tunnelling is enabled, the host-based firewall becomes the sole line of defence for direct internet traffic, making its proper configuration even more critical.

Pro Tip

Consider deploying a cloud-managed endpoint protection solution that includes firewall management alongside antivirus. Products such as Microsoft Defender for Business, Sophos Intercept X, and CrowdStrike Falcon allow you to centrally manage host-based firewall policies across all devices, regardless of their location. This provides visibility and control over remote worker firewall settings without requiring each device to be on the corporate network — a significant advantage for CE+ compliance in hybrid working environments.

Important: The rise of remote working means host-based firewalls are more important than ever. A device on a home network is only protected by its own software firewall. Ensure Windows Firewall (or equivalent) is enabled on all profiles and cannot be disabled by the user.

Cloud Firewalls and Security Groups

If your organisation uses cloud infrastructure (AWS, Azure, Google Cloud), the firewall requirements also apply to your cloud environments. In cloud terminology, firewalls are typically implemented as:

Security Groups (AWS): Stateful virtual firewalls attached to network interfaces, so they govern EC2 instances and any other resource with a network interface, such as load balancers and RDS databases. A newly created security group has no inbound rules; the rules to hunt for are inbound entries whose source is 0.0.0.0/0 or ::/0, which expose that port to the whole internet. The same default-deny principle applies: only open the ports you need, to the sources that need them.

Network Security Groups (Azure): Similar to AWS security groups, these filter traffic to and from Azure resources within a virtual network.

VPC Firewall Rules (Google Cloud): Rules that control traffic to and from VM instances in your Virtual Private Cloud.

The assessor will treat cloud security groups and firewall rules the same way they treat physical firewall configurations. Open ports, permissive rules, and exposed management interfaces in the cloud are just as much of a finding as they would be on-premises.

For UK organisations using Microsoft 365 or Google Workspace without any IaaS infrastructure, the cloud firewall requirements may not apply directly. However, if you use any cloud-hosted servers, virtual machines, or containerised workloads, you must treat those environments with the same rigour as your on-premises network. This includes documenting all security group rules, ensuring default-deny inbound policies, and restricting management access to authorised IP addresses or VPN connections.
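
Because the assessor treats security groups like any other firewall, the same reconciliation is worth automating there too. The following script is an added example, not code from the original article or from Cloudswitched. It takes the JSON that `aws ec2 describe-security-groups` returns and reports every inbound rule reachable from 0.0.0.0/0 or ::/0: all-protocol/all-port rules and rules covering an administrative port are marked critical, and any other world-reachable rule is marked for review so that it can be matched to a documented justification. The three groups below are constructed, and the administrative-port list is an assumption.

```python
# Added example (not from the original article): audit the JSON from
# `aws ec2 describe-security-groups` for inbound rules open to the whole internet.
# The security groups below are constructed; the ADMIN_PORTS set is an assumption.
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 27017}  # remote admin + database listeners

# Constructed describe-security-groups output: a web group with SSH left open,
# a legacy allow-all group, and an internal-only group that should produce no finding.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-public", "VpcId": "vpc-0123456789abcdef0",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Public website HTTPS"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         ]},
        {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-allow-all", "VpcId": "vpc-0123456789abcdef0",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         ]},
        {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "app-internal", "VpcId": "vpc-0123456789abcdef0",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         ]},
    ]
})


def _describe_ports(perm: dict) -> str:
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":                      # AWS encodes "all traffic" as protocol -1 with no ports
        return "all protocols/all ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto in ("icmp", "icmpv6"):        # for ICMP, FromPort/ToPort carry type/code
        return f"{proto} type {lo}"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def _severity(perm: dict) -> str:
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "critical"
    if proto in ("icmp", "icmpv6"):
        return "review"
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    if lo == 0 and hi == 65535:
        return "critical"                  # every port of the protocol open to the world
    if any(lo <= p <= hi for p in ADMIN_PORTS):
        return "critical"                  # management interface exposed to the internet
    return "review"                        # acceptable only with a documented justification


def audit_security_groups(describe_output: dict) -> list[dict]:
    """One finding per inbound permission whose source includes 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        # IpPermissions is inbound; IpPermissionsEgress (outbound) is deliberately not audited here.
        for perm in sg.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            exposed = sorted(c for c in cidrs if c in WORLD_CIDRS)
            if not exposed:
                continue
            findings.append({"group": sg["GroupId"], "name": sg.get("GroupName", ""),
                             "ports": _describe_ports(perm), "sources": exposed,
                             "severity": _severity(perm)})
    return findings


def audit_json(text: str) -> list[dict]:
    return audit_security_groups(json.loads(text))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['severity']:8} {f['group']} ({f['name']}): {f['ports']} from {', '.join(f['sources'])}")
```

Pipe the live output in with `aws ec2 describe-security-groups --output json` and treat every "critical" row as a blocker and every "review" row as a rule that must appear in your register with a justification. Rules whose source is another security group (`UserIdGroupPairs`) are not world-reachable and are deliberately ignored.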

Firewall Best Practices for CE+

Beyond the minimum requirements, these best practices will help ensure your firewalls pass the CE+ assessment and provide genuine security:

Regular rule reviews: Review your firewall rules at least quarterly. Remove any rules that are no longer needed. Over time, firewalls accumulate “rule bloat” — old rules that were created for specific projects or temporary needs and never removed.

Logging and monitoring: Enable logging on your boundary firewall and review logs regularly for suspicious activity. While not strictly required for CE+, this demonstrates good practice and supports incident detection.

Segmentation: Where practical, segment your network so that a breach in one area does not give an attacker access to your entire network. Use firewall rules to control traffic between segments.

Firmware updates: Keep your firewall appliance's firmware up to date. Vulnerabilities in firewall software are regularly discovered and patched, and running outdated firmware undermines the protection the firewall provides.

Centralised management: Use Group Policy (Windows) or MDM solutions to centrally manage host-based firewall settings. This ensures consistent configuration across all devices and prevents users from disabling their firewalls.

Egress filtering: While Cyber Essentials focuses primarily on inbound traffic, implementing outbound (egress) filtering on your boundary firewall is a valuable additional measure. Egress filtering restricts which outbound connections are permitted, helping to prevent malware from communicating with command-and-control servers and limiting data exfiltration in the event of a breach. This is increasingly considered best practice by UK security professionals and may become a formal requirement in future iterations of the Cyber Essentials standard.

How Cloudswitched Helps

Firewall configuration is one of the areas where our clients benefit most from our managed CE+ service. We conduct a thorough audit of both your boundary and host-based firewalls, identify any gaps or misconfigurations, and implement the necessary changes to bring your environment into compliance.

Our pre-assessment external vulnerability scan replicates what the CE+ assessor will do, allowing us to identify and resolve any issues before the official assessment takes place. This dramatically increases your chances of passing first time.

We also provide ongoing firewall management for clients who prefer a fully managed approach, including quarterly rule reviews, firmware updates, log monitoring, and configuration changes as your business needs evolve. For organisations with remote workers, we deploy and manage endpoint firewall policies through cloud-based management tools, ensuring every device in your estate is consistently protected and audit-ready.

Your firewalls are the first line of defence for your organisation. Getting them right is not just a Cyber Essentials requirement — it is a fundamental element of sound cyber security practice. With proper configuration, regular review, and expert support, your firewall setup can pass the CE+ assessment with confidence and provide genuine, lasting protection for your business.

Ensure Your Firewalls Pass Cyber Essentials Plus

Cloudswitched provides end-to-end Cyber Essentials certification support, including comprehensive firewall auditing, remediation, and ongoing management. Let our experts ensure your firewall configuration meets every requirement first time.

Tags: Cyber Security
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
