UK Sales: 0330 1340 230

HomeLatest NewsMSS Managed Firewall Mandatory Configurations

MSS Managed Firewall Mandatory Configurations

18/07/2025

by Paul Heritage

Device > Settings > Administration > Login / Multiple Administrators > Login security

Device > Settings > AdministrationLogin / Multiple Administrators > Login security

Option	Best Practice Value	Default Value
Password must be changed every (days)	90	Disabled
Change password after (hours)	1	1
Bar repeated passwords for this many changes	4	Disabled
New password must contain 8 characters different from the old password	Enable	Disabled
Enforce a minimum password length of	12	8
Enforce password complexity	Alphanumeric and symbolic characters	None
Complexity Requirement - Upper Case Characters	2	0
Complexity Requirement - Lower Case Characters	2	0
Complexity Requirement - Number Characters	2	0
Complexity Requirement - Symbolic Characters	2	0
Log out the Admin after inactivity of (mins)	20	5
Admin/user lockout	Enable	Disabled
Local admin/user account lockout	Enable	Disabled

Device > Settings > Firmware and Settings

Option	Best Practice Value	Default Value
Cloud Backup	Enabled	Disabled

Device > Users > Settings > Authentication

Option	Best Practice Value	Default Value
Display user login info since last login	Enabled	Disabled

Device > AppFlow > Flow Reporting > Settings

Option	Best Practice Value	Default Value
Enable AppFlow To Local Collector	Enabled	Disabled

Device > Log > Settings

Option	Best Practice Value	Default Value
Logging Level	Inform	Warning
Alert Level	Error	Alert

Device > Log > Name Resolution

Option	Best Practice Value	Default Value
Name Resolution Method	DNS	None

Network > SSLVPN > Server Settings

Option	Best Practice Value	Default Value
Inactivity Timeout (minutes)	60	10
Mouse Inactivity Check	Enabled	Disabled

Network > Firewall > Advanced > Settings

Option	Best Practice Value	Default Value
Enable Stealth Mode	Enabled	Disabled
Randomize IP ID	Enabled	Disabled
Decrement IP TTL for forwarded traffic	Enabled	Disabled
Never generate ICMP Time-Exceeded packets	Enabled	Disabled

Network > Firewall > Advanced > Connections

Option	Best Practice Value	Default Value
Enable Control Plane Flood Protection	Enabled	Disabled

Network > Firewall > Flood Protection > TCP > Layer 3 SYN Flood Protection - SYN Proxy

Option	Best Practice Value	Default Value
SYN Flood Protection Mode	Proxy WAN client connections when attack is suspected	Watch and report possible SYN floods

Network > Firewall > Flood Protection > UDP

Option	Best Practice Value	Default Value
Default UDP Connection Timeout	60	30
Enable UDP Flood Protection	Enabled	Disabled
UDP Flood Attack Threshold	5000	1000

Network > Firewall > Flood Protection > ICMP

Option	Best Practice Value	Default Value
Enable ICMP Flood Protection	Enabled	Disabled

Network > VoIP > Settings

Option	Best Practice Value	Default Value
Enable consistent NAT	Enabled	Disabled

Policy > Security Services > Gateway Anti-Virus

Option	Best Practice Value	Default Value
Enable Gateway Anti-Virus	Enabled	Disabled
PROTOCOLS - FTP Inbound & Outbound Inspection	Enabled	Disabled
PROTOCOLS - HTTP Inbound & Outbound Inspection	Enabled	Disabled
PROTOCOLS - IMAP Inbound Inspection	Enabled	Disabled
PROTOCOLS - POP3 Inbound Inspection	Enabled	Disabled
PROTOCOLS - SMTP Inbound & Outbound Inspection	Enabled	Disabled
PROTOCOLS - TCP STREAM Inbound & Outbound Inspection	Enabled	Disabled

Policy > Security Services > Anti-Spyware

Option	Best Practice Value	Default Value
Enable Anti-Spyware	Enabled	Disabled
SIGNATURE GROUPS - High Priority Spyware PREVENT & DETECT ALL	Enabled	Disabled
SIGNATURE GROUPS - Medium Priority Spyware PREVENT & DETECT ALL	Enabled	Disabled
SIGNATURE GROUPS - Low Priority Spyware PREVENT & DETECT ALL	Enabled	Disabled
PROTOCOLS - Enable Inbound Instpection for: HTTP FTP IMAP SMTP POP3	Enabled	Disabled
Enable Inspection of Outbound Spyware Communication	Enabled	Disabled

Policy > Security Services > Intrusion Prevention

Option	Best Practice Value	Default Value
Enable IPS	Enabled	Disabled
Signature Groups - High Priority Attackes PREVENT & DETECT ALL	Enabled	Disabled
Signature Groups - Medium Priority Attackes PREVENT & DETECT ALL	Enabled	Disabled

Policy > Capture ATP > Settings > Basic

Option

Best Practice Value

Default Value

Enable Capture ATP

Enabled

Disabled

File types for Capture ATP analysis:

Executables (PE, Mach-O, and DMG)
PDF
Office 97-2003(.doc , .xls ,etc.)
Office (.docx , .xlsx ,etc.)
Archives (.jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip)

Enabled

Disabled

Policy > Security Services > Geo-IP Filter

Option	Best Practice Value	Default Value
Block connections to/from countries selected in the Countries tabs	Enabled	Disabled
Enable Logging	Enabled	Disabled
Block all Unknown countries	Enabled	Disabled
Countries: Afghanistan Algeria Azerbaijan Bangladesh Belarus Bosnia and Herzegovina Brazil Burundi Central African Republic China Comoros Congo, The Democratic Republic Cuba Eritrea Guatemala Guinea Guinea-Bissau Haiti India Iran, Islamic Republic of Iraq Korea, Democratic People's Repu Lebanon Mali Moldova, Republic of Montenegro Myanmar Nicaragua Niger Pakistan Russian Federation Saudi Arabia Somalia Sudan Syrian Arab Republic Tajikistan Tunisia Turkey Turkmenistan Ukraine Venezuela Vietnam Yemen Zimbabwe	Blocked	Allowed

Policy > Security Services > Botnet Fiter

Option	Best Practice Value	Default Value
Block connections to/from Botnet Command and Control Servers	Enabled	Disabled
Enable Logging	Enabled	Disabled

Policy > Security Services > App Control

Option	Best Practice Value	Default Value
Enable App Control	Enabled	Disabled
Enable Logging for All Apps	Enabled	Disabled

Policy > Security Services > App Control > Signatures

Option

Best Practice Value

Default Value

Categories:

APP-UPDATE
BROWSING-PRIVACY
FILETYPE-DETECTION
IM
INFRASTRUCTURE
MISC-APPS
MOBILE-APPS
MULTIMEDIA
PROTOCOLS
VoIP-APPS
WEB-BROWSER
WEB-CONFERENCING

No Logging

Categories:

GAMING
MINERS
P2P

Log & Block

No Logging or Blocking

Objects > Match Objects > URI Lists

Option

Best Practice Value

Default Value

CFS Global Allow List

sonicwall.com

Created

N/A

CFS Global Block List

malware[.]com
123movies[.]to
phishlabs[.]com
isthatphish[.]com
onion[.]ws
emotet[.]in

Created

N/A

Objects > Profile Objects > Content Filter > CFS Default Profile > Settings > URI List

Option	Best Practice Value	Default Value
CFS Global Allow List	Specified under Allowed URI List	N/A
CFS Global Block List	Specified under Forbidden URI List	N/A

Objects > Profile Objects > Content Filter > CFS Default Profile > Settings > Category

Option

Best Practice Value

Default Value

Categories:

Alcohol/Tobacco
Gambling
Weapons
Drugs/Illegal Drugs

Allowed

Blocked

Categories:

Pay to Surf Sites

Blocked

Allowed

Objects > Profile Objects > Content Filter > CFS Default Profile > Settings > Reputation

Option	Best Practice Value	Default Value
Enable Reputation	Enabled	Disabled
Reputation Action	CFS Default Reputation Object	N/A

Objects > Profile Objects > Content Filter > CFS Default Profile > Advanced

Option	Best Practice Value	Default Value
Enable HTTPS Content Filtering	Enabled	Disabled
Enable Google Force Safe Search	Enabled	Disabled
Enable Bing Force Safe Search	Enabled	Disabled

Policy > Rules and Policies > Content Filter Rules > CFS Default Policy

Option	Best Practice Value	Default Value
Source Zone	ALL	LAN

Comments

No posts found

New post