MSS Managed Firewall Mandatory Configurations

18/07/2025
by Paul Heritage

Device > Settings > Administration > Login / Multiple Administrators > Login security

| Option | Best Practice Value | Default Value |
|---|---|---|
| Password must be changed every (days) | 90 | Disabled |
| Change password after (hours) | 1 | 1 |
| Bar repeated passwords for this many changes | 4 | Disabled |
| New password must contain 8 characters different from the old password | Enable | Disabled |
| Enforce a minimum password length of | 12 | 8 |
| Enforce password complexity | Alphanumeric and symbolic characters | None |
| Complexity Requirement - Upper Case Characters | 2 | 0 |
| Complexity Requirement - Lower Case Characters | 2 | 0 |
| Complexity Requirement - Number Characters | 2 | 0 |
| Complexity Requirement - Symbolic Characters | 2 | 0 |
| Log out the Admin after inactivity of (mins) | 20 | 5 |
| Admin/user lockout | Enable | Disabled |
| Local admin/user account lockout | Enable | Disabled |

Device > Settings > Firmware and Settings

| Option | Best Practice Value | Default Value |
|---|---|---|
| Cloud Backup | Enabled | Disabled |

Device > Users > Settings > Authentication

| Option | Best Practice Value | Default Value |
|---|---|---|
| Display user login info since last login | Enabled | Disabled |

Device > AppFlow > Flow Reporting > Settings

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable AppFlow To Local Collector | Enabled | Disabled |

Device > Log > Settings

| Option | Best Practice Value | Default Value |
|---|---|---|
| Logging Level | Inform | Warning |
| Alert Level | Error | Alert |

Device > Log > Name Resolution

| Option | Best Practice Value | Default Value |
|---|---|---|
| Name Resolution Method | DNS | None |

Network > SSLVPN > Server Settings

| Option | Best Practice Value | Default Value |
|---|---|---|
| Inactivity Timeout (minutes) | 60 | 10 |
| Mouse Inactivity Check | Enabled | Disabled |

Network > Firewall > Advanced > Settings

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable Stealth Mode | Enabled | Disabled |
| Randomize IP ID | Enabled | Disabled |
| Decrement IP TTL for forwarded traffic | Enabled | Disabled |
| Never generate ICMP Time-Exceeded packets | Enabled | Disabled |

Network > Firewall > Advanced > Connections

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable Control Plane Flood Protection | Enabled | Disabled |

Network > Firewall > Flood Protection > TCP > Layer 3 SYN Flood Protection - SYN Proxy

| Option | Best Practice Value | Default Value |
|---|---|---|
| SYN Flood Protection Mode | Proxy WAN client connections when attack is suspected | Watch and report possible SYN floods |

Network > Firewall > Flood Protection > UDP

| Option | Best Practice Value | Default Value |
|---|---|---|
| Default UDP Connection Timeout | 60 | 30 |
| Enable UDP Flood Protection | Enabled | Disabled |
| UDP Flood Attack Threshold | 5000 | 1000 |

Network > Firewall > Flood Protection > ICMP

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable ICMP Flood Protection | Enabled | Disabled |

Network > VoIP > Settings

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable consistent NAT | Enabled | Disabled |

Policy > Security Services > Gateway Anti-Virus

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable Gateway Anti-Virus | Enabled | Disabled |
| PROTOCOLS - FTP Inbound & Outbound Inspection | Enabled | Disabled |
| PROTOCOLS - HTTP Inbound & Outbound Inspection | Enabled | Disabled |
| PROTOCOLS - IMAP Inbound Inspection | Enabled | Disabled |
| PROTOCOLS - POP3 Inbound Inspection | Enabled | Disabled |
| PROTOCOLS - SMTP Inbound & Outbound Inspection | Enabled | Disabled |
| PROTOCOLS - TCP STREAM Inbound & Outbound Inspection | Enabled | Disabled |

Policy > Security Services > Anti-Spyware

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable Anti-Spyware | Enabled | Disabled |
| SIGNATURE GROUPS - High Priority Spyware PREVENT & DETECT ALL | Enabled | Disabled |
| SIGNATURE GROUPS - Medium Priority Spyware PREVENT & DETECT ALL | Enabled | Disabled |
| SIGNATURE GROUPS - Low Priority Spyware PREVENT & DETECT ALL | Enabled | Disabled |
| PROTOCOLS - Enable Inbound Inspection for: HTTP, FTP, IMAP, SMTP, POP3 | Enabled | Disabled |
| Enable Inspection of Outbound Spyware Communication | Enabled | Disabled |

Policy > Security Services > Intrusion Prevention

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable IPS | Enabled | Disabled |
| Signature Groups - High Priority Attacks PREVENT & DETECT ALL | Enabled | Disabled |
| Signature Groups - Medium Priority Attacks PREVENT & DETECT ALL | Enabled | Disabled |

Policy > Capture ATP > Settings > Basic

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable Capture ATP | Enabled | Disabled |
| File types for Capture ATP analysis: Executables (PE, Mach-O, and DMG); PDF; Office 97-2003 (.doc, .xls, etc.); Office (.docx, .xlsx, etc.); Archives (.jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip) | Enabled | Disabled |

Policy > Security Services > Geo-IP Filter

| Option | Best Practice Value | Default Value |
|---|---|---|
| Block connections to/from countries selected in the Countries tabs | Enabled | Disabled |
| Enable Logging | Enabled | Disabled |
| Block all Unknown countries | Enabled | Disabled |
| Countries: Afghanistan; Algeria; Azerbaijan; Bangladesh; Belarus; Bosnia and Herzegovina; Brazil; Burundi; Central African Republic; China; Comoros; Congo, The Democratic Republic; Cuba; Eritrea; Guatemala; Guinea; Guinea-Bissau; Haiti; India; Iran, Islamic Republic of; Iraq; Korea, Democratic People's Repu; Lebanon; Mali; Moldova, Republic of; Montenegro; Myanmar; Nicaragua; Niger; Pakistan; Russian Federation; Saudi Arabia; Somalia; Sudan; Syrian Arab Republic; Tajikistan; Tunisia; Turkey; Turkmenistan; Ukraine; Venezuela; Vietnam; Yemen; Zimbabwe | Blocked | Allowed |

Policy > Security Services > Botnet Filter

| Option | Best Practice Value | Default Value |
|---|---|---|
| Block connections to/from Botnet Command and Control Servers | Enabled | Disabled |
| Enable Logging | Enabled | Disabled |

Policy > Security Services > App Control

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable App Control | Enabled | Disabled |
| Enable Logging for All Apps | Enabled | Disabled |

Policy > Security Services > App Control > Signatures

| Option | Best Practice Value | Default Value |
|---|---|---|
| Categories: APP-UPDATE, BROWSING-PRIVACY, FILETYPE-DETECTION, IM, INFRASTRUCTURE, MISC-APPS, MOBILE-APPS, MULTIMEDIA, PROTOCOLS, VoIP-APPS, WEB-BROWSER, WEB-CONFERENCING | No Logging | |
| Categories: GAMING, MINERS, P2P | Log & Block | No Logging or Blocking |

Objects > Match Objects > URI Lists

| Option | Best Practice Value | Default Value |
|---|---|---|
| CFS Global Allow List: sonicwall.com | Created | N/A |
| CFS Global Block List: malware[.]com, 123movies[.]to, phishlabs[.]com, isthatphish[.]com, onion[.]ws, emotet[.]in | Created | N/A |

Objects > Profile Objects > Content Filter > CFS Default Profile > Settings > URI List

| Option | Best Practice Value | Default Value |
|---|---|---|
| CFS Global Allow List | Specified under Allowed URI List | N/A |
| CFS Global Block List | Specified under Forbidden URI List | N/A |

Objects > Profile Objects > Content Filter > CFS Default Profile > Settings > Category

| Option | Best Practice Value | Default Value |
|---|---|---|
| Categories: Alcohol/Tobacco, Gambling, Weapons, Drugs/Illegal Drugs | Allowed | Blocked |
| Categories: Pay to Surf Sites | Blocked | Allowed |

Objects > Profile Objects > Content Filter > CFS Default Profile > Settings > Reputation

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable Reputation | Enabled | Disabled |
| Reputation Action | CFS Default Reputation Object | N/A |

Objects > Profile Objects > Content Filter > CFS Default Profile > Advanced

| Option | Best Practice Value | Default Value |
|---|---|---|
| Enable HTTPS Content Filtering | Enabled | Disabled |
| Enable Google Force Safe Search | Enabled | Disabled |
| Enable Bing Force Safe Search | Enabled | Disabled |

Policy > Rules and Policies > Content Filter Rules > CFS Default Policy

| Option | Best Practice Value | Default Value |
|---|---|---|
| Source Zone | ALL | LAN |

