Cyber Essentials Firewall Requirements Explained

Firewalls are one of the five technical controls at the heart of the Cyber Essentials scheme, and they are also one of the most commonly misunderstood. Many organisations assume that firewall compliance means deploying enterprise-grade hardware or investing in expensive next-generation security appliances. In reality, Cyber Essentials has a much more practical standard — but one with specific requirements that catch businesses out repeatedly during assessments. This guide explains exactly what the scheme demands, what it does not, and how to make sure your configuration will pass.

Boundary Firewall Requirements

Your boundary firewall — also referred to as an internet gateway — sits between your internal network and the internet. Cyber Essentials requires that this device blocks all inbound connections by default, permitting only those that you have explicitly chosen to allow. This is a default-deny posture: if a rule does not exist to allow a connection, it must be dropped.

Beyond the default-deny rule, CE imposes four core requirements on boundary firewalls:

  • Change default administrator credentials. Any router or firewall shipped with a default username and password (admin/admin, for example) must have those credentials changed before the device is deployed. This applies to every device in scope.
  • Use a device that receives security updates. Your firewall must be a product that is still supported by its vendor and is actively receiving firmware or software patches. End-of-life devices that no longer receive updates cannot meet this requirement.
  • Document permitted inbound services. You must be able to demonstrate, for every inbound rule that exists, what service it permits, which systems it points to, and why it is necessary. Undocumented or forgotten port-forwarding rules are a common cause of CE failure.
  • Use a device capable of stateful packet inspection. Stateful inspection means the firewall tracks each connection and only admits inbound packets that belong to a session an internal host has initiated. This is less demanding than it sounds — almost all modern routers sold to businesses and consumers support stateful inspection as standard.

Host-Based Firewall Requirements

Cyber Essentials also requires a host-based firewall on every device within scope — most commonly Windows Firewall (or its equivalent on macOS and Linux). This is especially important for laptops that leave the office and connect to untrusted networks such as hotel Wi-Fi or public hotspots. The scheme requires that the host-based firewall is enabled and configured to block inbound connections that have not been explicitly permitted. Windows Firewall in its default configuration meets this requirement without modification, but you must be able to demonstrate that it has not been disabled across your estate, whether manually or via a policy that has been overridden.

Home Workers and the Boundary Firewall Problem

This is where many SMBs encounter unexpected complications. If you have staff working from home, Cyber Essentials treats their home router as the boundary firewall for those devices. That means the home router must meet all the same requirements as your office firewall: it must be running supported, up-to-date firmware; the default admin credentials must have been changed; and UPnP (Universal Plug and Play) must be disabled.

UPnP is enabled by default on most consumer routers and allows devices on the local network to automatically open inbound ports without user intervention. This directly violates the default-deny principle. It must be disabled on every router in scope, including home routers used by remote workers.

Practically speaking, this means you need a process for auditing your home workers’ routers. Some organisations issue a configuration checklist and require employees to confirm compliance. Others issue a travel router or VPN appliance to each home worker so the CE boundary sits within a managed device rather than the employee’s personal router.

What Cyber Essentials Does NOT Require

It is worth being explicit about what is out of scope, because organisations frequently over-engineer their response to firewall requirements. Cyber Essentials does not require:

  • Next-generation firewall (NGFW) features such as application-layer inspection or sandboxing
  • Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS)
  • Deep packet inspection
  • Web content filtering or SSL inspection
  • Centralised firewall management platforms

Basic stateful packet inspection — the capability present in virtually every modern router — is sufficient for Cyber Essentials. The scheme is designed to be achievable for organisations of all sizes, including those with limited IT budgets.

Common Mistakes That Cause CE Failure

  • UPnP enabled on routers — including home routers. This is the single most common firewall failure in CE assessments.
  • Unreviewed port-forwarding rules — rules added for a specific purpose years ago and never removed. Every inbound rule must have a documented justification.
  • Default admin credentials still in use — particularly on routers installed by ISPs or third-party engineers where the credentials were never changed.
  • Router firmware not updated — especially on devices that have been in service for several years without anyone checking for available updates.
  • ISP-provided routers that are end-of-life — some older ISP routers are no longer supported by their manufacturers and cannot receive security patches. If your ISP is still supplying an unsupported device, it cannot be your boundary firewall for CE purposes.

Cloud Infrastructure and Security Groups

If any of your in-scope systems are hosted in the cloud — AWS, Azure, Google Cloud, or similar — the firewall requirement still applies. Cloud security groups and network access control lists (NACLs) count as firewalls under Cyber Essentials and must be configured to the same standard: default-deny, with every permitted inbound rule documented and justified. Overly permissive security groups (for example, inbound 0.0.0.0/0 on port 22 or 3389) are a common finding and will result in failure.
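As an added example (not code from the page or from any cloud provider), the check below walks AWS-style security-group ingress rules and flags any rule open to 0.0.0.0/0 or ::/0, rating the two admin ports the page names and all-traffic rules as high severity; the group data is constructed for illustration.

```python
"""Flag security-group ingress rules open to the whole internet (0.0.0.0/0, ::/0).
Added example, not from the page or any vendor tool. Input is the IpPermissions
structure returned by AWS describe-security-groups; the sample data is constructed.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # the two ports the page calls out
ANY_V4, ANY_V6 = ip_network("0.0.0.0/0"), ip_network("::/0")

SAMPLE_GROUPS = [  # constructed sample, not real account data
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def _is_world_open(cidr: str) -> bool:
    """True when the CIDR admits every IPv4 or IPv6 address."""
    return ip_network(cidr, strict=False) in (ANY_V4, ANY_V6)

def _port_range(perm: dict) -> tuple:
    """IpProtocol -1 means all traffic; otherwise use the rule's own range."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]

def find_world_open_ingress(security_groups: list) -> list:
    """One finding per (group, rule, CIDR) reachable from anywhere.
    'high' = all traffic or an admin port exposed; 'review' = still needs
    a written justification even if the service is meant to be public."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            lo, hi = _port_range(perm)
            for cidr in filter(_is_world_open, cidrs):
                exposed = [ADMIN_PORTS[p] for p in ADMIN_PORTS if lo <= p <= hi]
                severity = "high" if (exposed or (lo, hi) == (0, 65535)) else "review"
                findings.append({"group": group["GroupId"], "cidr": cidr,
                                 "ports": f"{lo}-{hi}" if lo != hi else str(lo),
                                 "admin_services": exposed, "severity": severity})
    return findings
```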

UK Router Choices: What Works and What Doesn’t

For UK SMBs looking for a CE-compliant boundary firewall, DrayTek routers are a well-regarded choice. DrayTek provides long-term firmware support, allows granular control over UPnP and inbound rules, and has a clear end-of-life policy — making it straightforward to demonstrate compliance during an assessment.

Common ISP-provided routers such as the BT Smart Hub and Sky Router are generally acceptable if they are running current firmware and have been configured correctly — default passwords changed, UPnP disabled. However, older ISP routers (particularly those more than four or five years old that have not received a firmware update in some time) may no longer be supported and should be replaced.

Auditing Your Firewall Configuration

Before your CE assessment, work through the following checks for every firewall in scope:

  1. Log in to the admin interface and confirm that default credentials have been changed.
  2. Check the current firmware version against the vendor’s latest release and update if necessary.
  3. Review every inbound port-forwarding or firewall allow rule. For each one, document the service, the destination IP or device, and the business reason.
  4. Confirm that UPnP is disabled in the router settings.
  5. Check the vendor’s support page to confirm the device is still receiving security updates.

Documenting Firewall Rules for the SAQ

The CE self-assessment questionnaire (SAQ) will ask you to confirm that your firewall rules are documented. A simple spreadsheet listing each rule — inbound port, protocol, destination, and justification — is sufficient. The key is to be able to show that every open inbound port is there for a deliberate reason, not because it was added and forgotten.
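Step 3 of the audit checklist above and the SAQ spreadsheet come down to the same reconciliation: every rule configured on the device must appear in the inventory with a justification, and the inventory must not carry rows for rules that no longer exist. The script below, an added example rather than anything from the page or a vendor tool, performs that reconciliation on a constructed inventory and a constructed rule export.

```python
"""Reconcile a firewall-rule inventory spreadsheet with the rules actually
configured, so every open inbound port has a deliberate, written reason.
Added example, not from the page or any vendor tool. Both inputs are constructed:
the CSV is the SAQ inventory, the list stands in for a port-forward export.
"""
import csv
from io import StringIO

INVENTORY_CSV = """port,protocol,destination,justification
443,tcp,192.168.10.5,Public web server (marketing site)
22,tcp,192.168.10.7,
25,tcp,192.168.10.9,Legacy mail relay (decommissioned 2023)
"""

# Constructed stand-in for the boundary device's current inbound allow rules.
LIVE_RULES = [
    {"port": "443", "protocol": "tcp", "destination": "192.168.10.5"},
    {"port": "22", "protocol": "tcp", "destination": "192.168.10.7"},
    {"port": "3389", "protocol": "tcp", "destination": "192.168.10.20"},
]

def _key(rule: dict) -> tuple:
    """A rule is identified by (port, protocol, destination)."""
    return (rule["port"].strip(), rule["protocol"].strip().lower(),
            rule["destination"].strip())

def reconcile(inventory_csv: str, live_rules: list) -> dict:
    """Return the three lists an assessor will ask about.

    undocumented: open on the device but absent from the spreadsheet
    stale: in the spreadsheet but no longer configured (delete the row)
    unjustified: documented, but the justification cell is empty
    """
    inventory = list(csv.DictReader(StringIO(inventory_csv)))
    documented = {_key(r): r for r in inventory}
    live = {_key(r) for r in live_rules}
    return {
        "undocumented": sorted(k for k in live if k not in documented),
        "stale": sorted(k for k in documented if k not in live),
        "unjustified": sorted(k for k, r in documented.items()
                              if not (r.get("justification") or "").strip()),
    }
```

A clean result is three empty lists; anything in "undocumented" is exactly the forgotten port-forward the page warns about.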

Dealing with an Unmanaged ISP Router

If your ISP has provided a router that you cannot configure (no admin access, firmware managed by the ISP, or simply end-of-life), you have three practical options. First, request a replacement from your ISP — most business-grade ISPs will supply a supported device. Second, place a separate firewall appliance (such as a DrayTek or pfSense box) behind the ISP router, configure the ISP router to pass all traffic to your appliance in DMZ mode, and treat your appliance as the in-scope boundary firewall. Third, if the ISP router is genuinely out of scope — for example because it connects a segment of your network that has no in-scope devices — document that network isolation clearly and ensure no in-scope devices are connected to it.