Questionnaire Part 4 Secure Business Operations (Boundary Firewalls and Internet Gateways)
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025.
Secure Business Operations
Boundary Firewalls and Internet Gateways
This section is used to define what firewalls and gateways your company uses and if they are configured correctly and are supported.
You must answer all of the questions in this section. Any unanswered questions will delay the assessment.
Please read all the help text, as it is important that you answer all the questions correctly.
A4.1 Boundary Firewall
Do you have firewalls at the boundaries between your organisation’s internal networks, laptops, desktops, servers and the internet?
You must have firewalls in place between your office network and the internet.
CE Requirement: You must protect every device in scope with a correctly configured firewall (or network device with firewall functionality).
Further guidance:
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A4.1.1 Off Network Firewalls
Do you have software firewalls enabled on all of your computers, laptops and servers?
Your software firewall needs to be configured and enabled at all times, even when sitting behind a physical/virtual boundary firewall in an office location.
Guidance on how to check your software firewall can be found here:
CE Requirement: You must protect every device in scope with a correctly configured firewall (or network device with firewall functionality).
CE Requirement: Make sure you use a software firewall on devices which are used on untrusted networks, such as public wifi hotspots.
If your organisation doesn't control the network to which a device connects, you must configure a software firewall on the device.
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A4.1.2 Software Firewalls Not Default
If you answered no to question A4.1.1, is this because software firewalls are not installed by default for the operating system you are using? Please list the operating systems.
Only very few operating systems do not have software firewalls available. Examples might include embedded Linux systems or bespoke servers. For the avoidance of doubt, all versions of Windows, macOS and all common Linux distributions such as Ubuntu do have software firewalls available.
A4.2 Firewall Password Change Process
When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices?
The default password must be changed on all routers and firewalls, including those that come with a unique password pre-configured (i.e. BT Business Hub, Draytek Vigor 2865ac).
When relying on software firewalls included as part of the operating system of your end user devices, the password to access the device will need to be changed.
CE Requirement: Change default administrative passwords to a strong and unique password – or disable remote administrative access entirely.
Further guidance:
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
You must change this password to meet the scheme's requirements.
A4.2.1 Firewall Password Change Process
Please describe the process for changing the firewall password.
Home routers not supplied by your organisation are not included in this requirement.
You need to understand how the password on your firewall(s) is changed.
Please provide a brief description of how this is achieved.
Please give a short description of how your firewall passwords are changed. If you rely on software firewalls, you will need to describe how you change the administrator password on your laptops/desktops. If you rely on a third party to manage your firewalls, you will need to describe how password changes are managed and confirmed.
An example of an acceptable answer is:
"Our firewalls are fully managed by our IT company. If the password needs to be changed, we raise a change request with the IT company and they confirm with us when this has been done."
A4.3 Firewall Password Configuration
How is your firewall password configured?
Please select the options being used:
A. Multi-factor authentication, with a minimum password length 8 characters and no maximum length
B. Automatic blocking of common passwords, with a minimum password length 8 characters and no maximum length
C. A password minimum length of 12 characters and no maximum length
D. Passwordless system is being used as an alternative to user name and password, please describe
E. None of the above, please describe
Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the section about password-based authentication in the ‘Cyber Essentials Requirements for IT Infrastructure’ document.
CE Requirement: Prevent access to the administrative interface (used to manage firewall configuration) from the internet, unless there is a clear and documented business need, and the interface is protected by one of the following controls:
• multi-factor authentication
• an IP allow list that limits access to a small range of trusted addresses combined with a properly managed password authentication approach
Further guidance:
Tick all that apply. You must use at least one of options A, B, C, or D to be compliant with the Cyber Essentials scheme.
A4.4 Firewall Password Issue
Do you change the firewall password when you know or suspect it has been compromised?
Passwords may be compromised if there has been a virus on your system or if the manufacturer notifies you of a security weakness in their product. You should be aware of this and know how to change the password if this occurs.
When relying on software firewalls included as part of the operating system of your end user devices, the password to access the device will need to be changed.
CE Requirement: You should make sure there is an established process in place to change passwords promptly if you know or suspect a password or account has been compromised.
Further guidance:
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A4.5 Firewall Management Process
Do you have a process to manage your firewall?
At times your firewall may be configured to allow a system on the inside to become accessible from the internet (for example: a VPN server, a mail server, an FTP server or a service that is accessed by your customers). This is sometimes referred to as "opening a port". You need to show a business case for doing this because it can present security risks.
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A4.6 Firewall Review Process
Have you reviewed your firewall rules in the last 12 months? Please describe your review process.
If you no longer need a service to be enabled on your firewall, you must remove it to reduce the risk of compromise. You should have a process that you follow to do this (i.e. when are services reviewed, who decides to remove the services, who checks that it has been done?).
CE Requirement: Remove or disable inbound firewall rules quickly when they are no longer needed.
An example of an acceptable answer is:
"Our IT team, overseen by our Operations Director, carry out a review of all open ports whenever there is a change to our setup and systems and, as a failsafe, every three months. Any updates to firewall services go through a change process, including sign-off and a check by the Operations Director that the change has been successful before the ticket is closed."
A4.7 Firewall Inbound Connections
Is your firewall configured to allow unauthenticated inbound connections?
By default, most firewalls block all services inside the network from being accessed from the internet, but you need to check your firewall settings.
CE Requirement: Block unauthenticated inbound connections by default.
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A4.8 Allowed Connections
Please describe how you approve and document your allowed inbound connections.
The business case should be documented and recorded. A business case must be signed off at board level and associated risks reviewed regularly.
At times your firewall may be configured to allow a system on the inside to become accessible from the internet (for example: a VPN server, a mail server, an FTP server, or a service that is accessed by your customers). This is sometimes referred to as "opening a port". You need to show a business case for doing this because it can present security risks.
CE Requirement: Ensure inbound firewall rules are approved and documented by an authorised person, and include the business need in the documentation.
For this question, please describe your approval process, including that there is a person with sufficient authority who approves and documents firewall rules, and that the business need is included in your documentation.
A4.9 Firewall Remote Configuration
Are your boundary firewalls configured to allow access to their configuration settings over the internet?
Sometimes organisations configure their firewall to allow other people (such as an IT support company) to change the settings via the internet. If you have not set up your firewalls to be accessible to people outside your organisations or your device configuration settings are only accessible via a VPN connection, then answer "no" to this question.
CE Requirement: Prevent access to the administrative interface (used to manage firewall configuration) from the internet, unless there is a clear and documented business need, and the interface is protected by one of the following controls:
- multi-factor authentication
- an IP allow list that limits access to a small range of trusted addresses combined with a properly managed password authentication approach
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Answering 'Yes' will trigger additional questions.
Answering 'Yes' will trigger additional questions.
A4.10 Documented Admin Access
If you answered yes in question A4.9, is there a documented business requirement for this access?
When you have made a decision to provide external access to your routers and firewalls, this decision must be documented (for example, written down).
CE Requirement: Ensure inbound firewall rules are approved and documented by an authorised person, and include the business need in the documentation.
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A4.11 Admin Access Method
If you answered yes in question A4.9, is the access to the settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings? Please explain which option is used.
If you allow direct access to configuration settings via your router or firewall's external interface, this must be protected by one of the two options.
Please explain which option is used.
CE Requirement: Prevent access to the administrative interface (used to manage firewall configuration) from the internet, unless there is a clear and documented business need, and the interface is protected by one of the following controls:
- multi-factor authentication
- an IP allow list that limits access to a small range of trusted addresses combined with a properly managed password authentication approach
Access to the settings must be protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings.
An example of an acceptable answer is:
"Our firewall is accessible over the internet but is configured to be accessible only from our own IP address with managed authentication."
Related Articles
Questionnaire Part 5 Secure Business Operations (Secure Configuration)
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025. Secure Business Operations (Secure ...Questionnaire Part 6 Secure Business Operations (Security Update Management)
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025. Security Update Management A6.1 ...Questionnaire Part 7 Access Control
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025. Access Control (User Access Control) ...Questionnaire Part 2 Scope of Assessment
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025. Scope of Assessment This section is ...Questionnaire Part 3 Insurance
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025. Insurance When a UK-domiciled ...