topic Re: Harmony Endpoint Firewall default settings in Endpoint

Harmony Endpoint Firewall default settings

StevePearson — Thu, 02 Apr 2026 19:39:34 GMT

I've been troubleshooting an issue where the endpoint firewall is blocking traffic and this got me digging into the settings for the firewall and I discovered that the default settings are basically wide open, anything in, anything out!

This surprised me as even the Microsoft windows firewall blocks incoming traffic by default.

The policy itself at first glance looks ok:

The problem relates to the zones, the internet zone is everything that's not in the trusted zone, but the trusted zone, by default, looks like this:

I've not seen this documented anywhere and there is no mention of it in the course book for the CCES either!

I'm wondering how many people have deployed this on the assumption that it's default settings are safe!

Re: Harmony Endpoint Firewall default settings

lluner — Fri, 03 Apr 2026 20:28:03 GMT

@StevePearson

I believe the initial idea is to free everything up, even with the "cleanup" rule in the inbound lane. This is to avoid problems with firewall implementation and prevent the issue of blocking what was working, especially the inbound rule. In most organizations, inbound and outbound rules are perimeter firewall implementations. In some cases, there are rules for employees outside the company. Following this same idea, I'm implementing microsegmentation rules in the subnets within the organization to achieve this security.

Re: Harmony Endpoint Firewall default settings

ccsjnw — Wed, 29 Apr 2026 10:39:50 GMT

There's nobody manging security for their organisation, that has the expectation that whole public internet should be in a default "Trusted Zone". If this does indeed work out-of-the-box as described above, then this is a bad default that needs correcting.

There are a lot of Checkpoint "defaults" that are not fit for purpose in 2026 (Remote Access default ciphers come immediately to mind). I get that you don't won't to break stuff, but it doesn't need to be like this for fresh installs - preserving existing setting during an upgrade is an different matter entirely.