This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StevePearson
Advisor
‎2026-04-02 12:39 PM

Harmony Endpoint Firewall default settings

I've been troubleshooting an issue where the endpoint firewall is blocking traffic and this got me digging into the settings for the firewall and I discovered that the default settings are basically wide open, anything in, anything out!

This surprised me as even the Microsoft windows firewall blocks incoming traffic by default.

The policy itself at first glance looks ok:

Default Policy.png

The problem relates to the zones, the internet zone is everything that's not in the trusted zone, but the trusted zone, by default, looks like this:

Trusted Zone.png

I've not seen this documented anywhere and there is no mention of it in the course book for the CCES either!

I'm wondering how many people have deployed this on the assumption that it's default settings are safe!

 

(1)
2 Replies
lluner
Advisor
‎2026-04-03 01:24 PM

@StevePearson 

I believe the initial idea is to free everything up, even with the "cleanup" rule in the inbound lane. This is to avoid problems with firewall implementation and prevent the issue of blocking what was working, especially the inbound rule. In most organizations, inbound and outbound rules are perimeter firewall implementations. In some cases, there are rules for employees outside the company. Following this same idea, I'm implementing microsegmentation rules in the subnets within the organization to achieve this security.

ccsjnw
Contributor
2 weeks ago
In response to lluner

There's nobody manging security for their organisation, that has the expectation that whole public internet should be in a default "Trusted Zone". If this does indeed work out-of-the-box as described above, then this is a bad default that needs correcting.

There are a lot of Checkpoint "defaults" that are not fit for purpose in 2026 (Remote Access default ciphers come immediately to mind). I get that you don't won't to break stuff, but it doesn't need to be like this for fresh installs - preserving existing setting during an upgrade is an different matter entirely.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events