Device Software Firewalls
Plain English Translation
To protect endpoints against unauthorized access, organizations are required to enable built-in software firewalls, such as Windows Defender Firewall or macOS Application Firewall, on all network devices. This host-based firewall acts as a critical line of defense for remote and on-premise hardware. If an organization chooses not to use device software firewalls, they must formally document the alternative technical controls in place that provide equivalent security.
Technical Implementation
Required Actions (startup)
- Enable native software firewalls (Windows Defender, macOS Application Firewall) manually or via basic device management.
- Document any systems where firewalls are intentionally disabled, together with the alternative measures that protect them.
Required Actions (scaleup)
- Deploy Mobile Device Management (MDM) profiles to enforce endpoint firewall policy centrally.
- Block non-administrative users from modifying firewall rules.
Required Actions (enterprise)
- Integrate host-based firewall management into a unified Endpoint Detection and Response (EDR) platform.
- Continuously monitor and alert on devices that report disabled firewalls or unauthorized inbound rules.
A device software firewall is a host-based security feature included natively on devices, such as Windows Defender Firewall or macOS Application Firewall. CyberSecure Canada Section 5.7.3.3 requires these to be active on all network devices, or for alternative measures to be formally documented.
Organizations can prove compliance by exporting configuration reports from their Mobile Device Management (MDM) solution or endpoint management tools. Providing screenshots of active firewall policies distributed to a sample of endpoints is also valid evidence.
Yes, enabling the native Windows Defender Firewall satisfies the device software firewall requirement for Windows endpoints. Organizations must ensure it is centrally enforced so standard users cannot easily disable it.
Organizations should configure their MDM platform to deploy a mandatory configuration profile that enables the host-based firewall. The MDM can prevent standard users from modifying these settings and provide compliance reporting for offline or remote endpoints.
Organizations should collect centralized policy configuration screenshots, MDM compliance reports showing the percentage of compliant devices, and documented exceptions. This proves that the endpoint firewall policy is active, enforced, and monitored. Tools like WatchDog Security's Compliance Center can help link these artifacts to the control and maintain an audit-ready evidence trail over time.
Exceptions should be documented in the organization's internal hardening standards or firewall configuration records. This documentation must include a business justification, the specific ports or protocols allowed, and the duration of the exception.
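The enterprise actions above (monitor and alert on devices that report a disabled firewall or an unauthorized inbound rule) and the exception-record requirements just described can be combined into one check: an inbound allow rule is authorized only if a documented, complete, unexpired exception covers it. The script below is an added example, not code from the page or from WatchDog Security; the endpoint records imitate an MDM or EDR export with an assumed field layout (`hostname`, `firewall_enabled`, `inbound_allow`), and the exception fields follow the control's own list (business justification, ports and protocols, duration) plus an owner.

```python
"""Host-based firewall compliance check over an endpoint inventory export.

Constructed example: the records below imitate an MDM/EDR export; the field
names are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import date

# Date the assessment is run as of (constructed; reuses the page's publication date).
AS_OF = date(2026, 2, 25)

# Constructed endpoint export. inbound_allow lists (port, protocol) pairs that
# the host firewall currently allows inbound.
ENDPOINT_REPORT = [
    {"hostname": "fin-laptop-01", "os": "windows", "firewall_enabled": True,
     "inbound_allow": [("3389", "tcp")]},
    {"hostname": "dev-mac-07", "os": "macos", "firewall_enabled": False,
     "inbound_allow": []},
    {"hostname": "web-srv-02", "os": "windows", "firewall_enabled": True,
     "inbound_allow": [("443", "tcp"), ("8080", "tcp")]},
    {"hostname": "hr-laptop-03", "os": "windows", "firewall_enabled": True,
     "inbound_allow": []},
]

# Constructed exception register. Each record carries the fields the control
# requires: business justification, the ports/protocols allowed, and duration
# (expressed here as an expiry date), plus an accountable owner.
EXCEPTIONS = [
    {"hostname": "web-srv-02", "port": "443", "protocol": "tcp",
     "justification": "Public HTTPS service", "owner": "platform-team",
     "expires": date(2026, 12, 31)},
    {"hostname": "fin-laptop-01", "port": "3389", "protocol": "tcp",
     "justification": "Remote support session", "owner": "it-helpdesk",
     "expires": date(2026, 1, 31)},  # already expired relative to AS_OF
]

REQUIRED_EXCEPTION_FIELDS = ("hostname", "justification", "port", "protocol",
                             "expires", "owner")


@dataclass
class Finding:
    hostname: str
    issue: str      # "firewall_disabled" or "unauthorized_inbound_rule"
    detail: str = ""


def validate_exception(exc: dict) -> list[str]:
    """Return the names of required fields that are missing from an exception record."""
    return [f"missing {key}" for key in REQUIRED_EXCEPTION_FIELDS if not exc.get(key)]


def active_exceptions(exceptions: list[dict], as_of: date) -> set[tuple[str, str, str]]:
    """Set of (hostname, port, protocol) covered by a complete, unexpired exception.

    Incomplete records are ignored on purpose: an exception without a
    justification or expiry is not a documented exception.
    """
    covered = set()
    for exc in exceptions:
        if validate_exception(exc) or exc["expires"] < as_of:
            continue
        covered.add((exc["hostname"], exc["port"], exc["protocol"]))
    return covered


def assess(report: list[dict], exceptions: list[dict], as_of: date) -> tuple[list[Finding], float]:
    """Flag disabled firewalls and inbound allow rules with no valid exception.

    Returns (findings, percentage of devices with no findings).
    """
    covered = active_exceptions(exceptions, as_of)
    findings: list[Finding] = []
    non_compliant: set[str] = set()
    for dev in report:
        host = dev["hostname"]
        if not dev["firewall_enabled"]:
            findings.append(Finding(host, "firewall_disabled"))
            non_compliant.add(host)
        for port, proto in dev["inbound_allow"]:
            if (host, port, proto) not in covered:
                findings.append(Finding(host, "unauthorized_inbound_rule", f"{port}/{proto}"))
                non_compliant.add(host)
    if not report:
        return findings, 100.0
    compliant_pct = 100.0 * (len(report) - len(non_compliant)) / len(report)
    return findings, compliant_pct


if __name__ == "__main__":
    results, pct = assess(ENDPOINT_REPORT, EXCEPTIONS, AS_OF)
    for f in results:
        print(f"{f.hostname}: {f.issue} {f.detail}".rstrip())
    print(f"compliant devices: {pct:.1f}%")
```

Run against the sample data, the check reports the macOS device with its firewall off, the remote-support rule on `fin-laptop-01` whose exception has lapsed, and the undocumented 8080/tcp rule on `web-srv-02`, giving one compliant device out of four. The percentage is the figure an MDM compliance report would carry as evidence, and each finding is the alert the enterprise action calls for; the expiry check is what turns the exception register's "duration" field into an enforced review rather than a note.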
Yes, if an organization uses an Endpoint Detection and Response (EDR) or third-party endpoint protection platform that manages or overrides the native firewall, this qualifies. The organization must document this alternative measure to satisfy CyberSecure Canada requirements.
Yes, the standard applies to devices within the network, including servers and VMs. If an organization relies solely on cloud security groups or perimeter network firewalls to protect servers, they must formally document this as an alternative measure in place instead of the software firewall.
Organizations should review firewall configurations and rule sets at least annually. Regular reviews ensure that legacy rules are removed and the endpoint firewall policy remains aligned with current business and security needs.
Organizations must either enforce host-based firewalls on BYOD devices via MDM or require contractors to attest to active firewalls before granting network access. Alternatively, segmenting these devices onto a separate guest network away from corporate assets can serve as a documented alternative measure.
A key challenge is proving, over time, that host-based firewalls are enabled across all endpoints and that exceptions are reviewed. Tools like WatchDog Security's Compliance Center can map this requirement to evidence requests, schedule recurring attestations, and centralize MDM or endpoint reports so audit evidence is consistent and easy to retrieve.
Firewall exceptions can become risky when business justifications, scope, and expiry dates are not tracked. Tools like WatchDog Security's Risk Register can record each exception as a risk with an owner, treatment plan, and review cadence, helping teams document approvals, monitor compensating controls, and demonstrate ongoing oversight during audits.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-25 | WatchDog Security GRC Team | Initial publication |