By default, the E100 stateful zone-based firewall allows outbound connections and blocks any unsolicited traffic to protect the local network from outside threats. It is good practice to modify the ALLOW policy to define more granular rules for traffic flows by source, destination, and protocol type. Additional security best practices include:
Leverage Identities to simplify firewall policy configuration
Define firewall zones that match your subnets and tunnels
Create Firewall Filter Policies that only allow ports based on application/use case
Apply Filter Policies to Zone Forwardings to restrict outbound traffic
These can be set in the Zone Firewall’s Filter Policy Rule Editor in the NCM configuration section (refer to Figure 4 above) and should follow the security best practices defined by the corporate security group. For more information, see Configuring a Zone Firewall.