1. Purpose of This Guide
IoT devices (CCTV cameras, smart TVs, printers, door sensors, audio systems, etc.) connect directly to the internet — and many of them have weak default security. A firewall on the device (or on its network) helps prevent unwanted inbound connections and blocks risky outbound traffic.
This artefact demonstrates that your organisation has enabled and configured firewall protection for IoT devices where possible.
This artefact demonstrates:
- Firewalls enabled on IoT devices (if supported)
- Firewall rules or protections visible
- Optional: evidence that network-level firewalling is applied if the device itself does not support built-in firewall features
Your screenshot proves your IoT devices are not sitting on the internet like open doors inviting trouble.
2. What You Will Submit
You may submit any one or more of the following:
A. Built-in IoT Device Firewall Evidence
A screenshot showing firewall or security features enabled on the IoT device, such as:
- “Firewall: ON”
- “Security Mode: Enabled”
- “Block WAN access”
- “Port blocking enabled”
- “Remote access disabled”
Many modern devices display these settings in their admin panel.
B. DNS Firewall
StrongKeep customers can point the IoT device's DNS to StrongKeep's DNS Firewall once they add it as a protected device. You can read more about how to do that here.
C. Router or Gateway Firewall Enforcing Controls on IoT Devices
If the IoT device does not have its own firewall (common), you may provide:
- Screenshot showing IoT devices are isolated from the internet or restricted (using your Wi-Fi router's settings)
These screenshots are fully acceptable as evidence.
3. How to Collect / Obtain / Generate This Evidence
Pick the method that matches your actual environment.
A. Common IoT Devices With Built-In Security Screens
CCTV Cameras (Hikvision, Dahua, TP-Link, Reolink)
Look for:
- Security → Firewall
- Network → Advanced → Firewall
- Remote Access: Disabled
- DMZ/UPnP: Off (bonus evidence)
Screenshot the page showing the firewall toggle and rules (if visible).
Smart Printers (HP, Canon, Epson)
Look for:
- Network → Firewall Settings
- Web Access Control
- IP Filtering
- Block incoming connections
Take a screenshot showing the firewall enabled.
NAS Devices (Synology, QNAP)
Go to:
- Control Panel → Security → Firewall
Take a screenshot showing “Firewall: Enabled”.
B. Router-Level Firewall for IoT Network (Common SMB Setup)
If IoT devices are on a separate network and the router firewall protects them, provide screenshots such as:
Home/SMB Routers (Asus, Linksys, TP-Link, D-Link)
- Firewall → ON
- Block WAN Access → Enabled
- Guest/IoT Network Isolation → Enabled
- Port Forwarding → Disabled for IoT devices
Useful screenshot pages:
- “Firewall Settings”
- “IoT Network Settings”
- “Access Control / MAC Filtering”
UniFi
Go to:
Settings → Firewall & Security or Networks → IoT Network
Screenshot:
- Firewall rules applied
- LAN → WAN restrictions
- Device isolation enabled
Fortinet
Go to:
Policy & Objects → Firewall Policy
Screenshot the policy limiting:
- IoT Zone → Corporate Zone
- IoT Zone → Internet (restricted)
Cisco Meraki
Go to:
Security & SD-WAN → Firewall
Screenshot:
- L3 Rules
- L7 Rules
- IoT VLAN protections
C. If IoT Devices Cannot Support Firewalls
Some devices (simple sensors, smart lights, older printers) offer no firewall settings.
In that case, provide network-level firewall evidence protecting them:
- IoT VLAN with deny rules
- Router firewall preventing inbound connections
- Policy that IoT cannot reach corporate devices
This is fully compliant with CSA guidance.
4. Evidence Format
Accepted File Types:
- PNG
- JPG
- PDF
Suggested Naming Convention:
YourCompanyName_IoT_Firewall_YYYY-MM-DD
Example:
AcmeClinic_IoT_Firewall_2025-03-20.png
5. What “Good” Looks Like
A strong submission includes:
- Screenshots clearly showing “Firewall: ON”, OR evidence that the IoT network is protected by router/gateway firewalls.
- Readable network or device names, so auditors understand which devices are being protected.
- Recent configurations. (Don’t show a screenshot from a dusty old interface that nobody uses.)
- Demonstrated restrictions, e.g., blocking inbound access, limiting outbound traffic, disabling remote access.
Why it matters: auditors must see that IoT devices aren’t freely exposed to the internet.
6. Tips
- Redact IP addresses if needed. The auditor only needs evidence of firewalling, not your full network map.
- If you have no business-critical IoT devices, this artefact may be marked Not Applicable.
- If IoT devices belong to the landlord (e.g., CCTV), note that they are not part of your operational environment.