The firewall component in SCSP prevention policies is listed either globally or for particular services or interactive programs.
In the Strict policy, the inbound rule is to deny all at the global level.
You can also set this on any other policy at Global Policy Options > Network Controls > Inbound > Globally set the default inbound rules to deny
In other policies, the firewall is open until you restrict it. You can block all, then allow the ports that you want in.
Here are some example locations of where to find this:
Global Policy Options > Network Controls > Inbound > Components
Global Policy Options > Network Controls > Inbound> Inbound network rules
Service Options > Network Controls > Inbound> Inbound network rules
Interactive Program Options > Network Controls > Inbound> Inbound network rules
So, you can set the deny rule globally, then granularly add rules below to allow traffic.