I wonder if it is possible to start CIS in full blocking mode (firewall) and being asked for each connection attempt (outbound) like ZA style. If it’s possible, how to do it (after network was already found by CIS)?
then choose the custom policy mode in the firewall security level
And change the configuration to Proactive under Miscellaneous → Manage my configurations.