WatchGuard Support Center

Knowledge Base - Article

Use the Console Port to Regain Administrative Access

How can I regain administrative access to a Firebox if I accidentally delete or disable the policies that allow access?
(This article describes a specific scenario – for more complete information about how to use the Fireware command line interface (CLI), see the Fireware Command Line Interface Reference, available on the WatchGuard Firebox, XTM, & Dimension Documentation page.)

In a Fireware configuration file, two default policies control administrative access.
  • The WatchGuard policy (policy type WG-Firebox-Mgmt) — controls administrative access from WatchGuard System Manager and the CLI.
  • The WatchGuard Web UI policy (policy type WG-Fireware-XTM-WebUI) — controls administrative access to the Fireware Web UI from a web browser.
If you delete or disable both of these policies, you can no longer connect to the device with any of these management tools; the Firebox then accepts administrative connections only through its console port (serial interface).

To resolve this problem, you can connect to the Firebox through the console port and use the CLI to create a new policy to allow administrative connections from the other management tools. To complete this process, you need a compatible serial cable to connect your computer to the Firebox console port.
  • All Firebox models, and XTM 25, 26, 33, 330, 5 Series, 800 Series, 1500 Series, 2500 Series, 1050, and 2050 models have an RJ45 console port — use an RJ45 to serial cable.
  • XTM 21, 22, and 23 models have a USB console port — use a USB-serial connector.
  • XTM 8 Series models have a DB9 serial console port — use a standard serial cable.
This procedure shows how to create a WG-Firebox-Mgmt policy called "New-WatchGuard-Rule" that enables management connections to the Firebox from WatchGuard System Manager through any trusted interface.

1. Connect the serial port of your computer to the console port on the Firebox.

2. Set your terminal application, such as PuTTY, to use these settings:
Speed: 115200 baud
Data bits: 8
Stop bits: 1
Parity: None
Flow Control: None

3. Open the connection (on a Windows computer the serial port is usually COM1). There is no immediate response; press Enter once to see the login prompt for your Firebox.
XTM_5_Series login:

4. Log in as the user admin, with the read-write (configuration) passphrase for your device.

5. Use the config command, and then the policy command to enter policy configuration mode.

The first set of console commands looks like this. Each command you type follows the prompt; the lines that begin with -- are the banner the Firebox prints after a successful login.

XTM_5_Series login: admin
Password:
--WatchGuard Firebox Operating System Software.
--Fireware XTM Version 11.5.3
--Copyright (c) 1996-2011 by WatchGuard Technologies, Inc.
WG>config
WG(config)#policy
WG(config/policy)#

6. Use the show policy-type command to confirm that the WG-Firebox-Mgmt policy template exists. The command lists every policy template on the device (97 on this one); only the relevant lines of the output are shown here.

WG(config/policy)#show policy-type
-- Total 97 Service Object(s)
Name                          Member(s)
Any                           01-single:any
Archie                        01-single:udp
WAIS                          01-single:tcp
WG-Firebox-Mgmt               03-single:tcp/single:tcp/single:tcp
WG-Fireware-XTM-WebUI         01-single:tcp


7. Use the rule command to open policy creation mode. End a command with ? to see the next required argument or available command options.

WG(config/policy)#rule ?
  <ident>  The rule name <[-](alpha|0-9)(alpha|0-9|-|_|.)*>

WG(config/policy)#rule New-WatchGuard-Rule?
  <cr>  Carriage return

WG(config/policy)#rule New-WatchGuard-Rule

8. Use the policy-type command to define the policy to allow management connections from any trusted interface.

WG(config/policy/rule-New-WatchGuard-Rule)#policy-type WG-Firebox-Mgmt from alias Any-Trusted to alias Firebox

9. Use the apply command to commit the new policy to the XTM device.

WG(config/policy/rule-New-WatchGuard-Rule)#apply

10. Repeat the exit command until your user session is ended and you see the login prompt again. Each exit leaves one configuration mode, so from rule mode you type it four times.

WG(config/policy/rule-New-WatchGuard-Rule)#exit
WG(config/policy)#exit
WG(config)#exit
WG>exit

XTM_5_Series login:
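The same session, scripted, as an added example that is not part of the original article and not WatchGuard software. It drives any transport that offers write() and read_until(): SerialConsole opens a real console port with pyserial (assumed installed; the port name, such as COM1 or /dev/ttyUSB0, is the operator's choice) using the step 2 settings, and FakeFirebox is a constructed stand-in whose modes and prompts follow the transcript above, so the logic can be exercised offline. The rule-name check implements the syntax the CLI prints for rule ? in step 7, and the script stops if show policy-type does not list the requested template (step 6). The fake's show policy-type output is a single constructed line, not the real device's table.

```python
# Added example, not WatchGuard's code: scripts the article's console recovery session.
# SerialConsole needs pyserial (assumed installed); FakeFirebox is a constructed stand-in.
import re

# Rule-name syntax printed by "rule ?": <[-](alpha|0-9)(alpha|0-9|-|_|.)*>
RULE_NAME_RE = re.compile(r"^-?[A-Za-z0-9][A-Za-z0-9._-]*$")
# Step 2 terminal settings as pyserial keywords: 115200 baud, 8N1, no flow control
SERIAL = dict(baudrate=115200, bytesize=8, parity="N", stopbits=1,
              xonxoff=False, rtscts=False, dsrdtr=False)
LOGIN = "login:"

def recovery_commands(rule, policy_type="WG-Firebox-Mgmt", src="Any-Trusted", dst="Firebox"):
    """(command, prompt suffix expected afterwards) pairs, in the article's order (steps 5-9)."""
    if not RULE_NAME_RE.match(rule):
        raise ValueError("rule name rejected by CLI syntax: %r" % rule)
    rp = "(config/policy/rule-%s)#" % rule
    return [("config", "(config)#"), ("policy", "(config/policy)#"),
            ("show policy-type", "(config/policy)#"), ("rule " + rule, rp),
            ("policy-type %s from alias %s to alias %s" % (policy_type, src, dst), rp),
            ("apply", rp)]

def run_recovery(console, passphrase, rule, **kw):
    """Steps 3-10: log in as admin, create and apply the policy, exit. Returns the commands sent."""
    template, sent = kw.get("policy_type", "WG-Firebox-Mgmt"), []
    console.write("\r\n")                            # step 3: nothing appears until Enter
    console.read_until(LOGIN)
    console.write("admin\r\n"); sent.append("admin")
    console.read_until("Password:")
    console.write(passphrase + "\r\n")               # passphrase deliberately not recorded
    console.read_until("WG>")                        # wrong passphrase -> TimeoutError
    for cmd, prompt in recovery_commands(rule, **kw):
        console.write(cmd + "\r\n"); sent.append(cmd)
        out = console.read_until(prompt)
        if cmd == "show policy-type" and template not in out:    # step 6 sanity check
            raise RuntimeError("%s not listed by show policy-type" % template)
    for _ in range(8):                               # step 10: exit until logged out
        console.write("exit\r\n"); sent.append("exit")
        if console.read_until("#", ">", LOGIN).endswith(LOGIN):
            return sent
    raise RuntimeError("session did not return to the login prompt")

class Console:
    """Buffered read_until() shared by the real and the fake transport."""
    buf = ""
    def read_until(self, *markers):
        while True:
            hits = [(self.buf.find(m), m) for m in markers if m in self.buf]
            if hits:
                pos, m = min(hits)
                out, self.buf = self.buf[:pos + len(m)], self.buf[pos + len(m):]
                return out
            self.buf += self._fill()                 # raises TimeoutError if nothing arrives

class SerialConsole(Console):
    """Real console port via pyserial (assumed installed); port e.g. "COM1" or "/dev/ttyUSB0"."""
    def __init__(self, port, timeout=5.0):
        import serial
        self.ser = serial.Serial(port, timeout=timeout, **SERIAL)
    def write(self, text):
        self.ser.write(text.encode("ascii"))
    def _fill(self):
        chunk = self.ser.read(max(1, self.ser.in_waiting))
        if not chunk:
            raise TimeoutError("no prompt from console")
        return chunk.decode("ascii", "replace")

class FakeFirebox(Console):
    """Constructed stand-in for the XTM console; modes and prompts follow the article."""
    PROMPTS = {"login": "XTM_5_Series login: ", "password": "Password: ", "exec": "WG>",
               "config": "WG(config)#", "policy": "WG(config/policy)#"}
    MOVES = {("exec", "config"): "config", ("config", "policy"): "policy", ("rule", "apply"): "rule",
             ("exec", "exit"): "login", ("config", "exit"): "exec", ("policy", "exit"): "config",
             ("rule", "exit"): "policy"}
    def __init__(self, passphrase):
        self.passphrase, self.mode, self.rule, self.rules = passphrase, "login", None, {}
    def _prompt(self):
        return self.PROMPTS.get(self.mode) or "WG(config/policy/rule-%s)#" % self.rule
    def _handle(self, line):
        m, extra = self.mode, ""
        moves = {**self.MOVES, ("login", "admin"): "password", ("password", self.passphrase): "exec"}
        if (m, line) in moves:
            self.mode = moves[m, line]
        elif m in ("login", "password"):             # bad user or passphrase: back to login
            self.mode = "login"
        elif m == "policy" and line == "show policy-type":
            extra = "WG-Firebox-Mgmt               03-single:tcp/single:tcp/single:tcp\r\n"
        elif m == "policy" and line.startswith("rule "):
            self.mode, self.rule = "rule", line[5:]
        elif m == "rule" and line.startswith("policy-type "):
            self.rules[self.rule] = line[12:]        # the fake records the policy at once
        else:
            extra = "% Unknown command\r\n"
        return extra + self._prompt()
    def write(self, text):
        for line in text.replace("\r", "").split("\n")[:-1]:
            self.buf += self._handle(line)
    def _fill(self):
        raise TimeoutError("no prompt from console")  # the fake answers synchronously
```

To try it offline, create FakeFirebox("passphrase") and call run_recovery(box, "passphrase", "New-WatchGuard-Rule"); against a device, pass SerialConsole("COM1") in its place. The read-write passphrase crosses the serial line in clear text exactly as it does when typed by hand, so the script never puts it in the list of commands it returns; keep it out of any logging you add around this.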

Now you should be able to connect to the Firebox with WatchGuard System Manager from any trusted interface. You can then use Policy Manager to re-enable the WatchGuard Web UI policy, or add a new WG-Fireware-XTM-WebUI policy, to allow management access to the Fireware Web UI from a web browser. Because New-WatchGuard-Rule accepts management connections from any trusted host, restore your original WatchGuard policy, or narrow the new rule's From list, once access is recovered. Keep in mind that the console port always accepts administrative logins, so anyone with physical access to it and the read-write passphrase can make the same changes.