How can I regain administrative access to a Firebox if I accidentally delete or disable the policies that allow access?
(This article describes a specific scenario – for more complete information about how to use the Fireware command line interface (CLI), see the Fireware Command Line Interface Reference, available on the WatchGuard Firebox, XTM, & Dimension Documentation page.)
In a Fireware configuration file, two default policies control administrative access.
If you delete or disable these policies, you can no longer connect to the device with these management tools, and the Firebox only allows administrative connections through the Firebox console port (serial interface).
To resolve this problem, you can connect to the Firebox through the console port and use the CLI to create a new policy to allow administrative connections from the other management tools. To complete this process, you need a compatible serial cable to connect your computer to the Firebox console port.
1. Connect the serial port of your computer to the console port on the Firebox.
2. Set your terminal application, such as PuTTY, to use these settings:
Speed: 115200 baud
Data bits: 8
Stop bits: 1
Flow Control: None
3. Attempt to connect (usually this will be on COM1). There is no immediate response. Press Enter once to see the login prompt for your Firebox.
4. Log in as the user admin. Use the read-write (configuration) passphrase for your device.
5. Use the config command, and then the policy command to enter policy configuration mode.
The first set of console commands looks like this. The commands you type are shown in red.
XTM_5_Series login: admin
7. Use the rule command to open policy creation mode. End a command with ? to see the next required argument or available command options.
WG(config/policy/rule-New-WatchGuard-Rule)#policy-type WG-Firebox-Mgmt from alias Any-Trusted to alias Firebox
9. Use the apply command to commit the new policy to the XTM device.
XTM_5_Series login:
Now you should be able to connect to the Firebox from WatchGuard System Manager from any trusted interface. You can use Policy Manager to re-enable the WatchGuard Web UI policy, or add a new WG-Fireware-XTM-WebUI policy, to allow management access to the Fireware Web UI from a web browser.