How can I disable a rule I created via CLI?

I created a rule and now I can't access the web portal and I am looking for a way to disable the rule I created via the CLI.


Thanks.
  • I figured out a workaround. Luckily the NAT reflection rule only applied to outbound traffic internally. A quick walk to the coffee shop and a 3-dollar cup of coffee helped me solve the problem, since the rule didn't apply to inbound traffic and my firewall admin console is publicly available. I'll be sure to create snapshots before applying risky rules like this. It would still be helpful to know how to disable policies via CLI.

  • Hi Timothy, from the console interface you can disable the routing and policy engine via the "Device Console" using the command "system appliance_access enable". This will allow you to access the GUI and resolve the policy error. When you have finished, you can turn the routing and policy engines back on using "system appliance_access disable". Please be aware that there is no indication in the GUI if this feature has been enabled, so if you do enable it and forget to disable it, your only indication that it is enabled would be that no routing or policies are working.
  • Hi Leon.Friend,

    Sorry for replying on this old thread, but it helped me very well. However, some important information is missing from the answer.

    This command "system appliance_access enable" helped me get back into a customer's XG Firewall located in Azure after we were locked out due to the wrong firewall rule being created. After disabling the firewall rule which denied us access, we disabled the command again with "system appliance_access disable", which, as you suggested, is very important.

    However, the important information that ALL the internet packets will be dropped after the command is run is missing from the answer.

    Also, after performing the command, there will be no sort of second confirmation that the firewall will drop ALL this traffic.
    It will just be a note saying this and start dropping all the internet traffic straight away:

    Now if you have a local firewall, this only means there's no internet for the organisation behind it for a brief moment while you regain access and disable the rule.

    But if you're running this command remotely, it means you completely lose access to the firewall's webadmin if you access it through the internet and don't have a back-up connection, as we had in Azure.

    I'm surprised the KB article doesn't warn you about this: https://community.sophos.com/kb/en-us/123542 / https://community.sophos.com/kb/en-us/133677

    I'll also suggest editing the KB article.

    Stay safe,

    Regards,

    Sander