Turn off firewall rules Auto-Order mode from the CLI

Is this only possible from the WebUI or the management software? I need a command line solution to be able to switch off the Auto-Order mode to allow manual designation of firewall rule priorities.

Best Answer

  • james.carson Moderator, WatchGuard Representative
    Answer ✓

    Hi Dramis,

    Auto-order mode isn't really a thing in the CLI -- the firewall just puts the policy wherever you tell it to put it. If you use CLI in addition to WSM and/or the WebUI, it'd still be a good idea to go turn it off -- but if you just use CLI, it should never invoke. This is because auto-order mode invokes when those tools load the config up -- and isn't actually done by the firewall processes themselves.

    On my firewall, I checked to make sure auto-order mode was on in policy manager before doing this.

    Log in as admin, and enter config mode, then policy mode:

    Type 'show rule' to get your rule list in order. I truncated the list to keep it readable (hopefully.)

    WG(config/policy)#show rule

    1 Disabled FTP FTP Any-External External IP --> Internal IP: 0 Global
    2 Allowed FTP-proxy FTP-proxy Any-Trusted Any-External

    You can move a rule by entering into that policy. For example: "rule Ping"
    WG(config/policy)#rule Ping

    You can then use the move command to move it to the desired location, and then type apply to apply the config.

    WG(config/policy/rule-Ping)#move 2

    Remember to type exit to get out of that edit mode.

    Then type "show rule"

    Index Action Name Service From-alias To-alias App-Control Geolocation
    1 Disabled FTP FTP Any-External External IP --> Internal IP: 0 Global
    2 Allowed Ping Ping Any-Trusted Any Global Global

    You can see the full CLI guide here:
    Fireware CLI reference:

    There's no way to toggle into 'manual order mode' from the CLI, which is just a flag that tells policy manager or the WebUI to not order the policies and leave them alone. If you plan on going back to WSM/WebUI, I'd suggest logging in and toggling it off first.

    -James Carson
    WatchGuard Customer Support
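
Added example, not part of the answer above and not WatchGuard code: because auto-order runs when WSM or the WebUI loads the config, one way to catch an unintended reorder is to save the `show rule` output after ordering from the CLI and compare it with a later capture. It assumes policy names contain no spaces and that the first three columns are Index, Action and Name as in the output above; both captures are constructed.

```python
import re

# Constructed captures of `show rule` (not real device output): BASELINE was
# saved right after ordering from the CLI, CURRENT at a later audit.
BASELINE = """\
WG(config/policy)#show rule
Index Action Name Service From-alias To-alias App-Control Geolocation
1 Disabled FTP FTP Any-External External IP --> Internal IP: 0 Global
2 Allowed Ping Ping Any-Trusted Any Global Global
3 Allowed FTP-proxy FTP-proxy Any-Trusted Any-External
"""
CURRENT = """\
WG(config/policy)#show rule
Index Action Name Service From-alias To-alias App-Control Geolocation
1 Disabled FTP FTP Any-External External IP --> Internal IP: 0 Global
2 Allowed FTP-proxy FTP-proxy Any-Trusted Any-External
3 Allowed Ping Ping Any-Trusted Any Global Global
"""

# Index, Action and Name are the first three whitespace-separated fields.
# Assumption: policy names contain no spaces. Prompt and header lines do not
# start with a number, so they are skipped.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")

def parse_rules(text):
    """Return [(index, action, name), ...] in the order listed."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules

def order_drift(baseline, current):
    """Return [(name, old_index, new_index)] for every policy whose position
    differs between the two captures; None marks a policy that is missing
    from one side (added or deleted)."""
    old = {name: idx for idx, _, name in parse_rules(baseline)}
    new = {name: idx for idx, _, name in parse_rules(current)}
    return [(name, old.get(name), new.get(name))
            for name in sorted(old.keys() | new.keys())
            if old.get(name) != new.get(name)]

if __name__ == "__main__":
    for name, was, now in order_drift(BASELINE, CURRENT):
        print(f"{name}: position {was} -> {now}")
```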


  • Thank you, that was comprehensive! As it stands, I will toggle the flag from the WebUI then. I don't want any behavior changes if WebUI is used to examine the rules at some point down the road.
