Host Firewall Reset with an OTP
Introduction
There are circumstances when the Xshield agent may misconfigure the host firewall, resulting in connectivity loss to the machine (server or endpoint). This can significantly impact the usability of services running on the machine, causing productivity issues. Additionally, as the Xshield agent cannot communicate with the platform, there is no way to reprogram the host firewall from the platform. Typically, such situations require resetting the host firewall through a local application.
However, since Xshield is a security application, providing such a command to the machine user could compromise security, as users might reset the host firewall rules to circumvent applied security policies. Moreover, users often lack administrative rights to reset (or modify) the host firewall.
The Xshield agent application therefore allows the reset to be requested in user mode (without administrative privileges), but gates the operation behind a One-Time Password (OTP). The privileged agent process performs the actual reset only when it receives a valid OTP, so standard users need no elevated rights, while unauthorized resets that would bypass security policies are still prevented.
The OTP is generated on the ColorTokens Xshield platform and distributed by the tenant administrator to the users of the machines on which the Xshield agents are installed. The OTP has a fixed validity period of at most two hours.
Workflow
Getting the One-Time Password
When the Xshield agent cannot communicate with the Xshield platform, or the applications on the asset have lost connectivity, follow these steps to recover the affected assets:
- Access the Xshield Platform.
- Navigate to the Settings page and select the Agent Config tab.
- Under this tab, locate the section titled Agent Firewall Reset Password.
- Copy the password value (displayed in clear text) and communicate it to the user/operator of the affected assets via an external communication mechanism (e.g., email, Teams channel, etc.). Because the value is shown in clear text and grants a privileged operation on every agent in the tenant, treat it as a secret: share it only with the intended operator, and only for as long as it is needed.
Applying the One-Time Password
On the affected system with the Xshield agent:
- The system user or operator uses the Xshield Agent Command Line Tool to request the firewall reset, supplying the one-time password.
- The tool runs without administrative privileges, so a standard user can issue the request as long as the password is valid.
- The action to specify in the command is 'resetrules'. The tool passes the request and the OTP to the Xshield agent process, which holds the administrative privileges needed to reset the host firewall; the CLI itself never modifies firewall rules.
- If the Xshield agent service is not running, it must be started before this operation can complete, because the validation and the reset both happen inside the agent process.
Incorrect One-Time Password
If the user executes the resetrules command three times with an invalid OTP, the Xshield agent blocks further attempts for one hour, regardless of whether later attempts carry the correct password. Because the OTP is also time-bound, by the time the block expires the user may need to request a newly generated OTP from the administrator before the firewall can be reset.
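The following Python is an added illustration of the agent-side checks the sections above describe (a time-bound password, a user-mode request handed to a privileged process, and the three-strikes lockout). It is not ColorTokens' code: the class and function names, the password format, the exact lockout bookkeeping, and the choice to report an expired OTP separately without counting it as a failed attempt are all assumptions made for the example.

```python
"""Reference model of an OTP-gated host firewall reset.

Hypothetical illustration only; names, password format and the
lockout bookkeeping are assumptions, not the Xshield implementation.
"""
import hmac
import secrets
from dataclasses import dataclass

OTP_LIFETIME_S = 2 * 60 * 60   # OTP valid for at most two hours
MAX_FAILURES = 3               # three invalid attempts ...
LOCKOUT_S = 60 * 60            # ... block further attempts for one hour


@dataclass
class FirewallResetOtp:
    """Password issued on the platform; the agent holds the same value and expiry."""
    value: str
    expires_at: float

    @classmethod
    def issue(cls, now: float, lifetime_s: float = OTP_LIFETIME_S) -> "FirewallResetOtp":
        # 16 random bytes rendered as 32 hex characters (format is an assumption).
        return cls(value=secrets.token_hex(16), expires_at=now + lifetime_s)


@dataclass
class Agent:
    """Privileged agent process receiving 'resetrules' requests from the user-mode CLI."""
    otp: FirewallResetOtp
    failures: int = 0
    locked_until: float = 0.0
    reset_count: int = 0

    def _reset_host_firewall(self) -> None:
        # Placeholder for the privileged action; a real agent would flush and
        # re-apply its rule set here. Only the agent, never the CLI, runs this.
        self.reset_count += 1

    def handle(self, action: str, supplied: str, now: float) -> str:
        """Process one CLI request and return the message shown to the operator."""
        if action != "resetrules":
            return "error: unsupported action"
        if now < self.locked_until:
            return f"locked: retry in {int(self.locked_until - now)}s"
        if now >= self.otp.expires_at:
            # Assumption: an expired OTP is reported but not counted as a guess.
            return "error: OTP expired, request a new one from the administrator"
        # Constant-time comparison so timing does not leak matching prefixes.
        if not hmac.compare_digest(supplied.encode(), self.otp.value.encode()):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.failures = 0
                self.locked_until = now + LOCKOUT_S
                return f"locked: too many invalid passwords, retry in {LOCKOUT_S}s"
            return f"error: invalid password ({MAX_FAILURES - self.failures} attempts left)"
        self.failures = 0
        self._reset_host_firewall()
        return "ok: host firewall rules reset"


def demo(now: float = 1_000_000.0) -> list:
    """Constructed scenario: three bad guesses, a correct OTP during the lockout,
    the same OTP once the lockout lapses, and an attempt after expiry."""
    agent = Agent(otp=FirewallResetOtp.issue(now))
    good = agent.otp.value
    return [
        agent.handle("resetrules", "wrong-1", now),
        agent.handle("resetrules", "wrong-2", now + 1),
        agent.handle("resetrules", "wrong-3", now + 2),
        agent.handle("resetrules", good, now + 3),               # correct, but locked out
        agent.handle("resetrules", good, now + 2 + LOCKOUT_S),   # lockout over, reset succeeds
        agent.handle("resetrules", good, now + OTP_LIFETIME_S),  # past validity window
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the model makes is that the lockout applies to the source of the requests, not to the password: once three invalid attempts have been made, even the correct OTP is refused until the hour has passed, and by then the OTP itself may have aged out, which is why the operator may have to go back to the administrator.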