How to disable the read-only flag for InControl inherited objects

Last modified on 8 Jul, 2021. Revision 8
If a firewall has been deleted from InControl, domain inherited objects on the firewall will remain as read-only and the administrator will be unable to edit or delete them using the firewall's WebUI or CLI. This article describes how the read-only flag on such objects can be disabled by using a new, empty instance of InControl.
Up to date for
cOS Core 13.00.11
InControl 3.00.00
Status OK
Peter Nilsson


We removed one of our firewalls from InControl but now we notice that several firewall objects are greyed out / read-only in the firewall’s WebUI management interface, so we cannot remove or change them. How can we get full access these objects again?


The most likely reason for these objects being read-only is that they were inherited from InControl domains. If we create an object in a domain and then use that object in a firewall managed by InControl, the object will exist locally on the firewall but be flagged as “read-only” in the firewall configuration. If we view it using the firewall’s WebUI management interface, it will be grayed out and it cannot be edited or deleted. This is the intended design in order to prevent accidental modification of inherited domain objects outside of InControl.

If we delete the firewall from InControl without first removing these inherited objects from the firewall configuration, they will remain read-only and cannot be edited or removed later using a firewall management interface.


The solution to this problem is to use InControl again to disable the flag. Here are the steps for how this can be achieved:

  1. Install a blank (temporary) InControl instance.
  2. Add the firewall you want to disable the read-only flags from to InControl.
  3. Open the objects that have the read-only flag and make a small change to them (e.g. change the comment field). Alternatively, simply delete the object if it's not needed.
  4. Deploy the configuration from InControl.
  5. Delete the firewall from InControl. If InControl is no longer needed, uninstall it.
  6. The read-only flag is now disabled and you can do whatever you want with the object from a firewall management interface, such as the WebUI.

Question: Is there any way to change this flag outside of InControl (for example, using the local CLI)?


No, at this time there is no such feature available. There exists an RFE (request for enhancement) to add a CLI command in a future cOS Core version that can change the read-only flag (RFE ID: COP-20720).

Related articles

No related articles found.