You can run this command to create a 'Login Console' rule (for logging-in locally using a keyboard/monitor) and an 'Admin Console' rule (for the GUI) at the very top of your policy:

$> cf policy restore_console_access

-- The Admin Console rule will be created with a Source and Destination zone of 'internal' when you run this command.  You can change that zone using 'cf policy modify.'

Do a 'man cf_policy' to read the whole manual page for the cf_policy command.  There is no need to ever create a rulegroup, but here is the syntax:

policy add table=rulegroup name=Administration pos=3 rulegroup='' disable=no \

    description='Allow access for firewall administration.' \

policy add table=rule name='Login Console' rulegroup=Administration pos=1 \

    action=allow appdefense=defaultgroup:defaultgroup \

    application='custom:Login Console' audit=standard \

    authenticator=authenticator:Password authgroups='*' dest=all:v4 \

    dest_zones=zone:Firewall disable=no exclude_capability='' ipsresponse='' \

    nat_addr='' nat_mode=none redir='' redir_port='' sign_category_grp='' \

    source=all:v4 source_zones=zone:Firewall ssl_ports='' tcp_ports='' \

    timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \

    udp_ports='' description='Allow login from system console.' \

policy add table=rule name='Admin Console' rulegroup=Administration pos=2 \

    action=allow appdefense=defaultgroup:defaultgroup \

    application='custom:Admin Console' audit=verbose \

    authenticator=authenticator:Password authgroups='*' dest=all:v4 \

    dest_zones=zone:internal disable=no exclude_capability='' ipsresponse='' \

    nat_addr=virtual_host:localhost nat_mode=normal \

    redir=virtual_ipaddr:Firewall redir_port=9002 sign_category_grp='' \

    source=all:v4 source_zones=zone:internal ssl_ports='' tcp_ports='' \

    timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \

    udp_ports='' \

    description='Allow Admin Console access from the internal zone' \