topic Re: Negate networks within an object group in General Topics

Negate networks within an object group

PA_nts — Mon, 30 Sep 2024 06:57:56 GMT

Hi,

is it possible to negate certain networks within a rule?

example.. src (192.168.0.0/16) and dest (10.0.0.0/8) action Deny

but want to negate dest 10.200.0.0/24 in the same rule so that 192.168.0.0/16 cannot talk to 10.0.0.0/8 but can talk to 10.200.0.0/24 (allowed lower down the order)

the FW negate option negates all the objects within src/dest. looking to see if possible to negate certain objects within this field only.. doesn't seem to be possible.

yes i can do it with multiple rules but want to do it with as few rules as possible as this will be deployed to multiple FWs across the globe and more rules means more complexity.

thanks in adv

Re: Negate networks within an object group

JayGolf — Mon, 30 Sep 2024 23:17:19 GMT

Hi @PA_nts ,

It is currently not possible to negate specific fields within Source Addresses or Destination Addresses. You will have to create multiple policies prior to your Deny policy.

Re: Negate networks within an object group

BPry — Wed, 02 Oct 2024 00:50:40 GMT

@PA_nts,

Any workarounds to this that you could utilize would be more complicated than having multiple security entries. Also if you're trying to create a generic "block traffic" rule it's likely easier and more beneficial to just do it via an EDL accessible to all of the firewalls.