https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception/m-p/152039#M50303 <P>if your source zone consists of only 10.0.0.0/8, what you could do is put a source IP of 10.100.0.0/24 and check the negate option. that way the policy will only apply to IPs sourced from that zone that are NOT in the 10.100.0.0/24 range.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Capture.JPG" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8732i4A6113F08FAD7927/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 10 Apr 2017 19:02:04 GMT bradk14 2017-04-10T19:02:04Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception/m-p/152004#M50296 <P>Has Palo Alto looked into the capability for security policies to be built using an exception based logic. For example:</P><P>&nbsp;</P><P>Src: 10.0.0.0/8 <FONT color="#FF0000">(except) 10.100.0.0/24</FONT> Dst: ** App: ** etc.... This would then allow all 10. traffic except for the 10.100.0.0/24 subnet</P><P>&nbsp;</P><P>This is a function available in Checkpoint and some other platforms that has been very helpful, especially in preventing our policies from being filled with random drop rules.</P><P>&nbsp;</P><P>Thank you</P> Mon, 10 Apr 2017 17:57:05 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception/m-p/152004#M50296 Gun-Slinger 2017-04-10T17:57:05Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception/m-p/152028#M50301 <P>I can't speak to what Palo Alto has considered, of course, but is this mostly just a convenience thing to prevent the creation of two firewalls rules?</P><P>&nbsp;</P><P>i.e.</P><OL><LI>Deny 10.100.0.0/24</LI><LI>Allow 10.0.0.0/8</LI></OL><P>I'm sitting her smiling imagining having all of that in one rule and someone else looking at the logs and, based on how I've been naming things, scratching their head wondering why an IP in 10.100.0.0/24 is being denied by "Allow Internal Ranges to X Server".</P> Mon, 10 Apr 2017 18:10:46 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception/m-p/152028#M50301 jsalmans 2017-04-10T18:10:46Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception/m-p/152039#M50303 <P>if your source zone consists of only 10.0.0.0/8, what you could do is put a source IP of 10.100.0.0/24 and check the negate option. that way the policy will only apply to IPs sourced from that zone that are NOT in the 10.100.0.0/24 range.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Capture.JPG" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8732i4A6113F08FAD7927/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Capture.JPG" alt="Capture.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 10 Apr 2017 19:02:04 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-exception/m-p/152039#M50303 bradk14 2017-04-10T19:02:04Z