Object Group with exclusions

Reply
Highlighted
L1 Bithead

Object Group with exclusions

Checkpoint has option to creat an address group object with exclusion (e.g Include 10.20.x.x/16 and exclude 10.20.30.0/24 or other subnets from supernet). Is similar option available in Palo Alto.

Negate option in PA is just to negate all source/destination. 

 

Highlighted
Cyber Elite

@Vikram511,

You can't exclude in an address or address-group object. If you want this feature you would need to reach out to your SE and get a feature request put together or have your vote added to an existing request.

You are correct that negate-source and negate-destination will negate anything specified and match everything else. 

Highlighted
L1 Bithead

@BPry  Thanks for the quick reply. 

I checked in expedition while converting the object group with exclusion it has converted the object group into range of address excluding the subnet which was under exclude list in the checkpoint object. It serves the purpose.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!