Description
This article describes extension to Firewall Policy to support 'Negate' option for:
- Source/Destination Address.
- Service.
Scope
FortiGate.
Solution
The purpose of 'Negate' option is to take the opposite of the cell to match the policy. For example:
- Normal Policy.
- Source = 172.16.10.0/24.
- Will match policy when the source is between 172.16.10.1 – 172.16.10.255.
- Negate Policy.
- Source = NOT (172.16.10.0/24).
- Will match policy when the source is NOT between 172.16.10.1 – 172.16.10.255.
To enable the ability to configure the 'Negate' option for source and destination addresses on firewall policies, beginning in FortiOS 6.2.3 and 6.4.0 it can be done by navigating to System > Feature Visibility > Enable "Policy Advanced Options". Once complete, these settings can be toggled as follows within the firewall policy configuration in the GUI:
From CLI it is possible to check like below:
IPv4 addresses.
FortiGate# config firewall policy
FortiGate(policy) # show
config firewall policy
edit 1
set name "Negate FW Policy"
set uuid 2975ca98-1159-51ec-a9d8-93fd2b51a256
set srcintf "internal"
set dstintf "dmz"
set srcaddr "internal_IP_not_allowed"
set dstaddr "dmz"
set action accept
set schedule "always"
set service "ALL"
next
end
FortiGate(1) # set srcaddr-negate
enable <----- Enable source address negate.
disable <----- Disable source address negate.
FortiGate(1) # set srcaddr-negate enable
FortiGate(1) # set dstaddr-negate
enable <----- Enable destination address negate.
disable <----- Disable destination address negate.
FortiGate(1) # set dstaddr-negate disable
FortiGate# config firewall policy
FortiGate(policy) # show
# config firewall policy
edit 1
set name "Negate FW Policy"
set uuid 2975ca98-1159-51ec-a9d8-93fd2b51a256
set srcintf "internal"
set dstintf "dmz"
set srcaddr "internal_IP_not_allowed"
set dstaddr "dmz"
set action accept
set schedule "always"
set service "ALL"
set srcaddr-negate enable
next
end
IPv6 addresses.
FortiGate # config firewall policy
FortiGate (policy) # edit 2
FortiGate (2) # show
# config firewall policy
edit 2
set name "IPv6 Negate FW Policy"
set uuid 29da17a0-115e-51ec-4765-ab8ddc314d77
set srcintf "internal"
set dstintf "dmz"
set srcaddr6 "IPv6_address"
set dstaddr6 "DMZ"
set action accept
set schedule "always"
set service "ALL"
next
end
FortiGate (2) # set srcaddr-negate enable
FortiGate (2) # set dstaddr-negate enable
FortiGate (2) # show
# config firewall policy
edit 2
set name "IPv6 Negate FW Policy"
set uuid 29da17a0-115e-51ec-4765-ab8ddc314d77
set srcintf "internal"
set dstintf "dmz"
set srcaddr6 "IPv6_address"
set dstaddr6 "DMZ"
set action accept
set schedule "always"
set service "ALL"
set srcaddr-negate enable
set dstaddr-negate enable
next
end
From GUI at Firewall Policies, it is possible to see a red circle alert with an exclamation point near Source, Destination or Service.
Related article:
Technical Tip: SSL VPN tunnel mode: negating split tunneling Routing Address IPs
