Created on 02-05-2013 04:41 AM
Edited on 03-03-2025 12:16 AM
By Jean-Philippe_P
Description
This article describes the extension of the Firewall Policy to support the 'Negate' option for:
- Source/Destination Address.
- Service.
Scope
FortiGate.
Solution
The purpose of the 'Negate' option is to match the policy on the opposite of what is configured in the cell. For example:
- Normal Policy.
  - Source = 172.16.10.0/24.
  - Will match the policy when the source is between 172.16.10.1 – 172.16.10.255.
- Negate Policy.
  - Source = NOT (172.16.10.0/24).
  - Will match the policy when the source is NOT between 172.16.10.1 – 172.16.10.255.
Beginning in FortiOS v6.2.3 and v6.4.0, the 'Negate' option for source and destination addresses can be made configurable by navigating to System -> Feature Visibility and enabling 'Policy Advanced Options'. Once this is enabled, the Negate settings can be toggled within the firewall policy configuration in the GUI.
From the CLI, the setting can be checked and changed as shown below:
IPv4 addresses.
FortiGate# config firewall policy
FortiGate(policy) # show
config firewall policy
    edit 1
        set name "Negate FW Policy"
        set uuid 2975ca98-1159-51ec-a9d8-93fd2b51a256
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "internal_IP_not_allowed"
        set dstaddr "dmz"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
FortiGate(policy) # edit 1
FortiGate(1) # set srcaddr-negate
enable <----- Enable source address negate.
disable <----- Disable source address negate.
FortiGate(1) # set srcaddr-negate enable
FortiGate(1) # set dstaddr-negate
enable <----- Enable destination address negate.
disable <----- Disable destination address negate.
FortiGate(1) # set dstaddr-negate disable
FortiGate# config firewall policy
FortiGate(policy) # show
config firewall policy
    edit 1
        set name "Negate FW Policy"
        set uuid 2975ca98-1159-51ec-a9d8-93fd2b51a256
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "internal_IP_not_allowed"
        set dstaddr "dmz"
        set action accept
        set schedule "always"
        set service "ALL"
        set srcaddr-negate enable
    next
end
IPv6 addresses.
FortiGate # config firewall policy
FortiGate (policy) # edit 2
FortiGate (2) # show
config firewall policy
    edit 2
        set name "IPv6 Negate FW Policy"
        set uuid 29da17a0-115e-51ec-4765-ab8ddc314d77
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr6 "IPv6_address"
        set dstaddr6 "DMZ"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
FortiGate (2) # set srcaddr-negate enable
FortiGate (2) # set dstaddr-negate enable
FortiGate (2) # show
config firewall policy
    edit 2
        set name "IPv6 Negate FW Policy"
        set uuid 29da17a0-115e-51ec-4765-ab8ddc314d77
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr6 "IPv6_address"
        set dstaddr6 "DMZ"
        set action accept
        set schedule "always"
        set service "ALL"
        set srcaddr-negate enable
        set dstaddr-negate enable
    next
end
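The following is an added example, not part of this article or of FortiOS itself: it parses the 'show' output of the IPv4 policy above and evaluates sample flows with the negate semantics described earlier, which is a convenient way to review what a negated policy really admits before deploying it. The member prefixes of the address objects are assumptions (the article only gives 172.16.10.0/24).

```python
import ipaddress
import re

# Constructed address objects: names come from the article's example policy, the
# member prefixes are assumptions (the article gives only 172.16.10.0/24).
ADDRESS_OBJECTS = {
    "internal_IP_not_allowed": ["172.16.10.0/24"],
    "dmz": ["10.10.10.0/24"],
}

# Policy 1 from the article as printed by 'show' after 'set srcaddr-negate enable'.
SHOW_OUTPUT = """config firewall policy
    edit 1
        set name "Negate FW Policy"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "internal_IP_not_allowed"
        set dstaddr "dmz"
        set action accept
        set schedule "always"
        set service "ALL"
        set srcaddr-negate enable
    next
end"""

def parse_policy(show_output):
    """Collect each 'set <key> <values>' line; negate flags default to disable."""
    policy = {"srcaddr-negate": ["disable"], "dstaddr-negate": ["disable"]}
    for line in show_output.splitlines():
        m = re.match(r"\s*set (\S+) (.+)$", line)
        if m:
            key, rest = m.group(1), m.group(2).strip()
            # quoted object names may be several per line; unquoted keywords are one
            policy[key] = re.findall(r'"([^"]*)"', rest) or [rest]
    return policy

def in_objects(ip, names):
    """True when ip falls inside any member prefix of the named address objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for n in names for p in ADDRESS_OBJECTS[n])

def policy_matches(policy, src_ip, dst_ip):
    """Negate semantics: a negated cell matches when the address is NOT in the object."""
    src_hit = in_objects(src_ip, policy["srcaddr"])
    dst_hit = in_objects(dst_ip, policy["dstaddr"])
    if policy["srcaddr-negate"][0] == "enable":
        src_hit = not src_hit  # 'NOT 172.16.10.0/24' admits every other source, not only internal ones
    if policy["dstaddr-negate"][0] == "enable":
        dst_hit = not dst_hit
    return src_hit and dst_hit
```

Running the sample flows shows that a negated source accepts any address outside 172.16.10.0/24, so the objects surrounding a negated policy should be reviewed with that breadth in mind.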
In the GUI, under Firewall Policies, a negated Source, Destination, or Service is shown with a red circle alert containing an exclamation point next to that cell.

Related articles:
Technical Tip: SSL VPN tunnel mode: negating split tunneling Routing Address IPs
Technical Tip: Cannot configure negate features under local-in-policy setting in FortiGate unit