FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vdralio
Staff
Staff
Article Id 194290

Description


This article describes extension to Firewall Policy to support 'Negate' option for:

 
1) Source/Destination Address.
2) Service.


Solution


The purpose of 'Negate' option is to take the opposite of the cell to match the policy. For example:
- Normal Policy.
- Source = 172.16.10.0/24.
- Will match policy when the source is between 172.16.10.1 – 172.16.10.255.
- Negate Policy.
- Source = NOT (172.16.10.0/24).
- Will match policy when the source is NOT between 172.16.10.1 – 172.16.10.255.

To enable the ability to configure the 'Negate' option for source and destination addresses on firewall policies, beginning in FortiOS 6.2.3 and 6.4.0 it can be done by navigating to System > Feature Visibility > Enable "Policy Advanced Options". Once complete, these settings can be toggled as follows within the firewall policy configuration in the GUI:

jroussel_0-1673997769497.png


From CLI it is possible to check like below:

IPv4 addresses.

FortiGate# config firewall policy
FortiGate(policy) # show
# config firewall policy

    edit 1
        set name "Negate FW Policy"
        set uuid 2975ca98-1159-51ec-a9d8-93fd2b51a256
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "internal_IP_not_allowed"
        set dstaddr "dmz"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

FortiGate(1) # set srcaddr-negate
enable     <----- Enable source address negate.
disable    <----- Disable source address negate.
 
FortiGate(1) # set srcaddr-negate enable

FortiGate(1) # set dstaddr-negate

enable     <----- Enable destination address negate.
disable    <----- Disable destination address negate.
 
FortiGate(1) # set dstaddr-negate  disable

FortiGate# config firewall policy
FortiGate(policy) # show
# config firewall policy

    edit 1
        set name "Negate FW Policy"
        set uuid 2975ca98-1159-51ec-a9d8-93fd2b51a256
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "internal_IP_not_allowed"
        set dstaddr "dmz"
        set action accept
        set schedule "always"
        set service "ALL"
        set srcaddr-negate enable
    next
end

IPv6 addressed.

FortiGate # config firewall policy
FortiGate (policy) # edit 2
FortiGate (2) # show
# config firewall policy
    edit 2
        set name "IPv6 Negate FW Policy"
        set uuid 29da17a0-115e-51ec-4765-ab8ddc314d77
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr6 "IPv6_address"
        set dstaddr6 "DMZ"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

FortiGate (2) # set srcaddr-negate enable
FortiGate (2) # set dstaddr-negate enable

FortiGate (2) # show
# config firewall policy
    edit 2
        set name "IPv6 Negate FW Policy"
        set uuid 29da17a0-115e-51ec-4765-ab8ddc314d77
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr6 "IPv6_address"
        set dstaddr6 "DMZ"
        set action accept
        set schedule "always"
        set service "ALL"
        set srcaddr-negate enable
        set dstaddr-negate enable
    next
end

From GUI at Firewall Policies, it is possible to see a red circle alert with an exclamation point near Source, Destination or Service.


 

Related article:

Technical Tip: SSL VPN tunnel mode: negating split tunneling Routing Address IPs