By Manny Fernandez
February 4, 2018
Negate Source, Destination or Service
I started working on firewalls back in the early 90s, on Check Point Firewall-1 running on AIX. I soon moved over to Windows, where we had to disable so many services that preparing for the install took longer than installing the firewall itself. There used to be a local.arp file you had to edit, adding the MAC address of the external interface the proxy ARP needed to come from alongside the NAT (public) IP. As of 2011, a variant of this was still lurking in the bowels of Check Point: you would "push" the policy and then need to run a batch file to load the local.arp file. At any rate, Check Point did (and does) have some nice features that not everyone had. One I did not know existed in FortiOS is the 'negate' feature.
Use Case: You want to create a policy that allows a guest VLAN to reach anywhere EXCEPT your internal network, 10.1.1.0/24. On the Cisco ASA and most other firewalls this takes two entries (policies, rules or ACEs, depending on the platform): a deny for destination 10.1.1.0/24 placed above a second rule that permits IP any any. It is more efficient to create one policy that says "everything except this network". Enter 'negate'.
Here is my test scenario to prove the feature works: I created a VLAN named 'FORTIFON' and wanted to permit traffic to anywhere except 4.2.2.2.
Step 1
I start by creating a policy whose destination is the object I want to exclude (4.2.2.2), with an action of 'ACCEPT'. That looks backwards, but the negate flag set in the next step inverts the destination match. Once that is done, go to the top of the GUI and choose the CLI icon (or SSH in with SecureCRT, PuTTY or something similar).
Once you are at the command line, enter the following command to get into the configuration mode for firewall policies.
config firewall policy
Now issue the show command and identify the policy ID number; remember this is different from the sequence number shown in the GUI.
In my example, my ID is 43 so I enter the following command:
edit 43
Once there, I can again issue the show command and it will show me the configured options for that particular policy ID.
NOTE: If you want to see all the options you CAN configure, issue the 'get' command.

Here you can see that the source interface is the 'FORTIFON' VLAN and the destination interface is wan1. I am allowing 'all' sources (obviously coming from the VLAN FORTIFON) to a destination object named 'SBC-DNS', and the action is 'accept'. The key line for this blog post is:
set dstaddr-negate enable
Remember, you can use the same method for source addresses and services with 'set srcaddr-negate enable' and 'set service-negate enable'.
Once this feature is turned on, it will change the visual representation of the policy in the GUI.

Notice the unusual red exclamation mark next to the object in the destination?

That is what tells you the object is negated: this policy will permit traffic to anywhere except the negated object. The policy still sits in the ordered policy table, so anything it does not match falls through to the policies below it and, finally, to the implicit deny.
I connected another MacBook to the FORTIFON VLAN and obtained an IP address. I attempted to ping 8.8.8.8 and was successful; however, when I attempted to ping 4.2.2.2, it failed.

Here we can see the output of the ping to 8.8.8.8 succeeding, while the same ping to 4.2.2.2 fails.
Additionally, as you add destinations to this negated policy, the objects combine with an 'OR' and the whole set is negated: a packet matches the policy only if its destination is in none of the listed objects, so each object you add makes the policy narrower, not broader. In my example, I added an additional destination and the policy now shows:
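To tie the steps together, here is the guest-VLAN use case from the introduction built entirely from the CLI, with several excluded destinations to show the 'OR' behaviour. This is an added example, not the configuration from the original post; the interface names 'guest' and 'wan1', the address object names, and policy ID 44 are assumptions to adapt to your own unit.

```text
# Added example, not from the original post. Interface names (guest, wan1),
# address object names and policy ID 44 are assumptions.

# Address objects for everything the guest VLAN must NOT reach.
config firewall address
    edit "internal-10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "rfc1918-172.16"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "rfc1918-192.168"
        set subnet 192.168.0.0 255.255.0.0
    next
end

# One policy instead of a deny/permit pair: accept to anywhere except the
# negated destinations. With several objects, negation applies to their
# union: a packet matches only if its destination is in NONE of them.
config firewall policy
    edit 44
        set name "guest-to-anywhere-except-internal"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "internal-10.1.1.0" "rfc1918-172.16" "rfc1918-192.168"
        set dstaddr-negate enable
        set service "ALL"
        set schedule "always"
        set action accept
        set nat enable
        set logtraffic all
    next
end

# Verify the negate flag stuck and the object list is what you expect.
config firewall policy
    edit 44
        show
    next
end
```

Two things to keep in mind when you use this. First, because the destination list is negated, putting only 'all' in a negated field matches nothing (negate 'all' and nothing is left), so the exclusion list must be the specific ranges you want to protect. Second, in this example the internal VLANs are already unreachable because the policy's destination interface is wan1 and there is no guest-to-LAN policy; the negated list does the real work when the excluded ranges are reachable through the same destination interface (for example over a VPN terminated on wan1) or when you set dstintf to 'any'. To confirm the behaviour on the box, repeat the ping test from the post and watch the packets with 'diagnose sniffer packet any "host 4.2.2.2" 4'.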

I hope this was helpful to you.