Forum Discussion
NimbostratusInvert match in AFM policy
Hi!
Is it possible to invert the match sense in AFM parameters like we do using ! with iptables?
Thanks!
if you would like to change a single allowed address such as this one
- accept all traffic to 10.1.1.1/32
you can invert this to disallow the traffic by using specific rules first and allow more general rules after.
for example assuming the rest of the network is a 24 bit subnet mask,
- drop/reject all traffic for 10.1.1.1/32
- accept all traffic to 10.1.1.0/24
or vice-versa if you want to allow your specific ip address on a blocked subnet.
Renato_166638No... At least I haven't found this option.
Richard_KaronEmployee
if you would like to change a single allowed address such as this one
- accept all traffic to 10.1.1.1/32
you can invert this to disallow the traffic by using specific rules first and allow more general rules after.
for example assuming the rest of the network is a 24 bit subnet mask,
- drop/reject all traffic for 10.1.1.1/32
- accept all traffic to 10.1.1.0/24
or vice-versa if you want to allow your specific ip address on a blocked subnet.
- Renato_166638
Richard, that was a long time ago, but you suggestion is probably what I did. I was migrating some policies from PaloAlto to AFM and also trying to make it the more similar I could at same time for the customer.
if you would like to change a single allowed address such as this one
- accept all traffic to 10.1.1.1/32
you can invert this to disallow the traffic by using specific rules first and allow more general rules after.
for example assuming the rest of the network is a 24 bit subnet mask,
- drop/reject all traffic for 10.1.1.1/32
- accept all traffic to 10.1.1.0/24
or vice-versa if you want to allow your specific ip address on a blocked subnet.
- Renato_166638
Richard, that was a long time ago, but you suggestion is probably what I did. I was migrating some policies from PaloAlto to AFM and also trying to make it the more similar I could at same time for the customer.