https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79923#M11458 <P>It would look just like this, it allows my home lan to anything but the RFC1918 networks on any port but HTTP/HTTPS:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Negate.JPG" style="width: 1039px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5180i1711B3D3F4ABCCC5/image-dimensions/1039x87?v=v2" width="1039" height="87" role="button" title="Negate.JPG" alt="Negate.JPG" /></span></P> <P> </P> Fri, 27 Mar 2020 06:14:00 GMT Maarten_Sjouw 2020-03-27T06:14:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79860#M11451 <P>I noticed that the option to negate a specific object is no long available in R80.xx, only available option is "negate cell"</P><P>I wonder why CheckPoint removed such a important feature.</P><P>I am simply trying to allow "any" but deny/negate "https" in the services cell, does anyone have a workaround?</P> Thu, 26 Mar 2020 19:49:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79860#M11451 donat5 2020-03-26T19:49:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79869#M11452 Negate the cell which in fact stops anything but what is in that cell.<BR />It might be named a bit different but it still works the same. Thu, 26 Mar 2020 21:50:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79869#M11452 Maarten_Sjouw 2020-03-26T21:50:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79882#M11453 <P>&nbsp;</P><P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/17364">@Maarten_Sjouw</a>&nbsp;</P><P>This even makes things more complicated; I would like to allow everything but https, how should my rule look like?</P><P>Any represents a lot of services which I cannot list.</P><P>&nbsp;</P> Thu, 26 Mar 2020 23:27:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79882#M11453 donat5 2020-03-26T23:27:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79884#M11454 <P>I think your only option is two rules</P><P>&nbsp;</P><P>top rule - service https - action - drop</P><P>second rule allow any</P> Thu, 26 Mar 2020 23:40:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79884#M11454 Ryan_Ryan 2020-03-26T23:40:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79888#M11455 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/14416">@Ryan_Ryan</a>&nbsp;</P><P>It seems so far the only option but why cp decided to get rid of such a good feature?</P><P>Now we end up with 2 rules instead of 1; I think checkpoint should reconsider putting this feature back.</P> Fri, 27 Mar 2020 00:09:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79888#M11455 donat5 2020-03-27T00:09:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79891#M11456 <P>No idea..</P><P>&nbsp;</P><P>Its possible with network groups - create group with exclusion</P><P>seems there is no option to create service group with exclusion - you could have created a group containing tcp and udp 1-<SPAN>65535 and icmp and then exclude https. </SPAN></P><P>&nbsp;</P><P><SPAN>If you wanted a really&nbsp;ugly solution you could create a group like above but with tcp range 1-442 and range 444-65535 group that together with udp range all ports and icmp.</SPAN></P><P>&nbsp;</P> Fri, 27 Mar 2020 00:17:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79891#M11456 Ryan_Ryan 2020-03-27T00:17:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79914#M11457 <P>I've been using Check Point since version 2 and I'm pretty sure it was never allowed to negate a specific object in a cell with two or more items in it.</P> <P>Here's a snapshot from R77.30 where I'm selecting a specific object and I'm being offered "Negate Cell"&nbsp;&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-03-26 at 9.12.06 PM.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5177i62A62A2BCCDC4E64/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-03-26 at 9.12.06 PM.png" alt="Screen Shot 2020-03-26 at 9.12.06 PM.png" /></span></P> <P>And it shows like this when negated.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-03-26 at 9.18.56 PM.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5178iE4251C87CF083E5B/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-03-26 at 9.18.56 PM.png" alt="Screen Shot 2020-03-26 at 9.18.56 PM.png" /></span></P> <P>Visually, it looks a little different in R80.x:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-03-26 at 9.13.50 PM.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5179i04007C58AECDB8D0/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-03-26 at 9.13.50 PM.png" alt="Screen Shot 2020-03-26 at 9.13.50 PM.png" /></span></P> <P>In either case, the effect is the same.</P> <P> </P> Fri, 27 Mar 2020 04:26:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79914#M11457 PhoneBoy 2020-03-27T04:26:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79923#M11458 <P>It would look just like this, it allows my home lan to anything but the RFC1918 networks on any port but HTTP/HTTPS:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Negate.JPG" style="width: 1039px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5180i1711B3D3F4ABCCC5/image-dimensions/1039x87?v=v2" width="1039" height="87" role="button" title="Negate.JPG" alt="Negate.JPG" /></span></P> <P> </P> Fri, 27 Mar 2020 06:14:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79923#M11458 Maarten_Sjouw 2020-03-27T06:14:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79971#M11459 <P>Oh...then I misunderstood&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/17364">@Maarten_Sjouw</a>&nbsp;explaination and thought that everything in the cell is allowed and the rest dropped. This makes sense now, thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P> Fri, 27 Mar 2020 14:12:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Negating-a-specific-object/m-p/79971#M11459 donat5 2020-03-27T14:12:53Z