Ivory

Negating a specific object

I noticed that the option to negate a specific object is no longer available in R80.xx; the only available option is "negate cell".

I wonder why Check Point removed such an important feature.

I am simply trying to allow "any" but deny/negate "https" in the services cell, does anyone have a workaround?

1 Solution

Accepted Solutions
Admin

I've been using Check Point since version 2 and I'm pretty sure it was never allowed to negate a specific object in a cell with two or more items in it.

Here's a snapshot from R77.30 where I'm selecting a specific object and I'm being offered "Negate Cell":

[Screenshot: Screen Shot 2020-03-26 at 9.12.06 PM.png]

And it shows like this when negated.

[Screenshot: Screen Shot 2020-03-26 at 9.18.56 PM.png]

Visually, it looks a little different in R80.x:

[Screenshot: Screen Shot 2020-03-26 at 9.13.50 PM.png]

In either case, the effect is the same.

8 Replies

Negate the cell, which in fact stops anything but what is in that cell.
It might be named a bit differently, but it still works the same.
Regards, Maarten
Ivory

@Maarten_Sjouw 

This makes things even more complicated; I would like to allow everything but https. What should my rule look like?

Any represents a lot of services which I cannot list.

Copper

I think your only option is two rules:

top rule: service https, action drop
second rule: allow any

Ivory

@Ryan_Ryan 

So far it seems to be the only option, but why did Check Point decide to get rid of such a good feature?

Now we end up with 2 rules instead of 1; I think Check Point should reconsider putting this feature back.

Copper

No idea...

It's possible with network groups: create a group with an exclusion.

It seems there is no option to create a service group with an exclusion; otherwise you could have created a group containing tcp and udp 1-65535 and icmp and then excluded https.

 

If you wanted a really ugly solution, you could create a group like the above but with a tcp range 1-442 and a tcp range 444-65535, grouped together with a udp range of all ports and icmp.

It would look just like this; it allows my home LAN to anything but the RFC1918 networks, on any port but HTTP/HTTPS:

[Screenshot: Negate.JPG]

Regards, Maarten

Ivory

Oh... then I misunderstood @Maarten_Sjouw's explanation and thought that everything in the cell is allowed and the rest dropped. This makes sense now, thanks @PhoneBoy

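To make the semantics discussed in this thread concrete, here is an added toy rulebase evaluator (example code written for this page, not Check Point's implementation or anything posted above). It models a cell as a set of objects where "negate cell" inverts the match for the whole cell, and it checks that the three approaches described in the replies agree: the two-rule workaround (drop https, then allow any), a single rule with the service cell negated, and the "ugly" service group of tcp 1-442 plus 444-65535 plus all udp and icmp. The home LAN address range, the sample packets and the rule names are constructed for the example; the RFC1918 networks and the HTTP/HTTPS ports are the standard values.

```python
"""Toy first-match rulebase evaluator modelling a whole-cell "Negate Cell".

Added example for illustration only; it is not Check Point code. A cell holds
either ANY or a list of objects; with negate=True the cell matches exactly when
the packet attribute is NOT covered by the objects (a cell-wide NOT).
"""
from dataclasses import dataclass, field
import ipaddress

ANY = "Any"


@dataclass(frozen=True)
class Service:
    proto: str
    first: int
    last: int

    def covers(self, proto, port):
        return proto == self.proto and self.first <= port <= self.last


HTTP = Service("tcp", 80, 80)
HTTPS = Service("tcp", 443, 443)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOME_LAN = [ipaddress.ip_network("192.168.1.0/24")]  # constructed example value


@dataclass
class Cell:
    items: object = ANY      # ANY, a list of networks, or a list of Services
    negate: bool = False

    def matches(self, value):
        if self.items == ANY:
            hit = True
        elif isinstance(value, tuple):          # (proto, port) -> service cell
            hit = any(s.covers(*value) for s in self.items)
        else:                                   # address string -> network cell
            addr = ipaddress.ip_address(value)
            hit = any(addr in net for net in self.items)
        return hit != self.negate               # negation inverts the whole cell


@dataclass
class Rule:
    name: str
    action: str
    src: Cell = field(default_factory=Cell)
    dst: Cell = field(default_factory=Cell)
    svc: Cell = field(default_factory=Cell)


def evaluate(rulebase, src, dst, proto, port):
    """First matching rule wins; an implicit cleanup rule drops everything else."""
    for r in rulebase:
        if r.src.matches(src) and r.dst.matches(dst) and r.svc.matches((proto, port)):
            return r.name, r.action
    return "cleanup", "drop"


# Two-rule workaround from the thread: explicit drop first, then allow any.
TWO_RULES = [Rule("deny-https", "drop", svc=Cell([HTTPS])), Rule("allow-rest", "accept")]
# Single rule with the service cell negated: "anything but https".
NEGATED_CELL = [Rule("allow-all-but-https", "accept", svc=Cell([HTTPS], negate=True))]
# The "ugly" service-group alternative: enumerate everything except tcp/443.
UGLY_GROUP = [Rule("allow-group", "accept", svc=Cell([
    Service("tcp", 1, 442), Service("tcp", 444, 65535),
    Service("udp", 1, 65535), Service("icmp", 0, 255)]))]
# Maarten's shape: home LAN to anything but RFC1918, on anything but HTTP/HTTPS.
MAARTEN_STYLE = [Rule("home-to-internet", "accept", src=Cell(HOME_LAN),
                      dst=Cell(RFC1918, negate=True), svc=Cell([HTTP, HTTPS], negate=True))]

SAMPLE_PACKETS = [  # constructed: (src, dst, proto, port)
    ("192.168.1.5", "8.8.8.8", "tcp", 443),
    ("192.168.1.5", "8.8.8.8", "tcp", 22),
    ("192.168.1.5", "8.8.8.8", "udp", 443),
    ("192.168.1.5", "8.8.8.8", "icmp", 0),
]


def same_decision(a, b, packets):
    """True when two rulebases produce the same accept/drop verdict for every packet."""
    return all(evaluate(a, *p)[1] == evaluate(b, *p)[1] for p in packets)


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, evaluate(NEGATED_CELL, *p), evaluate(TWO_RULES, *p))
    print("two rules == negated cell:", same_decision(TWO_RULES, NEGATED_CELL, SAMPLE_PACKETS))
    print("ugly group == negated cell:", same_decision(UGLY_GROUP, NEGATED_CELL, SAMPLE_PACKETS))
```

The point the original poster initially missed is visible in `Cell.matches`: negation is applied after the whole cell is evaluated, so a negated service cell containing only https matches every service except https, rather than matching https and dropping the rest. The MAARTEN_STYLE rule also shows that a packet to an RFC1918 destination or on port 80/443 falls through to the cleanup rule instead of being accepted, which is what a negated destination and service cell in one rule means.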