Negate Rule Not Working Firewall-1

on 14.09.2006 09:28:24 by Will

Let's say you have three DMZ networks on Firewall-1, and you create three
network objects corresponding to these three networks:

10.10.10.0
10.10.11.0
10.10.12.0

You then create a group named DMZ-Networks and create a rule that says when
the Source is NOT DMZ-Networks (i.e., Negate DMZ-Networks), and the target
is the Firewall-1 object, then send an alert. The intent was to find any
packet from an external address that targets the firewall.

What I'm finding is that any broadcast from any machine in a DMZ network is
triggering the alert. Firewall-1 does not see a broadcast originating from
a machine in a DMZ Network as being from that network? How would you
modify the rule above so that broadcasts coming from inside the DMZ don't
trigger the Negate source condition?

--
Will

Re: Negate Rule Not Working Firewall-1

on 14.09.2006 18:08:43 by rick

Will wrote:
> Let's say you have three DMZ networks on Firewall-1, and you create three
> network objects corresponding to these three networks:
>
> 10.10.10.0
> 10.10.11.0
> 10.10.12.0
>
> You then create a group named DMZ-Networks and create a rule that says when
> the Source is NOT DMZ-Networks (i.e., Negate DMZ-Networks), and the target
> is the Firewall-1 object, then send an alert. The intent was to find any
> packet from an external address that targets the firewall.
>
> What I'm finding is that any broadcast from any machine in a DMZ network is
> triggering the alert. Firewall-1 does not see a broadcast originating from
> a machine in a DMZ Network as being from that network? How would you
> modify the rule above so that broadcasts coming from inside the DMZ don't
> trigger the Negate source condition?
>
> --
> Will

When you created the network object, did you specify that the broadcast
address was included or excluded in the network definition? The default
for NGX is to exclude the broadcast address from the network object.
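To make the point in the reply concrete, here is an added example (not code from the thread or from Check Point) that models how a network object's "include broadcast address" setting changes what a negated source group matches. The networks are the three from the question; the firewall address, the sample packets and the constructed log lines are assumptions made for the example.

```python
import ipaddress

# Constructed model of Firewall-1 style network objects and a negated-source
# rule. Nothing here is Check Point's own logic; it only reproduces the
# membership semantics the reply describes.

DMZ_NETWORKS = ["10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24"]
FIREWALL_ADDRESS = "10.10.10.1"  # assumed gateway address on the first DMZ


def network_object(cidr, include_broadcast):
    """Return a membership test for one network object.

    With include_broadcast=False (the NGX default per the reply) the subnet
    broadcast address is NOT considered part of the network object.
    """
    net = ipaddress.ip_network(cidr)

    def is_member(addr):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            return False
        if ip == net.broadcast_address and not include_broadcast:
            return False
        return True

    return is_member


def dmz_group(include_broadcast):
    """Membership test for the DMZ-Networks group (union of the three objects)."""
    members = [network_object(c, include_broadcast) for c in DMZ_NETWORKS]
    return lambda addr: any(m(addr) for m in members)


def negated_source_rule_fires(src, dst, include_broadcast):
    """Rule from the question: Source = NOT DMZ-Networks, Destination = firewall.

    Returns True when the alert would be raised for this packet.
    """
    in_dmz = dmz_group(include_broadcast)
    return dst == FIREWALL_ADDRESS and not in_dmz(src)


# Constructed sample of (source, destination) pairs, as if pulled from a log.
SAMPLE_PACKETS = [
    ("10.10.10.5", FIREWALL_ADDRESS),     # ordinary DMZ host
    ("10.10.10.255", FIREWALL_ADDRESS),   # subnet broadcast address as source (assumed)
    ("10.10.12.255", FIREWALL_ADDRESS),   # another DMZ broadcast address
    ("192.0.2.7", FIREWALL_ADDRESS),      # external source, should alert
    ("10.10.11.20", "10.10.11.30"),       # DMZ to DMZ, firewall not the target
]


def sources_that_alert(include_broadcast):
    """List the sources that trigger the rule under a given object setting."""
    return [src for src, dst in SAMPLE_PACKETS
            if negated_source_rule_fires(src, dst, include_broadcast)]


if __name__ == "__main__":
    print("broadcast excluded (NGX default):", sources_that_alert(False))
    print("broadcast included:              ", sources_that_alert(True))
```

Running it shows the difference the reply is pointing at: with the broadcast address excluded from the network objects, the subnet broadcast addresses fall outside DMZ-Networks and therefore satisfy the negated source condition, while the external source alerts under either setting.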