https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040080#M1067300 <P>Hi Cristian,</P> <P>Can you explain in more detail how to use an excluded list in a network object or object group definition? I don't see that option in my FMC running 6.5.0.2.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FMC Network Group object.PNG" style="width: 626px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/68424iD61D2E13DF6F57FE/image-size/large?v=v2&amp;px=999" role="button" title="FMC Network Group object.PNG" alt="FMC Network Group object.PNG" /></span></P> Wed, 04 Mar 2020 11:41:22 GMT Marvin Rhoads 2020-03-04T11:41:22Z https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4039985#M1067287 <P>Hello together,</P><P>&nbsp;</P><P>does anyone know if it is possible to negate an object or network in the policies?</P><P>&nbsp;</P><P>Unfortunately I have not found anything for this.</P><P>I wanted to create a rule for Internet Access (allow any to "not RFC1918" http and https) just as an example.</P><P>&nbsp;</P><P>Anyone have an idea or is this not possible in the FMC?</P> Wed, 04 Mar 2020 09:07:05 GMT https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4039985#M1067287 marco.iacono 2020-03-04T09:07:05Z https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040009#M1067291 You'd have to use two entries. First entry would to block http and https to RFC 1918 network object. Second entry to permit http and https to any destination. Rules are processed from top down with rule processing stopping after first matched entry (with action other than monitor). Wed, 04 Mar 2020 09:34:18 GMT https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040009#M1067291 Marvin Rhoads 2020-03-04T09:34:18Z https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040031#M1067297 <P>Hi,</P><P>&nbsp; &nbsp;&nbsp;</P><P>&nbsp; &nbsp; &nbsp;Yes you can, by using the excluded list in your network object definition.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Wed, 04 Mar 2020 10:00:13 GMT https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040031#M1067297 Cristian Matei 2020-03-04T10:00:13Z https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040080#M1067300 <P>Hi Cristian,</P> <P>Can you explain in more detail how to use an excluded list in a network object or object group definition? I don't see that option in my FMC running 6.5.0.2.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FMC Network Group object.PNG" style="width: 626px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/68424iD61D2E13DF6F57FE/image-size/large?v=v2&amp;px=999" role="button" title="FMC Network Group object.PNG" alt="FMC Network Group object.PNG" /></span></P> Wed, 04 Mar 2020 11:41:22 GMT https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040080#M1067300 Marvin Rhoads 2020-03-04T11:41:22Z https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040115#M1067309 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp;I meant "network variables". So you define a new network variable set, you include the networks and exclude the specific ranges. You than select in your access-control policy rule the newly defined variable set, from inspection tab. Although the variable set is used for intrusion policies, in the end you attach the intrusion policy to your access-control policy rules. There are some restrictions, read carefully in the Configuration Guide, in the Managing Reusable Objects section, Variable Sets.</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P><P>&nbsp;</P> Wed, 04 Mar 2020 12:47:06 GMT https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040115#M1067309 Cristian Matei 2020-03-04T12:47:06Z https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040423#M1067350 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/295226">@Cristian Matei</a> would excluding the objects from inspection by the IPS policy have the effect of blocking the connections in the associated Access Control Policy rule?</P> <P>I would have thought the effect would be to exempt the excluded network(s) from IPS inspection once the associated rule action was determined - but not blocking the TCP connections in the first place.</P> Wed, 04 Mar 2020 19:49:40 GMT https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040423#M1067350 Marvin Rhoads 2020-03-04T19:49:40Z https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040453#M1067352 <P>Hi,</P><P>&nbsp;</P><P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>&nbsp;Yes Marvin, that is correct, i read the first questions "which says policies" and i replied, thinking IPS policies. If he needs to "negate networks" for ACP, he actually needs multiple ACP rules; if he needs to "negate networks" for IPS, he needs variable set.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Wed, 04 Mar 2020 20:43:52 GMT https://community.cisco.com/t5/network-security/cisco-firepower-management-center-negate-object-network/m-p/4040453#M1067352 Cristian Matei 2020-03-04T20:43:52Z