Negating when using the Cloud Firewall Service policy


Article ID: 251461


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

As an administrator, I would like to be able to do a "negate" rule in the Cloud Firewall Service (CFS).

Example: Verdict: Block - Protocol/Port: SSH/22 - Destination: ANY - Exception: x.x.x.x

The intended effect of the rule above is to allow SSH to the single excepted address (x.x.x.x) while blocking SSH to every other public site/IP address.

Resolution

The Cloud Firewall Service in Cloud SWG (formerly known as WSS) has no "negate" or "exception" option in its policy rules, so a single rule cannot be written to match everything except a given destination.

To accomplish the same result, you will need to create two CFS policies: a specific Accept rule for the excepted destination, followed by a broad Deny rule for the same service. Rules are matched top-down and the first match wins, so the Accept rule must sit above the Deny rule; if the order is reversed, the Deny rule matches first and the exception never takes effect. Navigate to the Portal > Policy > Cloud Firewall.

  • CFS #1 (the exception, placed first):

    • Source: Groups/Users OR Source IP OR Location
    • Destination: IP/Subnet or Hostname (the excepted destination, x.x.x.x in the example above)
    • Service: SSH/22
    • Verdict: Accept

  • CFS #2 (the catch-all, placed below CFS #1):

    • Source: Any
    • Destination: Any
    • Service: SSH/22
    • Verdict: Deny

    • Note: This policy blocks all SSH/22 traffic that was not accepted by the previous policy, including SSH to the excepted destination from sources that CFS #1 does not cover.
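The following is an added example, not Broadcom's code and not part of the Cloud SWG product: it models the two-policy workaround as a small first-match rule evaluator so the equivalence to the wanted "negate" rule, and the failure when the two policies are in the wrong order, can be checked offline. It assumes top-down, first-match evaluation (the reason CFS #1 must precede CFS #2), uses the documentation address 203.0.113.10 as a constructed stand-in for x.x.x.x, and uses the constructed source subnet 10.0.0.0/8 for the "Source IP" option of CFS #1. Traffic that matches neither policy is returned as None; what the service does with unmatched traffic is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not Broadcom's code). Assumption: policies are evaluated
# top-down and the first matching policy decides the verdict.


@dataclass(frozen=True)
class Rule:
    name: str
    source: Optional[str]               # CIDR string, or None for "Any"
    destination: Optional[str]          # CIDR string, or None for "Any"
    service: Optional[Tuple[str, int]]  # (protocol, port), or None for "Any"
    verdict: str                        # "Accept" or "Deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        if self.source is not None and \
                ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if self.destination is not None and \
                ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
            return False
        if self.service is not None and self.service != (proto, port):
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int):
    """First-match evaluation: (rule name, verdict) of the first matching
    rule, or None when no rule matches (unmatched traffic is not modelled)."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.name, rule.verdict
    return None


EXCEPTION_HOST = "203.0.113.10"   # constructed stand-in for x.x.x.x
INTERNAL_SOURCES = "10.0.0.0/8"   # constructed "Source IP" for CFS #1

# The two policies from the article, in the required order.
NEGATION_WORKAROUND = [
    Rule("CFS #1 allow SSH to exception host", INTERNAL_SOURCES,
         f"{EXCEPTION_HOST}/32", ("tcp", 22), "Accept"),
    Rule("CFS #2 deny all other SSH", None, None, ("tcp", 22), "Deny"),
]


def intended_negated_verdict(src: str, dst: str, proto: str, port: int) -> Optional[str]:
    """The single 'negated' rule the administrator wanted: Block SSH/22 to
    ANY destination except the exception host (for covered sources)."""
    if (proto, port) != ("tcp", 22):
        return None
    in_scope = ipaddress.ip_address(src) in ipaddress.ip_network(INTERNAL_SOURCES)
    return "Accept" if (dst == EXCEPTION_HOST and in_scope) else "Deny"


# Constructed sample flows: (source, destination)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10"),    # covered source -> excepted host
    ("10.0.0.5", "203.0.113.11"),    # covered source -> neighbouring host
    ("10.0.0.5", "198.51.100.7"),    # covered source -> other public host
    ("172.16.0.9", "203.0.113.10"),  # uncovered source -> excepted host
]


def workaround_equals_negation(rules: List[Rule] = NEGATION_WORKAROUND) -> bool:
    """True when the two-policy set gives the same SSH/22 verdict as the
    intended negated rule for every constructed sample flow."""
    for src, dst in SAMPLE_FLOWS:
        result = evaluate(rules, src, dst, "tcp", 22)
        got = result[1] if result else None
        if got != intended_negated_verdict(src, dst, "tcp", 22):
            return False
    return True


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst} ssh/22:", evaluate(NEGATION_WORKAROUND, src, dst, "tcp", 22))
    print("correct order equals negation:", workaround_equals_negation())
    print("reversed order equals negation:",
          workaround_equals_negation(list(reversed(NEGATION_WORKAROUND))))
```

Running the script shows the Accept/Deny split the article describes for the correct order, and that reversing the two policies makes CFS #2 match first, so SSH to the excepted host is denied as well. The same check is useful as a review step whenever a new CFS policy is inserted above an existing exception.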

Additional Information