Let's say you have three DMZ networks on Firewall-1, and you create three network objects corresponding to these three networks:
10.10.10.0
10.10.11.0
10.10.12.0

You then create a group named DMZ-Networks and create a rule that says when the Source is NOT DMZ-Networks (i.e., Negate DMZ-Networks), and the target is the Firewall-1 object, then send an alert. The intent was to find any packet from an external address that targets the firewall.
What I'm finding is that any broadcast from any machine in a DMZ network is triggering the alert. Firewall-1 does not see a broadcast originating from a machine in a DMZ Network as being from that network? How would you modify the rule above so that broadcasts coming from inside the DMZ don't trigger the Negate source condition?
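The following is an added example, not part of the original post and not FireWall-1 code: a small Python model of a first-match rule base with a negated source group, used to reason about which sources the rule above can and cannot catch, and to show the usual fix of placing a quieter rule above the alerting one. The three DMZ networks are the ones from the post; the /24 masks, the firewall interface addresses, the sample packets, and the idea that the offending broadcasts might carry the unspecified source 0.0.0.0 (as a DHCP DISCOVER does) are assumptions made for illustration, not facts from the post.

```python
"""Model of a FireWall-1 style rule base with a negated source group.

Added example, not from the original post. Masks, firewall addresses,
sample traffic and the 0.0.0.0 (DHCP) hypothesis are all assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import ipaddress

IPv4 = ipaddress.IPv4Address

# Network objects from the question (the /24 masks are assumed).
DMZ_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24")]

# Hypothetical Firewall-1 object: one interface per DMZ plus an external one.
FIREWALL_ADDRS = {ipaddress.ip_address(a) for a in
                  ("10.10.10.1", "10.10.11.1", "10.10.12.1", "203.0.113.1")}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
# Host object for the unspecified source a DHCP DISCOVER carries (assumed cause).
UNSPECIFIED_SRC = [ipaddress.ip_network("0.0.0.0/32")]


def in_group(addr: IPv4, networks) -> bool:
    return any(addr in n for n in networks)


def is_broadcast(dst: IPv4) -> bool:
    return dst == LIMITED_BROADCAST or any(dst == n.broadcast_address for n in DMZ_NETWORKS)


def targets_firewall(dst: IPv4) -> bool:
    """Model of 'Destination = Firewall-1'. Assumption: a broadcast that
    arrives on a gateway interface is treated as addressed to the gateway."""
    return dst in FIREWALL_ADDRS or is_broadcast(dst)


@dataclass
class Rule:
    name: str
    src_group: list
    negate_src: bool
    dst_pred: Callable[[IPv4], bool]
    alert: bool

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        # XOR with the negate flag: "Source = NOT group" is true exactly
        # when the source is outside every network in the group.
        src_ok = in_group(src, self.src_group) != self.negate_src
        return src_ok and self.dst_pred(dst)


def first_match(rulebase: List[Rule], src: IPv4, dst: IPv4) -> Optional[Rule]:
    """First-match semantics, as in a FireWall-1 rule base."""
    for rule in rulebase:
        if rule.matches(src, dst):
            return rule
    return None


def alerts(rulebase: List[Rule], src: str, dst: str) -> bool:
    rule = first_match(rulebase, ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return rule is not None and rule.alert


# The rule as described in the question.
ALERT_EXTERNAL_TO_FW = Rule("alert-external-to-fw", DMZ_NETWORKS, True, targets_firewall, True)
ORIGINAL = [ALERT_EXTERNAL_TO_FW]

# Proposed change: a rule above it that swallows broadcasts from inside the
# DMZs (including the assumed 0.0.0.0 DHCP source) without alerting.
# External sources never match it, so directed broadcasts from outside still alert.
MODIFIED = [
    Rule("quiet-dmz-broadcasts", DMZ_NETWORKS + UNSPECIFIED_SRC, False, is_broadcast, False),
    ALERT_EXTERNAL_TO_FW,
]

# Constructed sample traffic (not captured from any real network).
SAMPLES: Dict[str, Tuple[str, str]] = {
    "dmz-host-subnet-bcast":   ("10.10.10.5", "10.10.10.255"),
    "dmz-dhcp-discover":       ("0.0.0.0", "255.255.255.255"),
    "external-to-fw":          ("198.51.100.7", "203.0.113.1"),
    "external-directed-bcast": ("198.51.100.7", "10.10.11.255"),
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Return {sample: (alerts under ORIGINAL, alerts under MODIFIED)}."""
    return {name: (alerts(ORIGINAL, s, d), alerts(MODIFIED, s, d))
            for name, (s, d) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (before, after) in evaluate().items():
        print(f"{name:26s} original={before!s:5s} modified={after}")
```

The model makes two points visible. A broadcast whose source really is a DMZ address never satisfies "NOT DMZ-Networks", so if such broadcasts are alerting, the source field is worth checking in the log (a DHCP DISCOVER, for instance, is sent from 0.0.0.0, which is outside every DMZ object). And because the rule base is evaluated top to bottom, the least intrusive fix is an earlier rule that matches DMZ-sourced broadcasts without alerting, leaving the negated rule intact for anything external.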