If I have a policy built like this:
set security policies from-zone untrusted to-zone trusted policy MINE match source-address safe_subnet destination-address my-server application junos-https
set security policies from-zone untrusted to-zone trusted policy MINE then permit
If there are 2 IP#s in safe_subnet that I want to exclude from that, how can I do it?
I have looked at source-address-excluded, but that doesn't provide the capability to subtract from safe_subnet; rather, it becomes "everything minus source-address-excluded".
I have tried using a separate policy like this:
set security policies from-zone untrusted to-zone trusted policy NOT_MINE match source-address bad_servers destination-address my-server application junos-https
set security policies from-zone untrusted to-zone trusted policy NOT_MINE then deny
but when I use "show security match-policies", the result ignores "NOT_MINE".
Help?