Firewall block if IP matches this UNLESS it also matched that in 1 rule?

I haven’t had luck finding this question asked or answered anywhere so I figured I might as well start here. I’m looking for a way of processing configuration matches in a single rule.

For example, let's say I have the below config:

set firewall group network-group BLOCKED_NETS network 'X.0.0.0/8'
set firewall group network-group BLOCKED_NETS network 'Y.0.0.0/8'
set firewall group network-group BLOCKED_NETS network 'Z.0.0.0/8'
set firewall group address-group ALLOWED_IPS address 'X.1.1.1'
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 85 action accept
set firewall name WAN_IN rule 85 description 'Allow In IPs'
set firewall name WAN_IN rule 85 source group address-group ALLOWED_IPS
set firewall name WAN_IN rule 90 action drop
set firewall name WAN_IN rule 90 description BAD_NETS
set firewall name WAN_IN rule 90 source group network-group BLOCKED_NETS
set firewall name WAN_IN rule 95 action accept
set firewall name WAN_IN rule 95 description 'Allow in to TCP/80 on ABCD'
set firewall name WAN_IN rule 95 destination address A.B.C.D
set firewall name WAN_IN rule 95 destination port 80
set firewall name WAN_IN rule 95 protocol tcp

The desired effect:
I want to allow access to TCP/80 on ABCD
I want to block a network group of multiple networks
I want to exempt an IP that is included in those multiple networks from being blocked. (X.1.1.1 is an IP within the greater X.0.0.0/8 network)

However, while I mostly accomplish the above, the glaring issue is that the single IP that I'm attempting to exempt from the block rule now has unfettered access to ABCD on any port instead of only on port 80.

Is there some way to accomplish something like:

set firewall name WAN_IN rule 90 action drop
set firewall name WAN_IN rule 90 description BAD_NETS
set firewall name WAN_IN rule 90 source 1 group network-group BLOCKED_NETS
set firewall name WAN_IN rule 90 source 2 group address-group !ALLOWED_IPS

Simply put: block any IP in the BLOCKED_NETS networks unless that IP is in the ALLOWED_IPS group? That would allow the ALLOWED_IPS to not be blocked without giving them a broad allow in. Any ideas?

Try rearranging your rules so that specific allow rules for ALLOWED_IPS are processed before the general block rules for BLOCKED_NETS. This will allow traffic from ALLOWED_IPS destined for a specific server on TCP port 80, making sure only this traffic is permitted while implicitly denying access to other ports.

# Default Action
set firewall name WAN_IN default-action drop

# Allow Specific IP Access to TCP/80 on ABCD
set firewall name WAN_IN rule 85 action accept
set firewall name WAN_IN rule 85 description 'Allow ALLOWED_IPS to TCP/80 on ABCD'
set firewall name WAN_IN rule 85 source group address-group ALLOWED_IPS
set firewall name WAN_IN rule 85 destination address 'A.B.C.D'
set firewall name WAN_IN rule 85 destination port '80'
set firewall name WAN_IN rule 85 protocol 'tcp'

# Allow General Access to TCP/80 on ABCD
set firewall name WAN_IN rule 90 action accept
set firewall name WAN_IN rule 90 description 'Allow general access to TCP/80 on ABCD'
set firewall name WAN_IN rule 90 destination address 'A.B.C.D'
set firewall name WAN_IN rule 90 destination port '80'
set firewall name WAN_IN rule 90 protocol 'tcp'

# Block Traffic from BLOCKED_NETS
set firewall name WAN_IN rule 95 action drop
set firewall name WAN_IN rule 95 description 'Block traffic from BLOCKED_NETS'
set firewall name WAN_IN rule 95 source group network-group BLOCKED_NETS
Rule 90 in your snippet will allow anyone to port 80 regardless of whether they're included in the ALLOWED_IPS group or in BLOCKED_NETS. I could flip 90 and 95 so that we're restricting the access for the allowed IPs group, but then we'd have to double our rule count, having one with the source of ALLOWED_IPS before the BLOCKED_NETS rules and a second one with no source specified after the BLOCKED_NETS rules. It would work but is redundant, so I'm hoping there's a better way.
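The three orderings discussed in this thread (the original post's rules 85/90/95, the reply's reordered set, and the single "block BLOCKED_NETS unless the source is in ALLOWED_IPS" rule the poster is asking for) can be checked offline before touching the router. The Python script below is an added example, not code from the thread or from any firewall vendor: it models the WAN_IN chain as a first-match rule list and runs constructed test packets through each ruleset. The thread's X.0.0.0/8, X.1.1.1 and A.B.C.D placeholders are replaced with RFC 5737 documentation addresses, the "negated" ruleset is a hypothetical predicate used only for comparison (whether a given firewall can express it in one rule, for example via a negated group match, has to be checked against that product's documentation), and stateful established/related handling is ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed sample data (added example, not the poster's configuration):
# RFC 5737 documentation addresses stand in for the thread's placeholders.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
ALLOWED_IPS = [ipaddress.ip_address("203.0.113.10")]  # lies inside BLOCKED_NETS, like X.1.1.1
SERVER = ipaddress.ip_address("192.0.2.10")           # stands in for A.B.C.D


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    match: Callable[[Packet], bool]


def in_blocked(p: Packet) -> bool:
    return any(p.src in net for net in BLOCKED_NETS)


def in_allowed(p: Packet) -> bool:
    return p.src in ALLOWED_IPS


def http_to_server(p: Packet) -> bool:
    return p.proto == "tcp" and p.dst == SERVER and p.dport == 80


def evaluate(rules: list[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation: rules are walked in ascending number order and
    the first matching rule's action is final; nothing matching hits default-action."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.match(pkt):
            return rule.action
    return default


# Ruleset 1: the original post (85 accept ALLOWED_IPS, 90 drop BLOCKED_NETS, 95 accept tcp/80).
ORIGINAL = [
    Rule(85, "accept", in_allowed),
    Rule(90, "drop", in_blocked),
    Rule(95, "accept", http_to_server),
]

# Ruleset 2: the reply (85 ALLOWED_IPS to tcp/80, 90 anyone to tcp/80, 95 drop BLOCKED_NETS).
REORDERED = [
    Rule(85, "accept", lambda p: in_allowed(p) and http_to_server(p)),
    Rule(90, "accept", http_to_server),
    Rule(95, "drop", in_blocked),
]

# Ruleset 3: hypothetical single rule "drop if in BLOCKED_NETS and not in ALLOWED_IPS",
# followed by the unchanged tcp/80 accept. Support for such a rule is product-specific.
NEGATED = [
    Rule(90, "drop", lambda p: in_blocked(p) and not in_allowed(p)),
    Rule(95, "accept", http_to_server),
]

RULESETS = {"original": ORIGINAL, "reordered": REORDERED, "negated": NEGATED}

# Constructed test traffic covering the cases raised in the thread.
CASES = {
    "allowed_ip_http": Packet(ipaddress.ip_address("203.0.113.10"), SERVER, "tcp", 80),
    "allowed_ip_ssh": Packet(ipaddress.ip_address("203.0.113.10"), SERVER, "tcp", 22),
    "blocked_net_http": Packet(ipaddress.ip_address("203.0.113.50"), SERVER, "tcp", 80),
    "other_host_http": Packet(ipaddress.ip_address("192.0.2.77"), SERVER, "tcp", 80),
    "other_host_https": Packet(ipaddress.ip_address("192.0.2.77"), SERVER, "tcp", 443),
}


def verdicts() -> dict[str, dict[str, str]]:
    """Return {ruleset_name: {case_name: action}} for every ruleset/packet combination."""
    return {name: {case: evaluate(rules, pkt) for case, pkt in CASES.items()}
            for name, rules in RULESETS.items()}


if __name__ == "__main__":
    table = verdicts()
    print(f"{'case':18}" + "".join(f"{n:>11}" for n in RULESETS))
    for case in CASES:
        print(f"{case:18}" + "".join(f"{table[n][case]:>11}" for n in RULESETS))
```

Running it prints one row per test packet: the "original" column shows the exempted IP reaching port 22 (the over-broad allow the poster noticed), the "reordered" column shows another host inside BLOCKED_NETS reaching port 80 (the objection to the reply), and only the "negated" column drops both while still admitting the exempted IP on port 80. Whatever ruleset is finally chosen, keeping a table like this next to the configuration makes later rule edits verifiable.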