Negate Rules function does not match the description
Originally the automatic Negate Network rules were intended to negate policy routing for locally connected subnets and VPN connected subnets.
Some time ago that appears to have changed to only VPN connected subnets. Probably here:
However the description of that function in the docs refers to both.
In a Multi-WAN configuration traffic for directly connected networks and VPN networks typically must still flow properly when using policy routing. The firewall will insert rules to pass this local and VPN traffic without a gateway specified, to maintain connectivity.
Rules are added automatically to negate policy routing for traffic destined to remote VPN subnets, but they do not always have the intended effect.
The actual intended function of those rules needs clarification and the docs updated to match that.
No data to display