
Getting Started with the Illumio Console

What's New in 26.30

Learn about new features in this release.

About all_except

Use all_except to apply a policy to everything in scope while excluding specific items, allowing you to manage rules with minimal effort.

With all_except, a rule applies to every item in scope except the ones you explicitly exclude, so you can manage policies without building long include lists. You define the exceptions, and the system applies the rule to everything else.

The PCE resolves all_except as “universe minus exclusions” and sends the VEN a fully expanded policy. The VEN enforces the resolved result, so the behavior scales with the size of the exclusion set, not the environment. As your environment grows, new workloads or services automatically fall under the “all” side of the rule unless they match your exclusions, reducing routine maintenance.
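The following added example (not Illumio code, and not a description of the PCE's internal algorithm) models "universe minus exclusions" for IP ranges by expanding it into an explicit CIDR list. The function names, the 0.0.0.0/0 universe, and the sample exclusions are assumptions constructed for illustration.

```python
import ipaddress

def resolve_all_except(universe, exclusions):
    """Expand 'universe minus exclusions' into an explicit, sorted CIDR list."""
    remaining = [ipaddress.ip_network(universe)]
    for raw in exclusions:
        excl = ipaddress.ip_network(raw)
        kept = []
        for net in remaining:
            if net.version != excl.version or not net.overlaps(excl):
                kept.append(net)        # exclusion does not touch this block
            elif net.subnet_of(excl):
                continue                # block is wholly excluded
            else:
                # exclusion sits strictly inside the block: split around it
                kept.extend(net.address_exclude(excl))
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def is_covered(address, resolved):
    """True if the resolved CIDR list includes this address."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in resolved)

# Constructed sample exclusions; the second one is redundant (inside 10.0.0.0/8)
EXCLUSIONS = ["10.0.0.0/8", "10.1.0.0/16", "192.168.50.0/24"]
RESOLVED = resolve_all_except("0.0.0.0/0", EXCLUSIONS)

if __name__ == "__main__":
    for net in RESOLVED:
        print(net)
    # An excluded address stays out; a neighbouring range that nobody
    # listed as an exclusion is covered automatically.
    for addr in ("10.1.2.3", "192.168.50.7", "192.168.51.7"):
        print(addr, "covered" if is_covered(addr, RESOLVED) else "excluded")
```

Any address outside the exclusion list resolves as covered, which is the automatic-inheritance behavior described above, so a sensitive range is only shielded once it appears in the exclusions.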

Where You See It in the UI

You’ll see all_except in segmentation rule‑building workflows.

Benefits of all_except

all_except reduces routine maintenance. New workloads or services automatically fall under the “all” portion of the rule without requiring edits unless they match your exclusions.

You can avoid large, complex selection lists and easily create broad policies as your environment grows.

Rely on all_except when you need one rule to cover most of your environment while shielding a small number of workloads or services. It’s also useful when scopes remain stable over time or when label‑driven policies benefit from automatic inheritance.

Typical Use Cases

Use all_except when you want to:

  • Apply a policy to most workloads, excluding a few sensitive systems.

  • Allow automatic inheritance as new workloads adopt labels—no updates needed unless exclusions change.

  • Minimize long include lists and reduce maintenance overhead in fast‑growing environments.

Limitations in Release 26.30

Rule coverage results do not currently reflect policy rules that use "All IPs Except".