1. It says match on anything BUT what you've got in the cell.
A classic use of the rule might be:
Src: h-web_proxy - Dst: NEGATED g-internal_networks - Service: http, https.
This says "the web proxy is allowed to connect to anywhere OTHER THAN our internal networks, on http and https."
2. It just does a reverse of what it would be normally.
i.e.
you create a rule that allows
src = internal net
dst = any
srv = http(negate)
action = accept
Instead of allowing http out to the Internet, it allows everything but http out to the Internet.
It is quite common to see a group defined that contains all of the internal and DMZ networks and then negate that group in the destination column to allow Internet access.
This therefore allows access to anywhere but the networks group.
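Added example, not part of the original answers: a small Python model of how a negated cell is evaluated, applied to the two rules described above. The object names come from the answers; the addresses, port mapping and helper names are assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample objects: names follow the rules quoted above,
# addresses are invented for this example.
NETWORKS = {
    "h-web_proxy": ["10.1.1.10/32"],
    "g-internal_networks": ["10.0.0.0/8", "192.168.0.0/16"],
}
SERVICES = {"http": 80, "https": 443}

@dataclass(frozen=True)
class Cell:
    members: tuple = ()      # empty tuple means "any"
    negated: bool = False

@dataclass(frozen=True)
class Rule:
    src: Cell
    dst: Cell
    svc: Cell

def _match(cell, value_in_members):
    if not cell.members:     # "any" matches everything
        return True
    # A negated cell matches exactly when the value is NOT in the listed objects.
    return value_in_members != cell.negated

def _ip_in(cell, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net)
               for name in cell.members for net in NETWORKS[name])

def _port_in(cell, port):
    return any(SERVICES[name] == port for name in cell.members)

def rule_matches(rule, src, dst, port):
    """True when all three cells match, i.e. the rule's accept would apply."""
    return (_match(rule.src, _ip_in(rule.src, src))
            and _match(rule.dst, _ip_in(rule.dst, dst))
            and _match(rule.svc, _port_in(rule.svc, port)))

# Answer 1: web proxy -> anything BUT the internal networks, on http/https.
PROXY_OUT = Rule(Cell(("h-web_proxy",)),
                 Cell(("g-internal_networks",), negated=True),
                 Cell(("http", "https")))

# Answer 2: internal net -> any, every service EXCEPT http.
NOT_HTTP = Rule(Cell(("g-internal_networks",)), Cell(),
                Cell(("http",), negated=True))
```

With these objects, `rule_matches(NOT_HTTP, "10.2.3.4", "203.0.113.5", 22)` is true: a negated service cell accepts every other port, not only the ones you had in mind, which is worth checking when reviewing a rulebase.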