Use negative checks

i got a few cases where i got access lists (as in firewall rules etc.) that get changed a lot. Now i want to add some checks that alert me when something is reachable where it should not be.
I got an icinga agent that i can use for the checks (so on a box that is not supposed to be able to access the service) but i’m not sure if there is a reasonable way to set up the check that way … any idea?

There is the negate plugin in the ITL but I never tried it. I heard it should be a bit tricky to use but if you want to give it a try, we’ll be here to help.