Hi Matt,
As you have already tried, it works with prefix-list as well. I suggested trying source-address instead of prefix-list to help you understand it better. Your understanding of the keyword except is also correct; you just also need to define the address set from which you would like to invert the selection of IPs.
Please read through the examples at https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-stateless-match-conditions-address-fields.html#jd0e218 for further understanding. When you just mention the prefix-list, all other addresses implicitly do not match this condition.
Instead of using except and discard in combination, the config below serves the same purpose:
set interfaces lo0 unit 0 family inet filter input MGMT
set policy-options prefix-list MGMT_Net x.x.x.x/24
set policy-options prefix-list MGMT_Net x.x.x.x/24
set firewall family inet filter MGMT term T1 from source-prefix-list MGMT_Net
set firewall family inet filter MGMT term T1 then accept
set firewall family inet filter MGMT term T2 from destination-port ssh
set firewall family inet filter MGMT term T2 from destination-port https
set firewall family inet filter MGMT term T2 from destination-port telnet
set firewall family inet filter MGMT term T2 from destination-port http
set firewall family inet filter MGMT term T2 then discard
set firewall family inet filter MGMT term accept_everything_else then accept
T1 allows all traffic for the selected prefix list; for the rest of the IPs, T2 will block the ports mentioned, and accept_everything_else accepts the rest of the traffic for all the IPs.
Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
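
The term ordering described in the reply above, modelled as an added example (not part of the original post and not Juniper code): a small Python evaluator for the MGMT filter that applies first-match semantics to constructed packets. The 192.0.2.0/24 and 198.51.100.0/24 prefixes are constructed stand-ins for the redacted x.x.x.x/24 entries, and the model ignores protocol because the posted terms do not match on it.

```python
import ipaddress

# Constructed stand-ins for the redacted x.x.x.x/24 entries in MGMT_Net.
MGMT_NET = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]
PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}

# Terms in configured order: (name, match conditions, action).
FILTER_MGMT = [
    ("T1", {"source-prefix-list": MGMT_NET}, "accept"),
    ("T2", {"destination-port": ["ssh", "https", "telnet", "http"]}, "discard"),
    ("accept_everything_else", {}, "accept"),
]

def term_matches(conditions, src, dport):
    """Different conditions in a term are ANDed; values within one are ORed."""
    for key, values in conditions.items():
        if key == "source-prefix-list":
            if not any(ipaddress.ip_address(src) in net for net in values):
                return False
        elif key == "destination-port":
            if dport not in {PORTS[name] for name in values}:
                return False
        else:
            raise ValueError(f"unmodelled match condition: {key}")
    return True  # a term with no 'from' matches every packet

def evaluate(src, dport, terms=FILTER_MGMT):
    """Return (term, action) of the first matching term, as the filter does."""
    for name, conditions, action in terms:
        if term_matches(conditions, src, dport):
            return name, action
    return "implicit", "discard"  # no term matched: default discard

if __name__ == "__main__":
    # Constructed sample packets: (source address, destination port).
    for src, dport in [("192.0.2.10", 22), ("203.0.113.5", 22),
                       ("203.0.113.5", 179), ("198.51.100.7", 443)]:
        print(src, dport, evaluate(src, dport))
```

Passing FILTER_MGMT[:2] as terms shows why the final term matters on lo0: without it, traffic from outside MGMT_Net to any other port falls through to the implicit discard.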