From 19.4, go via 20.4R3 to 21.2R3-S8. ------------------------------ Olivier Benghozi ------------------------------

I have tested the above configuration and it gives me the following error after loading the set: [edit security policies from-zone WORK to-zone LAN] 'policy ALLOW_DNS_1' warning: Destination address or address_set (192.168.10.110/32) not found. Please check if it is a SecProfiling Feed. *from-zone ...

Yes, that looks alright. ------------------------------ Nikolay Semov ------------------------------

Great Nicolay! The above works very well! Thank you for your help. If I was to add another rule for let's say maybe a local DNS server, could I just do something like this: #Set a group to allow access to a local DNS server set groups GROUP_ALLOW_DNS security policies from-zone <*> to-zone <*> ...

Mhmm, yep. ------------------------------ Nikolay Semov ------------------------------

So that means I could put all of the above source nat rules into a simple block like so: ? set security nat source rule-set SOURCE-NAT-TO-WAN from zone [LAN IoT GUEST WORK] set security nat source rule-set SOURCE-NAT-TO-WAN to zone WAN set security nat source rule-set SOURCE-NAT-TO-WAN rule ALLOW_ALL_SOURCE_ADDRESSES ...

Yes, apply-groups GROUP_ALLOW_ALL, but yes, either way is fine. You can even mix the two if you like, though keep in mind that if you have a matching zone-based policy, it will take precedence over global policy. As for NAT, I'm not sure why the difference; I guess if you look at it on its own, it's ...