I need to be able to block everyone from accessing xx.xx.229.49 (internal ip)
but I need a few people to be able to access it internally.
How do I go about doing this?
First you need to block access to xx.xx.229.49 (internal ip) by going to the "firewall". Then create a group policy in the "Network Wide" tab and select "group policies". In this policy set an allow to xx.xx.229.49 (internal ip). Test it.
Does all your traffic hit the MX before being able to go to that IP's subnet?
If it is, you probably really need a switch (with L3 if you've got multiple subnets). MXes aren't routers.
If not, then the outbound rules on the firewall won't help you here. If your traffic is on the same subnet, or if routing between subnets is handled by a proper L3 device, then it won't hit your MX's rules.
You'll need to set up an ACL on the appropriate switch(es) in order to a) first allow your wanted traffic, then b) issue a blanket deny to that IP.
You can use the MX firewall for inter-vlan firewalling too if it's the L3 device routing between subnets.
Basically you set up a rule that blocks all access to the IP address in the L3 firewall settings in Firewall & SD-WAN > Firewall.
And then you indeed define a group policy in Network-Wide > Group Policies that has specific L3 firewall rules for that special group of people and assign it to them. Keep in mind that this will only work if the destination IP address you're blocking access to is on a different subnet than the source subnet the clients are on.
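An added example (not from any poster in this thread) that models the two points made above: the first-match ordering of the ACL or L3 rule list ("allow first, then blanket deny") and the caveat that same-subnet traffic never reaches the L3 device's rules. All addresses and subnets are constructed placeholders standing in for the xx.xx.229.49 host and the clients' VLANs.

```python
import ipaddress

# Constructed rule list in the order the posts recommend: the specific allow
# for the "few people" first, then a blanket deny to the protected host.
# Evaluation is first-match-wins, like a switch ACL or the MX L3 rule list.
PROTECTED_HOST = "10.0.229.49/32"        # placeholder for xx.xx.229.49
RULES = [
    # (policy, source CIDR, destination CIDR)
    ("allow", "10.0.10.0/24", PROTECTED_HOST),   # VLAN of the allowed users
    ("deny",  "0.0.0.0/0",    PROTECTED_HOST),   # everyone else
]

# Constructed subnets routed by the L3 device (MX or L3 switch).
SUBNETS = ["10.0.10.0/24", "10.0.20.0/24", "10.0.229.0/24"]


def evaluate(rules, src, dst):
    """Return the policy of the first rule matching src -> dst.

    Falls through to 'allow', mirroring the default allow-any rule at the
    bottom of the MX outbound L3 list (assumption: the list ends there).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return policy
    return "allow"


def crosses_subnets(src, dst, subnets):
    """True only if src and dst sit in different subnets.

    Same-subnet traffic is switched at L2 and never hits the L3 rules,
    which is the caveat raised in the thread.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in n and d in n for n in map(ipaddress.ip_network, subnets))


def decide(rules, subnets, src, dst):
    """Decision the L3 device would make for one flow, or note that it never sees it."""
    if not crosses_subnets(src, dst, subnets):
        return "not filtered (same subnet)"
    return evaluate(rules, src, dst)
```

Reversing RULES shows why the order matters: the blanket deny then matches the allowed VLAN first and blocks it.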
If the special group of people is on its own VLAN you could use the regular firewall. Just add another rule with the source subnet set.
True fact, but I thought one was discouraged from using MX as the router itself.