I am trying to figure out how to apply firewall rules in the best manner. Currently I create group policies which I then apply to a given VLAN, which in turn is tagged in an SSID. There is also the option of just creating the rules directly in the SSID and not assigning the policy in the VLAN.
What is the difference, if any? What happens if both are applied?
Also, if I set some rules in the security appliance firewall (MX84) and then I create policies, will these policies override the firewall rules or add to them? I mean, if I have rules A, B and C in the firewall and then I create a policy with rules D and E, at the end will I have rules A, B, C, D and E, or just rules D and E?
So you can totally apply whatever appropriate firewall policies via the wireless firewall page, which can then be overridden by network-wide group policies. The group policy has the precedence. In any group policy, you can specify if you want the group policy to "follow" the firewall rules, ignore them, or set your own custom rules right in the group policy. That way you can have firewall and traffic shaping rules set on the wireless side, SSID by SSID, as required, but then have group policies that can take precedence if/when needed.
What always comes first is any specific policy you apply to a specific client on their client details page. Then you'll have network-wide policies that can be applied, for example, to SSIDs, which can override (or obey) any default network settings. You can also have multiple policies applied to a client, and you get the combination of both, so if you have firewall rules in one policy and bandwidth limits in the other, the client is subjected to both policies. All of this is covered in the first link below.
For example, try this simple test (I just did it to prove it out): go to your wireless firewall page and create an L7 firewall rule to block something, like web payments for example, and then connect to that SSID and confirm you cannot get to PayPal. Then create a group policy that ignores firewall and traffic shaping rules, apply it to that client, and confirm that the group policy indeed overrides the firewall policy you set on the wireless page and you can now get to PayPal, even though the wireless firewall rules say to block it. Then you can go to your Network Wide > Clients page and drop down the option to only show "all clients with a policy" and you'll see your client; click into the client's details page, and in the policy section click the "details" button, and you'll see the specific rules impacting (or currently overridden for) that specific client, and it even shows where things are being applied: at the global/dashboard level, at the SSID level, or at the security appliance.
On your second example, yes, you can have A/B/C on the MX and D/E as group policies, and D/E can override, or complement, A/B/C rules. Try that also with a similar test like the one described above, and look at the individual client's policy section and click that details button to understand the effects.
Hope that helps! Here are a couple of places for more info:
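A small model of the precedence the answer describes, added here as an illustration and not Meraki's own code or API: a client-specific policy wins over group policies applied to the SSID, which win over the SSID's wireless firewall rules, and a group policy's firewall setting is one of "network default" (follow the SSID rules), "ignore", or "custom". The resolution order and the rule/policy shapes are assumptions drawn from the answer, and the sample rules are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GroupPolicy:
    """One dashboard group policy (simplified, hypothetical shape)."""
    name: str
    firewall_setting: str = "network default"  # or "ignore" / "custom"
    custom_rules: List[dict] = field(default_factory=list)
    bandwidth_limit_kbps: Optional[int] = None


def effective_policy(ssid_rules, policies):
    """Resolve what one client is actually subject to.

    ssid_rules: L7 rules set on the wireless firewall page for the SSID.
    policies:   group policies applied to the client, ordered most specific
                first (client details page) to least specific (SSID level).
    The first policy that does not simply follow the network default decides
    the firewall rules; a bandwidth limit from any applied policy is kept,
    so a firewall-only policy and a bandwidth-only policy combine.
    """
    rules = list(ssid_rules)
    firewall_decided = False
    limit = None
    for p in policies:
        if not firewall_decided and p.firewall_setting != "network default":
            rules = [] if p.firewall_setting == "ignore" else list(p.custom_rules)
            firewall_decided = True
        if limit is None and p.bandwidth_limit_kbps is not None:
            limit = p.bandwidth_limit_kbps
    return {"l7_rules": rules, "bandwidth_limit_kbps": limit}


def is_blocked(result, app):
    """True if any effective L7 rule denies the given application/category."""
    return any(r["policy"] == "deny" and r["value"] == app for r in result["l7_rules"])


# Constructed sample reproducing the test from the answer.
SSID_RULES = [{"policy": "deny", "type": "applicationCategory", "value": "Web payments"}]
IGNORE_FW = GroupPolicy("Ignore firewall", firewall_setting="ignore")
LIMIT_ONLY = GroupPolicy("Guest limit", bandwidth_limit_kbps=5000)

if __name__ == "__main__":
    print(effective_policy(SSID_RULES, []))                      # still blocked
    print(effective_policy(SSID_RULES, [IGNORE_FW, LIMIT_ONLY]))  # unblocked, 5000 kbps
```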