Hi Adrian4,

My team actually ran into a similar need for this while testing eBGP in routed mode (you can't filter based on source routes learned via eBGP either). The workaround we found was to create a static route for the source network you are trying to create a firewall rule for; we chose to use 0.0.0.0 as the next hop (assuming route recursion, this should send it towards wherever you learn your default route from). You can then disable this route so it has no effect, but the firewall rule will be allowed to be entered.

Here's an example: you want to enter a firewall rule defining source as 192.0.2.0/24, destination any, deny.

1. Enter a static route 192.0.2.0/24 next-hop 0.0.0.0, save, disable that route, save.
2. Enter the firewall rule you desire, save.

Our team's assumption is based on the reading here that sources need to be from the "configured subnets" on the "MX Addressing & VLANs page", and thankfully static routes are included in that validation.

We agree with you that the validation makes no sense honestly; why should any firewall care if you have an extra firewall rule disallowing source addresses that you may or may not own? What does that actually prevent?

Hope this helps anyway.

Also, the group policy option is objectively terrible if you use it to override L3 firewall rules, as any device(s) governed by that firewall ruleset become independent flows when it comes to state tracking of the main L3 firewall rules, effectively making your firewall rules stateless (useless).
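The workaround in the post above, written out as an added Python example (this is not the poster's code and not Meraki's implementation). It models the source validation the post describes (rule sources must fall inside a configured VLAN subnet or a static route, and a disabled static route still counts) and produces the three steps in the order given: create the placeholder route to 0.0.0.0, disable it, then add the deny rule. The payload field names (`name`, `subnet`, `gatewayIp`, `enabled`, `srcCidr`, `policy`, etc.) are assumptions modelled on the Meraki dashboard API's static-route and L3 firewall rule objects; nothing here calls the API, and the sample subnets are constructed.

```python
import ipaddress

# Constructed example: models the MX validation the post describes and the
# three-step workaround (add static route, disable it, add the L3 rule).
# Field names follow the Meraki dashboard API's static-route and
# L3-firewall-rule objects as an ASSUMPTION; nothing here calls the API.

PLACEHOLDER_NEXT_HOP = "0.0.0.0"  # the post's choice of next hop for the dummy route


def known_source_networks(vlan_subnets, static_routes):
    """Networks the dashboard treats as 'configured subnets' for rule sources.

    Assumption taken from the post: both the VLAN subnets on the Addressing &
    VLANs page and static routes count, and a disabled static route still counts.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in vlan_subnets]
    nets += [ipaddress.ip_network(r["subnet"], strict=False) for r in static_routes]
    return nets


def source_is_accepted(src_cidr, vlan_subnets, static_routes):
    """True if the validation, as modelled here, would accept src_cidr."""
    if src_cidr.strip().lower() == "any":
        return True
    src = ipaddress.ip_network(src_cidr, strict=False)
    return any(
        src.version == net.version and src.subnet_of(net)
        for net in known_source_networks(vlan_subnets, static_routes)
    )


def placeholder_static_route(src_cidr, name="fw-source-placeholder"):
    """Static route object for the source network, pointing at 0.0.0.0."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    return {"name": name, "subnet": str(net), "gatewayIp": PLACEHOLDER_NEXT_HOP}


def deny_rule(src_cidr, dest_cidr="Any", comment="deny unowned source"):
    """L3 firewall rule: source src_cidr, destination any, deny."""
    return {
        "comment": comment,
        "policy": "deny",
        "protocol": "any",
        "srcCidr": src_cidr,
        "srcPort": "Any",
        "destCidr": dest_cidr,
        "destPort": "Any",
        "syslogEnabled": False,
    }


def plan_workaround(src_cidr, vlan_subnets, static_routes):
    """Ordered (action, payload) steps to get the deny rule accepted.

    Follows the post's order: create the static route, disable it, then add
    the firewall rule. If the source already validates, only the rule step
    is returned.
    """
    steps = []
    if not source_is_accepted(src_cidr, vlan_subnets, static_routes):
        route = placeholder_static_route(src_cidr)
        steps.append(("create_static_route", route))
        steps.append(("update_static_route", {"subnet": route["subnet"], "enabled": False}))
        static_routes = static_routes + [route]
    steps.append(("add_l3_firewall_rule", deny_rule(src_cidr)))
    # With the (disabled) placeholder in place the source must now validate.
    assert source_is_accepted(src_cidr, vlan_subnets, static_routes)
    return steps


if __name__ == "__main__":
    # Constructed data: one configured VLAN, no static routes, rule source off-net.
    for action, payload in plan_workaround("192.0.2.0/24", ["10.10.0.0/24"], []):
        print(action, payload)
```

The check in `source_is_accepted` is what the post's workaround satisfies: the placeholder route is never used for forwarding once disabled, it only exists so the source prefix is "known" to the validation. If the source is already inside a configured VLAN subnet, `plan_workaround` skips the route steps and just emits the rule.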