If your rule has Zone A to Zone B specified and IP address source and destination of any, then the traffic will be filtered based on zones only, regardless of IP. Entering an IP address is not required; if you want to filter only on zones, this can be done as long as your source and destination IPs are "any". Typically you assign interfaces to zones, so you need to understand your network topology to understand what traffic is coming through each zone, but when filtering at the zone level IP addresses do not need to be specified.

For example: if I want all of my internal users to access anything in our DMZ and the web, and my DMZ to be able to access the web, I would create 3 zones...

Zone A = Internal Users, multiple subnets and IPs
Zone B = DMZ, multiple subnets and IPs
Zone C = Internet, multiple subnets and IPs

My rule would go something like this:

Name    S. Zone  D. Zone         S. Address  D. Address  Application  Service  Action
Rule 1  Zone A   Zone B, Zone C  Any         Any         Any          Any      Allow
Rule 2  Zone B   Zone C          Any         Any         Any          Any      Allow

No specific IPs need to be listed to put these rules in.
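The zone-only matching described in the post above can be checked with a small first-match evaluator. This is an added example, not code from the post or from any firewall vendor. The subnets are constructed, the subnet lookup in `zone_of` stands in for the interface-to-zone assignment, and the default deny for unmatched traffic is an assumption.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"

# Constructed topology (assumption): subnets reachable behind each zone.
ZONES = {
    "Zone A": ["10.1.0.0/16", "10.2.0.0/16"],        # internal users
    "Zone B": ["172.16.10.0/24", "172.16.20.0/24"],  # DMZ
}
INTERNET = "Zone C"  # every address not listed above

@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    src_addr: str = ANY
    dst_addr: str = ANY
    action: str = "allow"

# The two rules from the post: zones set, addresses left at "any".
RULES = [
    Rule("Rule 1", {"Zone A"}, {"Zone B", "Zone C"}),
    Rule("Rule 2", {"Zone B"}, {"Zone C"}),
]

def zone_of(ip):
    """Hypothetical stand-in for the ingress/egress interface zone lookup."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return INTERNET

def addr_match(spec, ip):
    """An address field of "any" matches every IP; otherwise test the subnet."""
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(src_ip, dst_ip, rules=RULES):
    """First matching rule wins; unmatched traffic hits the assumed default deny."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (sz in r.src_zones and dz in r.dst_zones
                and addr_match(r.src_addr, src_ip)
                and addr_match(r.dst_addr, dst_ip)):
            return r.name, r.action
    return "default", "deny"
```

Traffic in the reverse direction (DMZ or Internet toward Zone A) matches neither rule, and setting `src_addr` to a subnet narrows a rule to part of a zone.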