I have difficulty with ISA because isn't possible associate protocol, source and destination in the same rule. My problem is with this follow case: 1) all_snat_ips allow HTTP to any_internet_dest anytime 2) all_snat_ips allow FTP only-to my_public_ftp_server anytime 3) some_snat_ips allow FTP to any_internet_dest anytime ISA need to match one rule in "protocol rules" and in "site and content rules" to allow the request, so: * Protocol Rules FTP allow anytime applies-to(all_snat_ips) HTTP allow anytime applies-to(all_snat_ips) * Site and content Rules: RuleName = OpenAccess Destinations = All Schedule = Always Action = Allow AppliesTo = all_snat_ips HTTP Content = All content Groups I need an "OpenAccess rule" to grant HTTP to all internet destinations. But so I too permit FTP and I don't like it. The problem is that I can't associate the protocol, source and destination in the same rule and ISA don´t use sequence, only process deny before allow rules. Obs. The client set "some_snat_ips" is part of the client set "all_snat_ips". Any suggestions. Regards, Morvan Daniel Muller morvan@xxxxxxxxxxxxxxx Analista de Suporte - Softplan/Poligraph Sistema da Qualidade Certificado - ISO9001 - BRTUV/INMETRO Fone: 0XX(48)333-0389 Florianópolis - SC