
Nsa 3650 and access rules

Hi, I have a doubt about Access rules on our SonicWall cluster: I basically want to block all LAN>WAN traffic and make explicit allow rules for each internal network to be "whitelisted". This is the scenario:

  • The routing of internal networks is performed by core switches, and we have a "transport" network between them and the firewalls. The "transport" sub-interface dedicated to this is in the LAN zone.
  • In the access list "LAN>WAN" I performed the following operations:
    • Created a "Deny all" rule with priority 263 (the bottom one) that basically blocks everything.
    • Created specific rules (one for each network) that allow the LAN>WAN traffic, changing the source network objects to the appropriate ones.

This should be very simple, but I see that if I disable a specific allow rule for a network (and theoretically the traffic would then fall under the "Deny all" rule), the traffic still flows; but if I enable the rule and change the action from "allow" to "deny", the traffic is effectively blocked.

Example: if I take the network "INT_SERVER", dedicated to our virtual servers, and disable the corresponding allow rule, they can still reach the internet, but if I change the rule to "block", traffic is effectively blocked.

It seems that somehow the final "Deny all" rule is ignored, and only creating a specific deny rule for each network achieves what I'm looking for.

Any tips on this?

Thank you!

Category: Mid Range Firewalls

Best Answer

  • BWCBWC (accepted answer)

    @FEDEL did you list all (custom & default) rules for LAN to WAN and make sure that your deny rule is really where it is meant to be?

    Usually I disable all automatic rules in the zone configuration, which means an implicit drop for not explicitly allowed traffic.

    You also should check LAN to ANY, just in case.

    —Michael@BWC
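An added illustration of the first-match behaviour Michael is pointing at, not code from this thread or from SonicWall: a disabled allow rule is simply skipped, so the packet keeps walking down the list and is caught by whatever enabled rule comes next. The rule names, the 10.10.20.0/24 network standing in for INT_SERVER, and the automatically added allow rule sitting above the custom "Deny all" are assumptions used to reproduce the symptom.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src: str          # source network in CIDR notation, or "any"
    action: str       # "allow" or "deny"
    enabled: bool = True


def decision(rules, src_ip):
    """First-match evaluation: the first *enabled* rule whose source matches
    wins. A disabled rule is skipped, so it never denies anything. If no rule
    matches at all, the zone's implicit drop applies."""
    addr = ip_address(src_ip)
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.src == "any" or addr in ip_network(rule.src):
            return rule.name, rule.action
    return "implicit drop", "deny"


# Constructed sample policy; 10.10.20.0/24 stands in for INT_SERVER.
INT_SERVER = "10.10.20.0/24"


def lan_to_wan(int_server_enabled=True, int_server_action="allow",
               auto_rule_enabled=True):
    """Hypothetical LAN>WAN list in priority order, top to bottom."""
    return [
        Rule("Allow INT_SERVER", INT_SERVER, int_server_action, int_server_enabled),
        # Assumed auto-added zone rule that was never removed; it sits above
        # the custom deny, so anything the specific rules miss lands here.
        Rule("Auto LAN>WAN allow", "any", "allow", auto_rule_enabled),
        Rule("Deny all", "any", "deny"),
    ]


if __name__ == "__main__":
    host = "10.10.20.5"
    print(decision(lan_to_wan(), host))                           # specific allow
    print(decision(lan_to_wan(int_server_enabled=False), host))  # auto rule, still allowed
    print(decision(lan_to_wan(int_server_action="deny"), host))  # explicit deny wins
    print(decision(lan_to_wan(int_server_enabled=False,
                              auto_rule_enabled=False), host))   # now "Deny all" catches it
```

With the automatic rule disabled (or removed) the disabled specific rule falls through to "Deny all" as the poster expected, and with no matching rule at all the implicit drop applies.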
