
While setting up a deny policy, I found that it was not working.
After some troubleshooting I found out that, because the rule was for inbound NAT traffic, you have to enable the match-vip option on the policy for the deny to take effect.
```
config firewall policy
    edit <policy-id>
        set match-vip enable
    next
end
```
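The same mistake is easy to repeat across a rule base, so a quick audit helps. The following is an added example, not code from the original post: it parses a constructed, flat FortiOS-style configuration and reports every deny policy whose dstaddr names a VIP but which does not have match-vip enabled. It assumes the simplified layout shown (no nested config blocks, no spaces in object names).

```python
# Constructed sample config, not from a real device.
SAMPLE_CONFIG = """
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
    next
end
config firewall policy
    edit 1
        set dstaddr "web-vip"
        set action deny
    next
    edit 2
        set dstaddr "web-vip"
        set action deny
        set match-vip enable
    next
    edit 3
        set dstaddr "all"
        set action deny
    next
end
"""

def parse_sections(text):
    """Map each top-level 'config' block to {entry_id: {key: value}}."""
    sections, current, entry = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            current = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and current is not None:
            entry = current.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.replace('"', "")  # '"a" "b"' -> 'a b'
        elif line == "next":
            entry = None
    return sections

def deny_policies_missing_match_vip(text):
    """IDs of deny policies that target a VIP without match-vip enable."""
    s = parse_sections(text)
    vips = set(s.get("firewall vip", {}))
    return [pid for pid, p in s.get("firewall policy", {}).items()
            if p.get("action") == "deny"
            and any(a in vips for a in p.get("dstaddr", "").split())
            and p.get("match-vip") != "enable"]
```

Policy 1 is reported; policy 2 has match-vip enabled and policy 3 does not reference a VIP.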