Perttu
Enthusiast

@ggovek and @LukaszDziwisz 

I think you both should use scopes in these rules.

First create a policy with VDI VM scope. The scope applies firewall rules under the policy to VDI VMs only. Use a segment or a VM name prefix as a filter for the group used in scoping. This policy is meant exclusively for egress traffic for the VDI VM filters.

Under this first policy just add one/two rules. Two for a blacklist or one for a whitelist. I'll use a blacklist as an example.

  1. For group X allow RDP to destination servers Y. (This can also be applied to only direction OUT here.)
  2. For everyone else (source: any) deny everything to servers Y. (Same.)

Then create a second policy with server VM scope. You can use group servers Y as a scope here. This policy is meant exclusively for ingress traffic for the server VM filters.

  1. For VDI VMs (use the same group here as a source that you used to scope the first policy) allow RDP to any/or destination servers Y. (This can be applied to only direction IN.)
  2. For everyone else deny RDP to servers Y, if you want only RDP connections from the direction of VDI VMs; otherwise something else.

With the help of scope you can divide the DFW into different sets of rules, which is quite helpful in the IDFW case.  
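A small model of the two scoped policies above, added here as an illustration and not the poster's own configuration or NSX code. Group membership, VM names and the first-match evaluation are constructed assumptions; it shows why scoping matters: a flow must be allowed by the source VM's OUT filter and the destination VM's IN filter, and a policy whose scope does not include a VM never appears on that VM's filter at all.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard for source, destination or service

@dataclass
class Rule:
    src: str        # group name or ANY
    dst: str        # group name or ANY
    service: str    # e.g. "RDP", or ANY
    action: str     # "allow" or "deny"
    direction: str  # "IN", "OUT" or "IN_OUT"

@dataclass
class Policy:
    scope: str      # group whose vNIC filters receive this policy's rules
    rules: list

# Constructed sample group membership (assumption, not from the post).
GROUPS = {"vdi-vms": {"vdi-01", "vdi-02"}, "servers-y": {"srv-y-01"},
          "other-vms": {"jumpbox-01"}}

def member(vm, group):
    return group == ANY or vm in GROUPS.get(group, set())

def evaluate(filter_vm, direction, src_vm, dst_vm, service, policies, default="allow"):
    """Rules applied to filter_vm's vNIC, in order; first match wins, else default."""
    for pol in policies:
        if not member(filter_vm, pol.scope):
            continue  # scope keeps this policy off the VM's filter entirely
        for r in pol.rules:
            if r.direction not in (direction, "IN_OUT"):
                continue
            if member(src_vm, r.src) and member(dst_vm, r.dst) and r.service in (service, ANY):
                return r.action
    return default

def flow_allowed(src_vm, dst_vm, service, policies):
    """A flow must pass the source VM's OUT filter and the destination VM's IN filter."""
    return (evaluate(src_vm, "OUT", src_vm, dst_vm, service, policies) == "allow"
            and evaluate(dst_vm, "IN", src_vm, dst_vm, service, policies) == "allow")

# Policy 1 (scope: VDI VMs, egress), the blacklist variant from the post.
VDI_EGRESS = Policy("vdi-vms", [Rule("vdi-vms", "servers-y", "RDP", "allow", "OUT"),
                                Rule(ANY, "servers-y", ANY, "deny", "OUT")])
# Policy 2 (scope: servers Y, ingress).
SERVER_INGRESS = Policy("servers-y", [Rule("vdi-vms", "servers-y", "RDP", "allow", "IN"),
                                      Rule(ANY, "servers-y", "RDP", "deny", "IN")])
POLICIES = [VDI_EGRESS, SERVER_INGRESS]
```

Running `flow_allowed("jumpbox-01", "srv-y-01", "RDP", POLICIES)` shows the non-VDI VM is not touched by policy 1 on egress but is still denied by policy 2 on the server's ingress filter.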
