It goes out to the internet. The public DNS gives the public IP. When it comes back to the server, it goes through a firewall and gets NATed to an internal IP address. In policies, I have all internal networks denied, but allow the IP addresses through before the denies. Do I have to set a static route on the controller to say that the source be the public IP to the destination of internal IP?