We've had issues with subnet gateway addresses becoming entries in the user table, effectively bringing down that network segment. So I don't want to aggregate the individual subnets, because I don't feel that I will have protection against something like that happening again. I was thinking of using the netdestination idea to whitelist all our valid networks and deny some specific hosts and subnets on a smaller range. I have an open ticket with support on it, but it's very slow-moving.
Thanks to both of you for the advice!