Do you have a firewall license on the controller? If yes, then:
- create a destination "gateway" and put the gateway IP address in it.
- create a destination "local" and put the local subnet in it.
- on the guest authenticated role ACL, define:
* - * - icmp/dns/dhcp - allow
* - gateway - * - allow
* - local - * - block
* - * - http/https - allow
If you don't have a firewall license on the controller, put the guest gateway on a firewall box (e.g. FortiGate) and configure the ACL from there.
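Rule order is the whole point of the list above: the gateway allow must come before the local-subnet block (the gateway lives inside that subnet), and the local-subnet block must come before the catch-all http/https allow, or guests can reach web servers on the LAN. The following first-match evaluator, written here to illustrate that dependency and not taken from the post or from any controller vendor's code, walks the four rules in order against constructed traffic. The addressing (192.168.100.1 as gateway, 192.168.100.0/24 as the local subnet, 203.0.113.10 as an Internet host) and the service-to-port mapping are assumptions for the example; real controllers implement DHCP and DNS aliases with more ports and an implicit deny at the end, which this evaluator also models.

```python
import ipaddress

# Constructed destination aliases (assumed addressing, not from the original post).
DESTINATIONS = {
    "any": [ipaddress.ip_network("0.0.0.0/0")],
    "gateway": [ipaddress.ip_network("192.168.100.1/32")],
    "local": [ipaddress.ip_network("192.168.100.0/24")],
}

# Simplified service aliases: (protocol, destination port). None = any port.
SERVICES = {
    "icmp": ("icmp", None),
    "dns": ("udp", 53),
    "dhcp": ("udp", 67),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
}

# The guest ACL from the post, as (source, destination, services, action),
# evaluated top to bottom with first match winning.
GUEST_ACL = [
    ("any", "any", ("icmp", "dns", "dhcp"), "allow"),
    ("any", "gateway", ("any",), "allow"),
    ("any", "local", ("any",), "block"),
    ("any", "any", ("http", "https"), "allow"),
]

# Same rules with the gateway allow and the local block swapped, to show
# why the order in the post matters.
MISORDERED_ACL = [GUEST_ACL[0], GUEST_ACL[2], GUEST_ACL[1], GUEST_ACL[3]]


def _dest_matches(alias, ip):
    """True if ip falls inside any network of the named destination alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DESTINATIONS[alias])


def _service_matches(aliases, proto, dport):
    """True if the packet's protocol/port matches any listed service alias."""
    for name in aliases:
        if name == "any":
            return True
        sproto, sport = SERVICES[name]
        if sproto == proto and (sport is None or sport == dport):
            return True
    return False


def evaluate(acl, src_ip, dst_ip, proto, dport=None):
    """Return (action, rule_number) for the first matching rule.

    Falls through to ("block", None), the implicit deny at the end of
    every session ACL.
    """
    for number, (src, dst, services, action) in enumerate(acl, start=1):
        if (_dest_matches(src, src_ip)
                and _dest_matches(dst, dst_ip)
                and _service_matches(services, proto, dport)):
            return action, number
    return "block", None


if __name__ == "__main__":
    guest = "192.168.100.23"
    cases = [
        ("DNS to gateway", guest, "192.168.100.1", "udp", 53),
        ("DHCP broadcast", guest, "255.255.255.255", "udp", 67),
        ("HTTP to gateway", guest, "192.168.100.1", "tcp", 80),
        ("HTTP to LAN host", guest, "192.168.100.50", "tcp", 80),
        ("HTTPS to Internet", guest, "203.0.113.10", "tcp", 443),
        ("SSH to Internet", guest, "203.0.113.10", "tcp", 22),
    ]
    for label, *pkt in cases:
        print(f"{label:18s} ordered={evaluate(GUEST_ACL, *pkt)} "
              f"misordered={evaluate(MISORDERED_ACL, *pkt)}")
```

Running it shows HTTP to the gateway allowed by rule 2 under the post's order but blocked by the local rule once the two are swapped, while LAN hosts stay blocked and anything not listed (SSH out, for instance) hits the implicit deny.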