Typical guest networks block access to all RFC1918 address space (assuming your internal network uses it); other networks can be added as needed. The easiest way to accomplish this is to set up a netdestination for all those ranges, then set a policy to deny access to them. For example:
netdestination internal-networks
  network 10.0.0.0 255.0.0.0
  network 192.168.0.0 255.255.0.0
  network 172.16.0.0 255.240.0.0
  <Add any others you want>
Then, within the policy of your choice, above your ESI redirect rule, add the following:
user alias internal-networks any deny
You may have to add an entry for the UTM; if you do, then add the following ahead of the deny rule (depending on what you are redirecting).
user host x.x.x.x svc-http permit
user host x.x.x.x svc-https permit
You can also use a similar netdestination option:
netdestination utm-appliance
  host x.x.x.x
user alias utm-appliance svc-http permit
user alias utm-appliance svc-https permit
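To check the rule ordering described above before pushing it to a controller, the following added example (not part of the original post, and not Aruba code) models the policy as a top-down, first-match list in Python. The UTM address 10.20.30.40 is a constructed stand-in for x.x.x.x, and the trailing permit-any rule is an assumption standing in for the rest of the guest policy.

```python
import ipaddress

# netdestination internal-networks, written as address/netmask as in the post
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/255.0.0.0", "192.168.0.0/255.255.0.0", "172.16.0.0/255.240.0.0")]
UTM = ipaddress.ip_address("10.20.30.40")  # constructed stand-in for x.x.x.x
SVC = {"svc-http": 80, "svc-https": 443, "any": None}

# Rules are (destination alias, service, action); the first match wins.
PERMIT_UTM = [("utm-appliance", "svc-http", "permit"),
              ("utm-appliance", "svc-https", "permit")]
DENY_INTERNAL = [("internal-networks", "any", "deny")]
REST = [("any", "any", "permit")]  # assumption: remainder of the guest policy

GOOD_ORDER = PERMIT_UTM + DENY_INTERNAL + REST  # permits ahead of the deny
BAD_ORDER = DENY_INTERNAL + PERMIT_UTM + REST   # deny shadows the UTM permits


def dest_matches(alias, ip):
    """True if ip belongs to the named destination alias."""
    if alias == "utm-appliance":
        return ip == UTM
    if alias == "internal-networks":
        return any(ip in net for net in INTERNAL)
    return True  # "any"


def evaluate(rules, dst, port):
    """Return the action of the first rule matching (dst, port)."""
    ip = ipaddress.ip_address(dst)
    for alias, svc, action in rules:
        if dest_matches(alias, ip) and SVC[svc] in (None, port):
            return action
    return "deny"  # no rule matched


def shadowed_permits(rules):
    """Permit rules for the UTM that an earlier rule prevents from ever matching."""
    return [(alias, svc) for alias, svc, action in rules
            if action == "permit" and alias == "utm-appliance"
            and evaluate(rules, str(UTM), SVC[svc]) != "permit"]


if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, "shadowed:", shadowed_permits(rules))
```
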