Looks like my FESX doesn't support ACL sequencing (like a stone-age Cisco) so I'm open for ideas on how to accomplish basic adds to a deny list and moving 'allow ip any any' to the end without interrupting traffic. ~Randy