so I managed to get it working by specifying "log" in policy statements, but realise that the denies were not logged. I understand that there is an implicit deny but believe I need to add a global deny policy to do logging. I am just wondering if this functions like a normal policy and will block any traffic not allowed in other rules?