Hi Bob, thanks for responding.
I tracked it down to Auto packet filtering being enabled (I thought I had turned that off, but had not), so the first rule is now:
#1: Admin Machine (10.0.1.50) -> ALLOW -> Satellite Locations (group)
#2: Internal Network (10.0.1.0/24) -> DROP -> Satellite Locations (group)
#3: Internal Network (10.0.1.0/24) -> ALLOW -> ANY
This has accomplished what I've been going for -- I wanted one machine on the 10.0.1.0/24 network to be able to connect to the various Satellite Locations' routers/firewalls. Does that seem about right?
For failsafe security, I'm assuming I should set the various Satellite Locations' firewalls to drop 10.0.1.0/24 packets that do not match 10.0.1.50 as well?
Last edited by gravyface; 11-21-2008 at 11:03 PM.
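The rule set in the post above, modelled as an added example (not part of the original post and not the firewall's own code) to check the intended behaviour and to show why rule order matters. It assumes rules are evaluated top to bottom with the first match winning and that unmatched traffic is dropped; the Satellite Locations addresses are constructed placeholders, since the post does not list the group's members.

```python
import ipaddress

# Constructed placeholders for the "Satellite Locations" group (documentation ranges).
SATELLITES = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# The three rules from the post, in the order given: (source, action, destinations).
RULES = [
    ("10.0.1.50/32", "ALLOW", SATELLITES),  # 1: admin machine -> satellites
    ("10.0.1.0/24", "DROP", SATELLITES),    # 2: rest of the LAN -> satellites
    ("10.0.1.0/24", "ALLOW", ANY),          # 3: LAN -> anywhere else
]


def evaluate(rules, src, dst, default="DROP"):
    """Return (rule_number, action) for the first matching rule.

    A rule_number of None means no rule matched and the assumed default applied.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for number, (source, action, dests) in enumerate(rules, 1):
        if s in ipaddress.ip_network(source) and any(d in net for net in dests):
            return number, action
    return None, default


def shadowed(rules):
    """Return numbers of rules that can never match under first-match evaluation,
    because an earlier rule already covers their whole source and destination set."""
    dead = []
    for i, (src_i, _, dests_i) in enumerate(rules):
        net_i = ipaddress.ip_network(src_i)
        for src_j, _, dests_j in rules[:i]:
            net_j = ipaddress.ip_network(src_j)
            covered = all(any(d.subnet_of(e) for e in dests_j) for d in dests_i)
            if net_i.subnet_of(net_j) and covered:
                dead.append(i + 1)
                break
    return dead


if __name__ == "__main__":
    for src, dst in [("10.0.1.50", "192.0.2.1"), ("10.0.1.77", "192.0.2.1"),
                     ("10.0.1.77", "203.0.113.10")]:
        print(src, "->", dst, evaluate(RULES, src, dst))
    # Putting the broad ALLOW first makes both satellite rules unreachable.
    print("shadowed if rule 3 is moved to the top:",
          shadowed([RULES[2], RULES[0], RULES[1]]))
```

Running `shadowed()` over an exported rule list is a quick audit for a broad allow that has drifted above a more specific drop.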