Forum Discussion

aj11
Aug 03, 2017

How do I block (packet filtering?) all external IPs?

We have a BIG-IP (F5) unit set up at a backup site. We want to lock this unit down so that no public access is allowed while not in use, and any external scans won't even know there is anything there until it is opened. So far, all the Virtual IPs get disabled, but we want to prevent anything from getting even that far. I suppose high-level packet filtering is what I want, blocking everything but management and internal IPs for the developers to work on the internal systems and within BIG-IP, and allowing access to reopen everything once this backup site becomes active. What is the simplest/best approach to accomplish this?


8 Replies

  • Jeff_Maddox_394
    Historic F5 Account

    The default behavior for disabled virtual servers is to send a RST to a SYN. If you are looking for a passive drop behavior, then a packet filter rule with the action set to "discard" would do the trick.


    • aj11

      Thanks. I created a Packet Filter rule to allow an internal subnet (First) and tried to create another rule (Last) to drop (Action: "discard") everything else where the instructions in the doc linked below say to "Enter Expression Text" with nothing in the text field, which apparently means everything (?), and I got the following error:


      01070087:3: Packet filter rule '/Common/TestRule1': rule matches all traffic and action is not "continue"


      https://support.f5.com/content/kb/en-us/products/big-ip_ltm/manuals/product/bigip-datacenter-firewall-config-11-1-0/_jcr_content/pdfAttach/download/file.res/BIG-IP%C2%AE_Data_Center_Firewall_Configuration_Guide.pdf


      Why should the rule be set to "continue" rather than "discard"?


    • aj11

      So I got it to accept 2 rules I put in, where I had to add an actual expression to the "Enter Expression Text" field, but I have not yet enabled packet filtering. The instructions on that page I linked basically just say to select that checkbox and that's it.


      What I have so far, Jeff, and please correct me if this is wrong, is the following: Rule 1 (First): Allow ("Accept") the management networks (i.e. ( src net 192.168.1.0/24 ) and ( dst net 0.0.0.0/0 )) on all VLANs. Rule 2 (Last): Deny ("Discard") everything else (i.e. ( src net 0.0.0.0/0 ) and ( dst net 0.0.0.0/0 )) on all VLANs.


      Will this accomplish what I'm looking for?
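The two-rule ordering described in this post, as an added simulation that is not part of the thread or of any F5 software: it parses the `( src net A ) and ( dst net B )` expressions quoted above, evaluates rules first-match with "continue" as the only non-final action, and reproduces the `01070087:3` rejection of an empty (match-all) expression whose action is not "continue". Only `and`-joined `src net`/`dst net` terms are supported; that subset, the rule names and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed rules mirroring the post: allow the management subnet first,
# then discard everything else. Order matters: evaluation is first-match.
RULES = [
    {"name": "AllowMgmt", "action": "accept",
     "expr": "( src net 192.168.1.0/24 ) and ( dst net 0.0.0.0/0 )"},
    {"name": "DenyAll", "action": "discard",
     "expr": "( src net 0.0.0.0/0 ) and ( dst net 0.0.0.0/0 )"},
]

# Assumed grammar subset: "( src|dst net CIDR )" terms joined by "and".
TERM = re.compile(r"\(\s*(src|dst)\s+net\s+(\S+?)\s*\)")


def parse_expr(expr):
    """Return [(field, network), ...]; an empty expression yields [] (matches all)."""
    if re.search(r"\b(or|not)\b", expr):
        raise ValueError(f"only 'and'-joined terms are supported: {expr!r}")
    terms = TERM.findall(expr)
    if expr.strip() and not terms:
        raise ValueError(f"unsupported expression: {expr!r}")
    return [(field, ipaddress.ip_network(net)) for field, net in terms]


def validate_rule(rule):
    """Reproduce the check seen in the thread: an empty expression matches all
    traffic, and such a rule is only accepted when its action is 'continue'."""
    if not rule["expr"].strip() and rule["action"] != "continue":
        raise ValueError(f"01070087:3: Packet filter rule '{rule['name']}': "
                         "rule matches all traffic and action is not \"continue\"")


def evaluate(rules, src, dst):
    """First-match walk: 'continue' moves to the next rule, any other action
    is final. Traffic matching no rule is reported as 'unhandled'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        terms = parse_expr(rule["expr"])
        hit = all((src_ip if f == "src" else dst_ip) in net for f, net in terms)
        if hit and rule["action"] != "continue":
            return rule["name"], rule["action"]
    return None, "unhandled"


if __name__ == "__main__":
    for rule in RULES:
        validate_rule(rule)
    print(evaluate(RULES, "192.168.1.10", "10.0.0.5"))   # management: accept
    print(evaluate(RULES, "203.0.113.7", "10.0.0.5"))    # anything else: discard
```

Swapping the two rules puts the catch-all first and discards the management traffic as well, which is why the post pins Rule 1 as First and Rule 2 as Last.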


    • Jeff_Maddox_394
      Historic F5 Account

      Anything that does not match the first rule should hit the second rule, which is basically the same as unhandled traffic. You can verify in the var/log/pktfilter file. Make sure you have console access when you test. There may be variables that I am not aware of in your setup.