I would recommend that some or all of the default NAT rule options be blank and require setting, in particular the Original Destination when ANY is set/chosen.
I faced the following behaviour and locked myself out of the Firewall GUI... oops. Yes, the firewall is doing exactly as the rule says, but its result is undesired.
1. Create a NAT Rule
2. Change only the Translated Destination to an address, e.g. 172.16.16.17
3. Save the rule..... OOPS, you are now locked out of ALL traffic, as all traffic is redirected to 172.16.16.17.
4. I can recover access by running the CLI command: console> system appliance_access enable. Once I delete the rule, access comes back.
Here is the rule I created and saved to get this result.
Matt