For your example, you can certainly put Source Zone <Any> if you like. What I probably will recommend is to lock the Source Zone down to any internal zone that clients will be located on.
Anti-spoofing will still work because the firewall will verify that the traffic is coming in on the correct zone, and if it is not, then it will deny the traffic (checks the source IP address to verify that it belongs in the correct source zone).
Thank you mtuma,
As I understood, even if I put <ANY> zone as source or destination zone, MFE will know the IPs behind the interfaces and anti-spoofing will still work. Right?
What about NAT translation in this situation?
Yes, the anti-spoofing will still occur regardless of how the rule is set up. If you use the NAT Host:Localhost object, the firewall will automatically NAT to the interface that the traffic is leaving on, so if the destination is on the External Zone, the traffic will be NAT'ted to the external interface.
Ok. Thank you for clarifying this.