Just wanted to drop a note for anyone else running into this ridiculous product limitation.
If you have a firewall policy with nested groups, the Mac agent will not use any of the rules in nested groups. Only rules one level deep will work.
What a great product.