This is a P-660HW-D1.
I have enabled multi-nat, and mapped an external address to an internal one (1:1). The internal address has a server set to respond to SSH (port 22). A firewall rule permits any WAN address access.
From the outside, I can connect to this service, no problem.
The firewall log feature has an "Access Control" option. If I turn this on, the above access is blocked. Turn logging off again, it works fine. What on earth is going on?