OK, I see that it appears as a logical "AND", which is what I want.
What I'm trying to do is get one rule that detects traffic sourced and destined on-net. That works. The other rule needs to show all OTHER HTTP traffic. That doesn't seem to work right, as there is an UNMANAGED port 80 that shows a ton of traffic. I'm obviously doing something wrong.
ON-Net "172.16.0.0/12, 10.0.0/8"
Not-ON-Net "22.214.171.124-126.96.36.199, 188.8.131.52-184.108.40.206, 220.127.116.11-255.255.255.255"
HTTP-OnNet Port 80 Proto TCP Source ON-Net Destination ON-Net
HTTP Port 80 Proto TCP Source ON-Net Destination Not-On-Net
HTTP-UDP Port 80 Proto UDP Source Any Destination Any