Block internet access on VLAN

I have a dedicated VLAN for my CCTV camera. I am wondering what is the best setup to restrict the VLAN to have an internet connection.

Currently, I have both firewall in and out drop except to my internal network.   
Is there a better way to do it or am I doing it wrong ? 

   name VLAN_120_IN {
        default-action drop
        description ""
        rule 20 {
            action accept
            description "Accept traffic to LAN"
            destination {
                group {
                }
            }
            log disable
            protocol all
            source {
                group {
                    network-group LAN
                }
            }
        }
    }
    name VLAN_120_OUT {
        default-action drop
        description ""
        rule 1 {
            action accept
            description "TO LAN"
            destination {
                group {
                    network-group LAN
                }
            }
            log disable
            protocol all
        }
    }


network-group LAN {
            description ""
            network 192.168.100.0/24
            network 192.168.110.0/24
            network 192.168.120.0/24
        }

Thank you