Is the firewall proxying or NATing the inbound mail - if the SBG sees the TRUE connection IP address of the sender, you can turn on Connection Classification.
We have it enabled and it helps alot.
You might also want to setup a scheduled report and summarize IP connections, Top Rejected, or Top Deferred as candidates for your Local Bad Senders by IP list. For example, I've seen 7556 defered and 4506 rejected connections for 193.252.22.151 in the past 24 hours.