I'm not so sure. I just went back and adjusted that example policy to the more correct logic, updated all reports and ran the report. (This policy is the only policy added to the report in question)
But it's still running it against devices that have "FW" and "VPN" in the name.
I'm gonna have to try your SQL method.