Policy based on the client's IP address is only available through the use of the Firewall/VPN connection into the Cloud.
One way to define the policy in the portal is to go to Content Filtering --> Policy and then click "Switch to Advanced Configuration" (if not already there).
When defining the policy, an IP address or subnet can be added under the "from where" section and then selected. This IP address is the "real" IP address of the workstation or subnet. When a VPN tunnel is created between the Firewall and the Cloud, there is no NAT'ing of addresses inside the tunnel. Once the Cloud decrypts the IPsec payload, it remembers the source IP address (the client's "real" IP) and then takes care of the NAT'ing.