Netgroup is your best bet here and is external to ONTAP - you'd need a NIS or LDAP server. For the ONTAP side, you'd specify @netgroup name as the entry in the policy rule.
TR-4835 has a section on netgroups in AD starting on page 63:
If you want the "easiest" way, you could use 0/0 for "every host." The range method will work fine. Or you could do a subnet (such as 10.10.10.0/24).
But there's no "easy" way to add 500 hosts to a rule other than the above.
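The following is an added example, not part of the original post and not NetApp code: a Python sketch that turns a long host list into standard netgroup-file lines, using host-only triples split across nested sub-groups, so the export policy rule can reference one `@netgroup` entry instead of 0/0. The group name `nfs_clients`, the `example.com` host names and the 50-hosts-per-group split are assumptions made for illustration.

```python
def build_netgroup(name, hosts, per_group=50):
    """Return netgroup-file lines: numbered sub-groups of host-only
    triples, followed by a parent group `name` that nests them."""
    seen = {}
    for raw in hosts:
        host = raw.strip().lower()
        # An empty host field in a triple is a wildcard that matches every
        # host, so blank or malformed entries must never reach the output.
        if not host or any(c in host for c in "(), \t@"):
            raise ValueError(f"refusing unsafe host entry: {raw!r}")
        seen.setdefault(host, None)  # de-duplicate, keep input order
    unique = list(seen)
    if not unique:
        raise ValueError("no hosts given")

    lines, children = [], []
    for start in range(0, len(unique), per_group):
        child = f"{name}_{start // per_group + 1:02d}"
        # (host,,) restricts only the host field; user and domain stay empty.
        triples = " ".join(f"({h},,)" for h in unique[start:start + per_group])
        lines.append(f"{child} {triples}")
        children.append(child)
    # Parent group whose members are the sub-groups (nested netgroups).
    lines.append(f"{name} {' '.join(children)}")
    return lines


# Constructed sample input: 500 hypothetical NFS clients.
SAMPLE_HOSTS = [f"host{n:03d}.example.com" for n in range(1, 501)]

if __name__ == "__main__":
    for line in build_netgroup("nfs_clients", SAMPLE_HOSTS):
        # Truncate long lines for display only.
        print(line if len(line) <= 90 else line[:87] + "...")
```

The output is in netgroup file format; loading it into NIS or LDAP is done with that directory's own tooling, and the policy rule then uses `@nfs_clients` as the client match.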