Create a country-based firewall rule
Create rules to manage traffic to or from a country or group of countries.
If you have any active web application firewall (WAF) rules, the country-based firewall rule won't work. In this case, create a black hole DNAT rule and add the country you want to block as Original source. See Create a black hole DNAT rule.
To block traffic from a country, do as follows:
- Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and select Add firewall rule. Select New firewall rule.
Create a rule using the following parameters:
| Name | Description |
| --- | --- |
| Rule name | Block country |
| Rule position | Top |
| Action | Drop |
| Rule group | None |
| Source zones | Any |
| Source networks and devices | Select the country you want to block. |
| During scheduled time | All the time |
| Destination zones | Any |
| Destination networks | Any |
| Services | Any |
Here's an example of a rule that blocks traffic from a country:
You must set Source zones and Destination zones to Any to use country blocking effectively.
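The following is an added illustration, not Sophos code or its API: a simplified first-match model of rule evaluation that shows why the parameters above set Rule position to Top and both zones to Any. The GeoIP table, the country codes `XX` and `YY`, the zone names, the allow rule and the default drop are assumptions constructed for the example.

```python
import ipaddress

# Constructed GeoIP table on documentation ranges; "XX"/"YY" are placeholder countries.
GEOIP = {"198.51.100.0/24": "XX", "203.0.113.0/24": "YY"}

def country_of(ip):
    """Return the placeholder country code for an address, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None

def matches(rule, pkt):
    # A criterion matches when it is "Any" or equals the packet's value.
    return (rule["src_zone"] in ("Any", pkt["src_zone"])
            and rule["dst_zone"] in ("Any", pkt["dst_zone"])
            and rule["src_country"] in ("Any", country_of(pkt["src_ip"])))

def evaluate(rules, pkt):
    # Rules are checked from the top; the first match decides the action.
    for rule in rules:
        if matches(rule, pkt):
            return rule["name"], rule["action"]
    return "default", "Drop"  # assumed default when nothing matches

# The rule from the table above, with the country set to the placeholder "XX".
BLOCK = {"name": "Block country", "action": "Drop",
         "src_zone": "Any", "dst_zone": "Any", "src_country": "XX"}
# Hypothetical existing rule that publishes a web server in the DMZ.
ALLOW_WEB = {"name": "Allow inbound web", "action": "Accept",
             "src_zone": "WAN", "dst_zone": "DMZ", "src_country": "Any"}
# Same block rule, but with the destination zone narrowed to LAN.
NARROW = dict(BLOCK, dst_zone="LAN")

# Constructed packet: source in country "XX", arriving on WAN for the DMZ.
PKT = {"src_ip": "198.51.100.7", "src_zone": "WAN", "dst_zone": "DMZ"}

if __name__ == "__main__":
    print("block on top:   ", evaluate([BLOCK, ALLOW_WEB], PKT))
    print("block below:    ", evaluate([ALLOW_WEB, BLOCK], PKT))
    print("narrow dst zone:", evaluate([NARROW, ALLOW_WEB], PKT))
```

In the second and third cases the packet from the blocked country is accepted by the allow rule: once because the allow rule sits above the block rule, and once because the narrowed zone keeps the block rule from matching.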