
Create a country-based firewall rule

Create rules to manage traffic to or from a country or group of countries.


If you have any active web application firewall (WAF) rules, the country-based firewall rule won't work. In this case, create a black hole DNAT rule and add the country you want to block as Original source. See Create a black hole DNAT rule.

To block traffic from a country, do as follows:

  1. Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and select Add firewall rule. Select New firewall rule.
  2. Create a rule using the following parameters:

    | Name | Description |
    |------|-------------|
    | Rule name | Block country |
    | Rule position | Top |
    | Action | Drop |
    | Rule group | None |
    | Source zones | Any |
    | Source networks and devices | Select the country you want to block. |
    | During scheduled time | All the time |
    | Destination zones | Any |
    | Destination networks | Any |
    | Services | Any |

    Here's an example of a rule that blocks traffic from a country:

    Settings for an example country-based firewall rule

    You must set Source zones and Destination zones to Any to use country blocking effectively.

  3. Click Save.
