Block countries using a firewall rule
Create rules to block traffic related to a country or group of countries.
Configurations that block countries
The firewall applies DNAT rules first, then WAF rules, and then firewall rules.
To block countries, use one of the following configurations based on your requirements:
- Create a firewall rule: Block countries using a firewall rule.

  Note
  The firewall doesn't evaluate firewall rules for traffic going to the interface selected under Hosted address in WAF rules. You can use a blackhole DNAT rule instead.
- Create a WAF rule to block traffic to web servers over the selected hosted address. Scroll down to Access permissions and select the country under Blocked countries.
- Create a blackhole DNAT rule with the following settings:
  - Under Original source, select the country.
  - Under Translated destination, select an IP host with an IP address that doesn't exist in your network.
Block countries using a firewall rule
To block traffic related to a country using a firewall rule, do as follows:
- Go to Rules and policies > Firewall rules.
- Select IPv4 or IPv6 protocol.
- Select Add firewall rule and select New firewall rule.
- Create a rule using the following parameters:

  | Settings | Values |
  | --- | --- |
  | Rule name | Block country |
  | Rule position | Top |
  | Action | Drop |
  | Rule group | None |
  | Source zones | Any |
  | Source networks and devices | Select the country you want to block. |
  | During scheduled time | All the time |
  | Destination zones | Any |
  | Destination networks | Any |
  | Services | Any |
- Click Save.
Note
You must set Source zones and Destination zones to Any to use country blocking effectively.
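The requirements above (rule position Top, zones set to Any, and the WAF hosted-address exception) can be checked together against a rule set. The following is an added example, not Sophos code or a Sophos export format: the dict layout, field names, and sample rules (country "Exampleland", address 203.0.113.10) are constructed, and it assumes a blackhole DNAT rule for the country also matches traffic to the hosted address.

```python
# Added example: lint a constructed, simplified rule set for country-blocking gaps.
# The dict layout and field names are hypothetical, not a Sophos export format.

def audit_country_block(country, firewall_rules, waf_rules, dnat_rules):
    """Return a list of findings; an empty list means no gap was found."""
    findings = []
    idx = next((i for i, r in enumerate(firewall_rules)
                if r["action"] == "Drop" and country in r["source_networks"]), None)
    if idx is None:
        findings.append(f"no Drop firewall rule has {country} as source")
    else:
        rule = firewall_rules[idx]
        if rule["source_zones"] != "Any" or rule["destination_zones"] != "Any":
            findings.append(f"'{rule['name']}': source and destination zones must be Any")
        if idx != 0:
            findings.append(f"'{rule['name']}' is at position {idx + 1}, not Top")
    # DNAT is processed before WAF, so a blackhole DNAT rule for the country
    # also covers hosted addresses (assumes its original destination matches them).
    blackholed = any(country in d["original_source"] and not d["translated_host_exists"]
                     for d in dnat_rules)
    # Firewall rules are not evaluated for traffic to a WAF hosted address.
    for waf in waf_rules:
        if country not in waf["blocked_countries"] and not blackholed:
            findings.append(f"WAF '{waf['name']}' on {waf['hosted_address']} "
                            f"does not block {country}")
    return findings

# Constructed sample configuration (documentation IP range, made-up names).
FIREWALL_RULES = [
    {"name": "Allow LAN to WAN", "action": "Accept", "source_zones": "LAN",
     "destination_zones": "WAN", "source_networks": ["Any"]},
    {"name": "Block country", "action": "Drop", "source_zones": "WAN",
     "destination_zones": "Any", "source_networks": ["Exampleland"]},
]
WAF_RULES = [{"name": "Web shop", "hosted_address": "203.0.113.10",
              "blocked_countries": []}]
DNAT_BLACKHOLE = [{"original_source": ["Exampleland"], "translated_host_exists": False}]

if __name__ == "__main__":
    for finding in audit_country_block("Exampleland", FIREWALL_RULES, WAF_RULES, []):
        print("GAP:", finding)
```

With the sample data, the audit reports the zone restriction, the rule position, and the uncovered WAF rule; passing `DNAT_BLACKHOLE` as the last argument clears only the WAF finding.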
Here's an example of a rule that blocks traffic from a country: