
Block countries using a firewall rule

Create rules to block traffic related to a country or group of countries.

Configurations that block countries

The firewall applies DNAT rules first, then WAF rules, and then firewall rules.

To block countries, use one of the following configurations based on your requirements:

  • Create a firewall rule. See Block countries using a firewall rule.

    Note

    The firewall doesn't evaluate firewall rules for traffic going to the interface selected under Hosted address in WAF rules. You can use a blackhole DNAT rule instead.

  • Create a WAF rule to block traffic to web servers over the selected hosted address. Scroll down to Access permissions and select the country under Blocked countries.

  • Create a blackhole DNAT rule with the following settings:

    1. Under Original source, select the country.
    2. Under Translated destination, select an IP host with an IP address that doesn't exist in your network.

    See Create a black hole DNAT rule.

Block countries using a firewall rule

To block traffic related to a country using a firewall rule, do as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 or IPv6 protocol.
  3. Select Add firewall rule and select New firewall rule.
  4. Create a rule using the following parameters:

    Settings                       Values
    Rule name                      Block country
    Rule position                  Top
    Action                         Drop
    Rule group                     None
    Source zones                   Any
    Source networks and devices    Select the country you want to block.
    During scheduled time          All the time
    Destination zones              Any
    Destination networks           Any
    Services                       Any
  5. Click Save.

    Note

    You must set Source zones and Destination zones to Any to use country blocking effectively.

    Here's an example of a rule that blocks traffic from a country:

    [Image: Settings for an example country-based firewall rule.]
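
The following Python model is an added example, not Sophos code or part of the original page. It shows why the table sets Rule position to Top and both zones to Any, and why traffic to a WAF hosted address needs a WAF rule or a blackhole DNAT rule instead. It assumes top-down, first-match rule evaluation and a default drop; the GeoIP table, the country codes AA and BB, the zone names, and the allow rule are constructed.

```python
import ipaddress

# Constructed GeoIP table: documentation address ranges, made-up country codes.
GEOIP = {"203.0.113.0/24": "AA", "198.51.100.0/24": "BB"}

def country_of(ip):
    """Return the constructed country code for an IP, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return code
    return None

def matches(rule, pkt):
    """A field matches when the rule says "Any" or names the packet's value."""
    return (rule["source"] in ("Any", country_of(pkt["src"]))
            and rule["src_zone"] in ("Any", pkt["src_zone"])
            and rule["dst_zone"] in ("Any", pkt["dst_zone"]))

def evaluate(rules, pkt, waf_hosted=()):
    """Return the action the modelled firewall rule table applies to pkt."""
    # From the page: firewall rules aren't evaluated for traffic going to the
    # WAF hosted address (modelled here as a set of destination IPs).
    if pkt["dst"] in waf_hosted:
        return "not evaluated"
    for rule in rules:              # assumption: top-down, first match wins
        if matches(rule, pkt):
            return rule["action"]
    return "Drop"                   # assumption: unmatched traffic is dropped

# Rule from the page's table, plus a constructed allow rule and a too-narrow variant.
BLOCK = {"action": "Drop", "source": "AA", "src_zone": "Any", "dst_zone": "Any"}
ALLOW = {"action": "Accept", "source": "Any", "src_zone": "WAN", "dst_zone": "DMZ"}
BLOCK_NARROW = dict(BLOCK, dst_zone="LAN")
PKT = {"src": "203.0.113.7", "src_zone": "WAN", "dst": "192.0.2.10", "dst_zone": "DMZ"}

def demo():
    """Evaluate the same packet from country AA against four rule layouts."""
    return {
        "block at top": evaluate([BLOCK, ALLOW], PKT),
        "block below allow": evaluate([ALLOW, BLOCK], PKT),
        "destination zone too narrow": evaluate([BLOCK_NARROW, ALLOW], PKT),
        "waf hosted address": evaluate([BLOCK, ALLOW], PKT, {"192.0.2.10"}),
    }

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

Only the first layout drops the packet: a block rule placed below a matching allow rule, or one scoped to a zone the traffic doesn't use, never matches, and the firewall rule table isn't consulted at all for the WAF hosted address.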
