https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cgnat-block-issues-with-geoblock-rule/m-p/1240998#M6418 <P>We just migrationed from Cisco Firepower:</P> <P>We have some Negate Geo block rules that will block any country that is NOT on the lists of allowed, but now it is unintentinally blocking CGNAT addresses. We would still like to only allow US CGNAT's but the fix below would be world wide I believe? We don't want to wait until someone travels around the US and runs into the issue.</P> <P>&nbsp;</P> <P>This would also Apply to Employee and Public accesss as they both would be geo blocked. So Vpn isnt a final fix.</P> <P>Is there any other way around having to add the100.64.0.0/10 block ?</P> <P>&nbsp;</P> <P>How are others dealing with CGNAT's?</P> Thu, 30 Oct 2025 16:12:08 GMT E.Egger 2025-10-30T16:12:08Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cgnat-block-issues-with-geoblock-rule/m-p/1240998#M6418 <P>We just migrationed from Cisco Firepower:</P> <P>We have some Negate Geo block rules that will block any country that is NOT on the lists of allowed, but now it is unintentinally blocking CGNAT addresses. We would still like to only allow US CGNAT's but the fix below would be world wide I believe? We don't want to wait until someone travels around the US and runs into the issue.</P> <P>&nbsp;</P> <P>This would also Apply to Employee and Public accesss as they both would be geo blocked. So Vpn isnt a final fix.</P> <P>Is there any other way around having to add the100.64.0.0/10 block ?</P> <P>&nbsp;</P> <P>How are others dealing with CGNAT's?</P> Thu, 30 Oct 2025 16:12:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-cgnat-block-issues-with-geoblock-rule/m-p/1240998#M6418 E.Egger 2025-10-30T16:12:08Z