https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476726#M1570 <P>It of course depends on you other rules, but something like this would allow SNMP inbound, but block all other traffic:</P><P>Policies-&gt;Security</P><OL><LI>Name="Allow SMTP in to mailserver", SrcZone=WAN, SrcAddr=any, DstZone=DMZ, DstAddr=mailserver, Application=SMTP,SMTP_AUTH, Service=any Action=Allow</LI><LI>Name="Block all ElSalvador traffic inbound",&nbsp;SrcZone=WAN, SrcAddr=Regions:SV, DstZone=any, DstAddr=any, Application=any, Service=any Action=Drop</LI></OL><P>If you also want to block requests outbound to that country:</P><P class="lia-indent-padding-left-30px">3.&nbsp;Name="Block all traffic outbound to El Salvador",&nbsp;SrcZone=LAN, SrcAddr=any, DstZone=WAN, DstAddr=Regions:SV, Application=any, Service=any Action=Drop</P> Tue, 29 Mar 2022 23:09:07 GMT Adrian_Jensen 2022-03-29T23:09:07Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476520#M1563 <P>howdy,</P><P>I can not get my head around how to do this.</P><P>Allow smtp from a country but block every other service, application.</P><P>You can negate countries but not services/applications.</P><P>can one do any/any with an exception?</P><P>Thank you</P> Tue, 29 Mar 2022 01:00:51 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476520#M1563 PA200-1 2022-03-29T01:00:51Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476628#M1568 <P>Your question is a bit open ended... Do you want to block everything but SMTP from a specific country? Or block all traffic to anywhere, except for SMTP from a specific country? Generally you are going to want to try and build rules with specific allows, followed by global drops for anything else.</P> Tue, 29 Mar 2022 15:52:07 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476628#M1568 Adrian_Jensen 2022-03-29T15:52:07Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476676#M1569 <P>Allow smtp from 1 specific country but block every other service, application from that 1 specific country.</P> Tue, 29 Mar 2022 19:58:52 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476676#M1569 PA200-1 2022-03-29T19:58:52Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476726#M1570 <P>It of course depends on you other rules, but something like this would allow SNMP inbound, but block all other traffic:</P><P>Policies-&gt;Security</P><OL><LI>Name="Allow SMTP in to mailserver", SrcZone=WAN, SrcAddr=any, DstZone=DMZ, DstAddr=mailserver, Application=SMTP,SMTP_AUTH, Service=any Action=Allow</LI><LI>Name="Block all ElSalvador traffic inbound",&nbsp;SrcZone=WAN, SrcAddr=Regions:SV, DstZone=any, DstAddr=any, Application=any, Service=any Action=Drop</LI></OL><P>If you also want to block requests outbound to that country:</P><P class="lia-indent-padding-left-30px">3.&nbsp;Name="Block all traffic outbound to El Salvador",&nbsp;SrcZone=LAN, SrcAddr=any, DstZone=WAN, DstAddr=Regions:SV, Application=any, Service=any Action=Drop</P> Tue, 29 Mar 2022 23:09:07 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/policy-objects-and-smtp/m-p/476726#M1570 Adrian_Jensen 2022-03-29T23:09:07Z