https://live.paloaltonetworks.com/t5/advanced-threat-prevention/country-block-and-security-policy-ordering/m-p/491104#M1632 <P>We are currently setting up policies to block all traffic to\from all countries except a select few. The rules are in place and seem to be&nbsp; working well. As a best practice, do you create a deny rule for all other out of country or do you just let the interzone-default rule catch the rest? If you do create a rule, is it best practice to keep defining your rules until both the&nbsp;interzone-default &amp;&nbsp;intrazone-default rules don't get hit?</P> Tue, 24 May 2022 22:43:21 GMT RussMc 2022-05-24T22:43:21Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/country-block-and-security-policy-ordering/m-p/491104#M1632 <P>We are currently setting up policies to block all traffic to\from all countries except a select few. The rules are in place and seem to be&nbsp; working well. As a best practice, do you create a deny rule for all other out of country or do you just let the interzone-default rule catch the rest? If you do create a rule, is it best practice to keep defining your rules until both the&nbsp;interzone-default &amp;&nbsp;intrazone-default rules don't get hit?</P> Tue, 24 May 2022 22:43:21 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/country-block-and-security-policy-ordering/m-p/491104#M1632 RussMc 2022-05-24T22:43:21Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/country-block-and-security-policy-ordering/m-p/491323#M1635 <P>Hi RussMc,</P><P>&nbsp;</P><P>Its good to have a deny rule so that you can block malicious IP traffic from all allowed countries.</P><P>Else such accepted traffic may hit on one of the rule above default rules.(i mean example: any traffic from to DMZ/public facing servers)</P> Wed, 25 May 2022 07:54:18 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/country-block-and-security-policy-ordering/m-p/491323#M1635 BNSRIKAR 2022-05-25T07:54:18Z