Block all countries except two - US and India

L0 Member

Block all countries except two - US and India

Hello everyone,


   Im trying to find out if its possible to block all countries except for two - United States and India easily. The only way we can see right now is to go country by country adding them into the list. Can someone please assist if theres an easier way to accomplish this?





L6 Presenter

Re: Block all countries except two - US and India

You have a couple alternatives.


One is to use two (or three) Security Policies, The first one allowing all traffic from (and/or a second rule for trafic *to*) US and India Regions, the next rule listed right after these rules, blocking destination any.


The second option is to use the Negate option. You would configure a Deny rule, and add US and India, then in the Source or Destination Address (depending on which direction of sessions you want to block, you may need to use separate rules for either direction) use the Negate checkbox, which will say, Deny everything 'except' these two Regions.


#1 Pros: Configuration is obvious to anyone reading it, especially if you need to add security profiles in the Actions tab.

#1 Cons: You need two (or three, to cover sessions in either direction) rules


#2 Pros: You need only one rule (or two, to cover sessions in either direction)

#2 Cons: Configuration may look awkward to someone who doesn't understand what the Negate option does, and it's also counter-intuitive to see Security Profiles configured in a Deny policy.

L0 Member

Re: Block all countries except two - US and India

Awesome, this makes sense, thank you very much

L0 Member

Re: Block all countries except two - US and India

Thanks for the explanation. Just a quick question - In option 1 do we need 2 rules wouldnt the default deny take care of denying everything except the countries that are allowed?

L7 Applicator

Re: Block all countries except two - US and India


The use of the rules is one for inbound and the other for outbound traffic. While yes a DENY ALL at the end could suffice, it just saves the firewall to keep having to match the traffic to the whole policy list. It's always top to bottom and left ot right until a match is found.


Hope that clarifies things.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!