It is possible to block traffic destined to or sourced from an entire country on a Palo Alto Networks firewall. This works because PAN-OS maps public IP addresses to regions by looking them up in an internal database. The mapping is updated weekly through content updates, and the firewall maintains it in its database.
Go to Policies > Security > Add, then in the Source and Destination fields click Add. There are three options to specify: address, address group and regions.
As shown in the example, select Regions:
Now it is possible to see all the countries in the world, and their corresponding region codes as shown below:
Select the country to block; the example below shows China (CN):
Users can also specify particular public IP addresses from the country by clicking the Add button. The country is now referenced in the destination, as shown below:
The final configured security policy will look like the screenshot shown below. The configuration blocks all traffic sourced from or destined to that country, depending on whether the region is referenced in the Source or the Destination of the policy.
Regions can also be created under Objects > Regions, as shown below:
New regions can also be created with the Geo Location feature, which can be used in the creation of Traffic and Threat maps. This is done by specifying the exact coordinates of the region.
Note: Some regions, such as the EU regions, do not fully contain all the EU countries; these countries have to be added in conjunction with the regions.
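The policy described above can also be written as configure-mode CLI commands. The following is an added example, not part of the original article or Palo Alto Networks code: it generates one deny rule with the regions as source and one with them as destination, and goes beyond the single-country case by accepting several region codes. The rule names, the "any" zones and the single-vsys `set rulebase security rules` form are assumptions.

```python
import re

# Two-letter region codes, as shown in the firewall's region list (e.g. CN).
_CODE = re.compile(r"^[A-Z]{2}$")
# Conservative name check (assumption): avoids rule names that need quoting.
_NAME = re.compile(r"^[A-Za-z0-9_-]{1,50}$")


def _members(values):
    """Render one value bare, several as a bracketed member list."""
    return values[0] if len(values) == 1 else "[ " + " ".join(values) + " ]"


def geo_block_commands(rule_prefix, region_codes):
    """Return two configure-mode commands: a deny rule matching the
    regions as source and a deny rule matching them as destination."""
    if not _NAME.match(rule_prefix):
        raise ValueError(f"unsupported rule name prefix: {rule_prefix!r}")
    codes = []
    for code in region_codes:
        code = code.strip().upper()
        if not _CODE.match(code):
            raise ValueError(f"not a two-letter region code: {code!r}")
        if code not in codes:  # drop duplicates, keep the given order
            codes.append(code)
    if not codes:
        raise ValueError("at least one region code is required")

    members = _members(codes)
    commands = []
    # "-in" blocks traffic sourced from the regions, "-out" traffic sent to them.
    for suffix, src, dst in (("in", members, "any"), ("out", "any", members)):
        commands.append(
            f"set rulebase security rules {rule_prefix}-{suffix} "
            f"from any to any source {src} destination {dst} "
            "application any service any action deny"
        )
    return commands


if __name__ == "__main__":
    # Hypothetical rule name prefix; CN is the country used in the article.
    for line in geo_block_commands("Block-Geo", ["CN"]):
        print(line)
```

Review the generated lines before pasting them in configure mode, then commit; when a predefined region does not cover every country intended, pass the missing country codes in the same list.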