Block Internet Access to Geographic Locations

To prevent users from accessing web sites hosted in the countries you choose, you can specify a geolocation destination.

This option is available only when the rule action is Block and the rule includes no destinations other than geolocations.

The location of a site is determined by its public IP address.


Traffic to a blocked destination may be allowed if a domain resolves to multiple IP addresses corresponding to different countries.

All traffic blocked based on configured geolocation is logged.

To block access by site location:

  1. Create an internet access rule.
  2. (Recommended) Position geolocation rules at the top of the rule list and place any exceptions above the general geolocation rules.
  3. Choose Block as the rule action.
  4. Choose Geolocations as the Destination.
  5. Select continents and countries as applicable.
  6. In the security controls section, choose a web profile in which decryption is enabled. You can also specify in this profile a notification page that will be displayed to end users who attempt to access destinations blocked by this rule.

Ensure Rule Matching for Encrypted Internet Traffic < Block Internet Access to Geographic Locations > Advanced Application Controls