
Country blocking broken?

Hi!

I've recently tried to set up inbound country blocking on my XG home installation (updated to the latest MR) according to the KB sample. Therefore I've created the following firewall rule:

Source: WAN
Network: (country list including the elements "China" and "Russia")

Target: LAN
Network: Any

Action: Drop

Logging: Log events

I've also moved this rule to the top of the list to ensure that I don't have any conflicting rules.

Now if I try to test these rules with either http://www.websitepulse.com/help/testtools.china-test.html or some online ICMP tools originating from Russia, I get positive results (where I expected to see a connection drop). Also, I don't see any connection drops or similar events in my log. The "traffic counter" beside my firewall rule is also stalling at "0b/0b".

The Chinese test site originates from several different IPs which are clearly based in China (203.130.38.1, for example).

Am I missing something here?



This thread was automatically locked due to age.
  • Hi there,

    You're creating the rule in the wrong spot; this is a device access rule. You'll need to create a device access ACL under System > Administration > Device Access. It'll need to look similar to below. I tried that and it worked for me.

    The test at Website Pulse does not appear to be accurate. I just used a ping test on both UTM and XG that had ICMP disabled, and Website Pulse reported a response when from any other device I was getting no response back. I then ran the test using CA's tool https://asm.ca.com/en/ping.php and got the accurate/desired outcome.

  • Thanks. This works for me ... although I was really expecting it in the "policy" area!