country blocking - block all then add exceptions??

New to Sophos UTM. Is it doable, and would it make sense/work, to block "from" all countries and have an exception allowing from my own country for IPsec VPN and WebAdmin services (for Any IP), which is the only traffic I would like to accept?

I'm assuming blocking traffic "from" a country is about blocking calls initiated by that country, i.e. it wouldn't block the *response* to a call initiated from my allowed country to the blocked country. Is that true?

Unit is remote right now and I fear testing my theories could result in my losing access to the remote device and the people at that site losing all internet access...



This thread was automatically locked due to age.
  • You're right, Jean, Country Blocking does work as you understand.  That said,  I wouldn't use Country Blocking for this.

    I would only use specific IPs or subnets instead of the "Any" object in WebAdmin Settings.

    As for IPsec remote access, I would use Authentication by X509 instead of a preshared key.

    In both cases, you could add extra security with One-Time Passwords.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • As said by Bob, the country blocking rules work in this way.
    I mean this is the right approach to prevent access from all over the world. Use "from" as the option.
    In order not to prevent my own VPN and web access, I exclude my own country completely.
    As Bob said, "any" should not be the source in the WebAdmin. Better use your own IP or a DynDNS host.
    If you receive mail, don't forget to build an exception.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • OK, I've blocked "from" all countries except mine, made a handful of them "all" so no one / no software can even go there, and put in an exclusion for the IPsec group and my WebAdmin port (which I changed from 4444), for only my DynDNS host.

    Works as expected so far. Or at least I'm not being prevented from administering unit remotely, and the internet is working for folks at remote site.

    Thanks.

  • Great.

    You should see blocked connection attempts within firewall live log.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Interesting. While country blocking is a firewall rule, I can't tell in the firewall logs what country the call is from/to, but I can see it in the web filtering logs.

    I actually monitor things using Fastvue Sophos Reporter, which I'm generally impressed with so far (still in the trial period). It takes data from the web filtering logs, so it works fine for reporting country blocking (after I got a tip to get there from their support folks).

  • We use some country blocking in both directions.

    Exception configuration trick:

    If the exception address is external (e.g. packets going to or from example.com), the country does not matter, so the country list MUST BE EMPTY.

    If the exception address is internal (e.g. packets from my PC at 10.10.10.10), the country list MUST BE CONFIGURED. (All is a possible option.)

    Logging

    As you noticed, country names only appear in the web filtering log. It can be useful to enable country blocking even if nothing is blocked, simply to get the country information in your web filter log files. You can use maxmind.com to look up a country name from an individual IP. You could marry IP addresses in the firewall log with IP addresses in the Web Filter log to get country names for a subset of the firewall log data.

    Protection Suggestions

    I would not under any circumstances enable WebAdmin access from the Internet. Since you must run WebAdmin remotely, log in using IPsec VPN or SSL VPN, and then connect to WebAdmin.

    User Portal is different from WebAdmin. In some configurations, you need to allow User Portal access from the internet.

    OTP (One-Time Passwords) is a great feature. Use it for any of the remote access methods that you enable.

    If you have an internal mail server and a sophisticated spam filter, I suggest exempting country blocking from all sources for incoming traffic on port 25, then blocking unwanted senders in your spam filter. This gives better visibility of lost traffic than if it is blocked at the firewall. But it sounds like this does not apply to your specific situation.
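The last two posts note that the firewall live log shows the blocked connection attempts but not the country, while the web filter log carries a country name, and suggest joining the two on IP address. The script below is an added example of that join, written for this page and not taken from Sophos or from any poster. The log lines in it are constructed: they imitate the key="value" style of the UTM ulogd (packet filter) and httpproxy (web filter) logs, but the field names, rule number 60001 and the country strings are assumptions for illustration, and the documentation-range addresses (203.0.113.x, 192.0.2.x, 198.51.100.x) map to no real country.

```python
"""Join Sophos UTM firewall-log drops with country names taken from the
web-filter log.

Added example, not code from the original thread.  The sample lines are
constructed to look like UTM's key="value" log format; the field names,
rule id and country names are assumptions, not real captures.
"""
import re
from collections import Counter

# One key="value" pair; UTM log bodies are a sequence of these.
KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed firewall (ulogd / packetfilter) log: two external hosts probing
# the WebAdmin port and IKE, one internal host browsing out.
FIREWALL_LOG = """\
2016:03:01-10:00:01 utm ulogd[4998]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.2" proto="6" srcport="51234" dstport="4444" tcpflags="SYN"
2016:03:01-10:00:02 utm ulogd[4998]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.44" dstip="198.51.100.2" proto="17" srcport="40000" dstport="500"
2016:03:01-10:00:03 utm ulogd[4998]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth0" srcip="10.10.10.10" dstip="203.0.113.80" proto="6" srcport="52000" dstport="443" tcpflags="SYN"
2016:03:01-10:00:04 utm ulogd[4998]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.2" proto="6" srcport="51235" dstport="4444" tcpflags="SYN"
"""

# Constructed web filter (httpproxy) log: the only place a country name appears.
WEBFILTER_LOG = """\
2016:03:01-09:58:00 utm httpproxy[3021]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="203.0.113.80" country="Testland A" statuscode="200" url="http://www.example.com/"
2016:03:01-09:59:00 utm httpproxy[3021]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.10.10.11" dstip="203.0.113.7" country="Testland B" statuscode="403" url="http://blocked.example/"
"""


def parse_kv(line):
    """Return the key="value" pairs of one UTM log line as a dict.

    The syslog prefix (timestamp, host, daemon[pid]) has no quotes and is
    simply skipped by the regex.
    """
    return dict(KV.findall(line))


def country_map(webfilter_text):
    """Build external-IP -> country from web filter lines that carry both.

    Only dstip is used: the srcip in a web filter line is an internal client,
    for which the country field is meaningless.
    """
    ipcountry = {}
    for line in webfilter_text.splitlines():
        rec = parse_kv(line)
        if rec.get("dstip") and rec.get("country"):
            ipcountry[rec["dstip"]] = rec["country"]
    return ipcountry


def annotate_drops(firewall_text, ipcountry):
    """Return every dropped packet with the source country, when known.

    Hosts that never showed up as a web filter destination are left as
    "unknown"; those are the ones to feed to a GeoIP lookup by hand.
    """
    drops = []
    for line in firewall_text.splitlines():
        rec = parse_kv(line)
        if rec.get("action") != "drop":
            continue
        drops.append({
            "srcip": rec["srcip"],
            "dstport": rec.get("dstport", ""),
            "fwrule": rec.get("fwrule", ""),
            "country": ipcountry.get(rec["srcip"], "unknown"),
        })
    return drops


def drops_by_country(firewall_text, webfilter_text):
    """Count dropped packets per (joined) source country."""
    drops = annotate_drops(firewall_text, country_map(webfilter_text))
    return dict(Counter(d["country"] for d in drops))


if __name__ == "__main__":
    for d in annotate_drops(FIREWALL_LOG, country_map(WEBFILTER_LOG)):
        print(f'{d["srcip"]:>15} -> port {d["dstport"]:<5} rule {d["fwrule"]}  {d["country"]}')
    print(drops_by_country(FIREWALL_LOG, WEBFILTER_LOG))
```

The join only names hosts that appear in both logs, which is exactly the "subset of the firewall log data" the post describes; in the sample, 203.0.113.7 is labelled because it was also a blocked web destination, while 192.0.2.44 stays "unknown" and would need the maxmind.com lookup. On a real unit, point the two text constants at the packetfilter and http log files instead of the constructed strings.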