
Firewall rule DMZ -> Internet

Hello Everyone,

I'm trying to create a firewall rule to allow traffic from my DMZ zone to the Internet. My question is: can I block the IPs (when going to the Internet) that are considered dangerous, or IP addresses from countries like China and Russia?

I want to permit the traffic to the Internet, but without the possibility of accessing any dangerous IP address.

BR,



  • Have you considered using the Country Blocking aspect of UTM?

    Network Protection > Firewall > Country Blocking tab.  It blocks all incoming/outgoing traffic for that country you specify, or even continent. 

    If you are finding your internal computer(s) accessing specific IPs that you want blocked, you can also add a blackhole static route.

    Interfaces & Routing > Static Route

    You can add IPs to a group, name it something like 'Blackhole' and add those IPs to that group.  Then create a static route, select Blackhole Route, then add that Blackhole group.  It basically sends that traffic to 'nowhere'.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thank you for your reply!

    Yes, I thought about it but I just want to implement it for 1 FW rule. I don't want it to be applied for the rest of FW rules. Do you know if it's possible to do this for a specific FW rule?

    BR,

  • I think I understand your question - You can add exceptions if you need to still get through to a site that you frequent, by adding it to the Web Protection filter as an exception.  I do this for a few things, such as blocking an Asian country, but I still need to access a couple of sites, so I add it to my exception list.  Or, you can create a country blocking exception list (tab next to Country Blocking) and you can define what hosts/networks and any services you want to have an exception to access a blocked country.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • In fact I don't want to configure my machines in the DMZ network to use the proxy. I'm trying to create a specific firewall rule: Zone DMZ 1 --> Internet (I want to add an exception to this rule: I want my machine reaching every IP address except the Russian and Chinese IP addresses for that rule). On the other hand, I have other rules that permit my other DMZ zones to access every IP address out there.

    BR,

  • Yeah I think the Country Blocking Exception Lists can do this for you, because you can add hosts and networks to that exception list.  So you can effectively just block China and Russia in Country Blocking, then add your exceptions.  You just need to create your groups to separate which machine(s) you want the exception.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
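To make the policy model from the answer above concrete, here is an added example (not code from the thread or from Sophos UTM) that evaluates one DMZ -> Internet flow in the order described: blackhole static route first, then global Country Blocking with its exception list (source hosts/networks plus services), then the plain allow rule. The country prefixes, blackhole entry and exception networks are constructed placeholders, and the evaluation order is an assumption about how the UTM applies these features.

```python
import ipaddress

# Constructed placeholder prefixes standing in for GeoIP country ranges.
COUNTRY_PREFIXES = {
    "CN": [ipaddress.ip_network("203.0.113.0/24")],
    "RU": [ipaddress.ip_network("198.51.100.0/24")],
}
BLOCKED_COUNTRIES = {"CN", "RU"}

# 'Blackhole' group: destinations sent to nowhere by a blackhole static route.
BLACKHOLE_GROUP = [ipaddress.ip_network("192.0.2.66/32")]

# Country Blocking exception list: which sources (hosts/networks) and which
# services may still reach a blocked country. Empty service set = any service.
EXCEPTIONS = [
    {"sources": [ipaddress.ip_network("10.10.1.0/24")], "services": set()},
    {"sources": [ipaddress.ip_network("10.10.2.5/32")], "services": {("tcp", 443)}},
]


def _in(ip, networks):
    return any(ip in n for n in networks)


def country_of(ip):
    for cc, prefixes in COUNTRY_PREFIXES.items():
        if _in(ip, prefixes):
            return cc
    return None


def evaluate(src, dst, proto="tcp", port=443):
    """Return (verdict, reason) for one DMZ -> Internet flow (assumed order)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in(dst, BLACKHOLE_GROUP):
        return ("drop", "blackhole static route")
    cc = country_of(dst)
    if cc in BLOCKED_COUNTRIES:
        for ex in EXCEPTIONS:
            svc_ok = not ex["services"] or (proto, port) in ex["services"]
            if _in(src, ex["sources"]) and svc_ok:
                return ("allow", f"country {cc} blocked, exception list matched")
        return ("drop", f"country blocking: {cc}")
    return ("allow", "firewall rule DMZ -> Internet")
```

Running a few flows through evaluate() shows why the original poster's per-rule wish is awkward here: the country block is global, so every other rule that must reach those countries needs its own exception entry.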

  • Hi!

    Thank you for your help! I think that you're right, I can do it this way. The issue here is that if I block the traffic coming from China in the "" tab, I would have to create several exceptions for the rest of my other firewall rules (those rules that need to accept traffic coming from everywhere). If I wanted to block the traffic coming from China for all my FW rules except one, it would be much easier and faster to configure.

    Thank you for your help and your suggestions, I learned new things with you.

    BR,