Setup
Country Blocking is configured under Portal › Firewall › Countries.
Don’t use “Accept United States / Canada only”
A common first instinct is to restrict the client to traffic from just the US and Canada. We don’t recommend this.
A surprising share of the services people use route their traffic through international infrastructure. Facebook, for example, sends most of its traffic through Ireland. Limiting the client to US/Canada will silently break a substantial portion of the modern web.
Recommended baseline — block known bad-actor countries
Unless you are absolutely certain the client only needs US/Canada reachability, change the rule to Block known bad countries. We maintain the underlying list and keep it current.
Manually blocking specific countries
If you’d rather curate the list yourself, set the rule to Block from specific countries and add the geographies that the majority of malicious traffic originates from. A good starting set:
Algeria, Bangladesh, Belarus, Brazil, Bulgaria, Burkina Faso, Burundi, Cameroon, Central African Republic, Chad, China, Estonia, Hungary, India, Indonesia, Iran, Jamaica, Latvia, Lebanon, Lithuania, Myanmar, Nepal, Nigeria, North Korea, Pakistan, Philippines, Romania, Russia, Saudi Arabia, Syria, Taiwan, Thailand, Turkey, Ukraine, Uruguay, Vietnam.
Least-privilege alternative — allow specific countries
For a stricter posture, flip the model and set the rule to Accept traffic from specific countries with a curated allow-list. The following set covers nearly every public service we’ve encountered while keeping the surface area small:
US, Canada, Mexico, Australia, Ireland, UK, France, Italy, Austria, Sweden.
If the client runs into a site or service that’s hosted outside this set, the list can be adjusted accordingly. Contact support and we can refine it together.
