>
    Strata Copilot
    Block Incoming Connections from Specific Countries
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. Block Incoming Connections from Specific Countries
    Download PDF
    Prisma Access

    Block Incoming Connections from Specific Countries

    Table of Contents

    Block Incoming Connections from Specific Countries

    Block incoming connections from the countries you specify based on the geo location information.
    Prisma Access allows you to create security policy rules to block login attempts for Remote Network, Mobile Users—GlobalProtect, and Mobile Users—Explicit Proxy deployments from countries you specify. Prisma Access blocks incoming connections from the countries you specify based on the geo location information from the source IP address of the client.
    Use the following guidelines when creating these rules:
    • You must configure these security policy rules exactly as written.
    • Do not use the negate option with these rules; it is an unsupported configuration and will not function correctly to geoblock traffic.
    To block incoming connections from these countries, complete the following task.
    1. Create a security policy pre rule using one of the specific rule names:
      Be sure that you configure this rule as a pre rule.
      • To block a country for Mobile Users—GlobalProtect deployments, create a rule named Mobile_User_EMBG_Source_Countries.
      • To block a country for Mobile Users—Explicit Proxy deployments, create a rule named Explicit_Proxy_EMBG_Source_Countries.
      • To block a country for Remote Network deployments, create a rule named Remote_Network_EMBG_Source_Countries.
    2. Add a Tag for the rule named PA_predefined_embargo_rule.
    3. Add one or more countries to block in the Source Address.
    4. Specify an Action of Drop.

    © 2026 Palo Alto Networks, Inc. All rights reserved.