Country Blocking WAF

This is a midterm solution, which works fine for now. Any issue with this? 

Seems to work for me aswell. But actually don´t like the way it´s designed. But if it is a midterm solution, I can live with it.

From a technical perspective: When I tcpdump on interface "any" for my dummy/blackhole IP, I cannot see that packets. Why is that?

If you have a DNAT and firewall rule, you should see the outgoing packet, or your firewall rule does not hit and the packet is dropped by default drop. 

I have a WAF Rule and the Blackhole NAT entry for country blocking. When I execute the tcpdump, the blackhole-ip won´t appear anywhere. But I think it should somehow be displayed by tcpdump.

I assume, your firewall rule does not hit. Please show some screenshots of DNAT and firewall

Correct me if, I´m wrong, tcpdump should show any packet, that´s being generated? I can definitely say, that the DNAT Rule blackholing works, so I expect to see the in use blackhole IP (DNAT DST IP) when capturing using tcpdump, right?

Yes it should and it does. But do not forget: DNAT and Firewall Rule need to match both. DNAT will work and grep the traffic without a matching firewall rule, but will drop the traffic because of the missing firewall rule. Your firewall rule is not hitting. 

The only difference between the settings (country blocking active/country blocking active) is, that I enable or disable DNAT to make countryblock work. So without the activated NAT, the firewall rules are matching. So why shouldn´t they match with NAT activated?

The only difference between the settings (country blocking active/country blocking active) is, that I enable or disable DNAT to make countryblock work. So without the activated NAT, the firewall rules are matching. So why shouldn´t they match with NAT activated?

Again: Please post screenshots of your rule. 

Ok, I missed to point out, that I was actually testing with the Userportal and not with the WAF. So my question is not about the WAF, but the Userportal. Sorry for the confusion.

Here are my NAT rules. Of course there is no firewallrule for the Userportal.

You do not need a allow NAT. 
Please show the Firewall Rule matching for NAT Rule 2. 

There are multiple waf rules, that are matching. But as I said, my question was in regards to the Userportal.

This is the "countryblock" NAT:

This is an example WAF Rule:

NAT will redirect the traffic, if the NAT rule hits. 

Firewall will allow the traffic.

If NAT hits and firewall rule is not available, it will not forward the traffic (=deny). 

Your firewall rule for the Blackhole NAT does not hit. Therefore you do not see the packet outgoing to the Blackhole Host. 

OR: The blackhole Host is not reachable, therefore the ARP will not be resolved and the packet will not be send.