WAF Rule configuration to only allow access from North America

Please take a look over here: https://community.sophos.com/sophos-xg-firewall/f/discussions/127424/sophos-waf-understand

Thanks Peter, so how does the blackhole DNAT interact with the WAF rules? In the example in the other link we are blocking ALL external traffic, but I want to allow a country group to these web servers. In the external source networks and devices section do I have to just add all country codes minus the one I want to allow??

Thanks Peter, so how does the blackhole DNAT interact with the WAF rules? In the example in the other link we are blocking ALL external traffic, but I want to allow a country group to these web servers. In the external source networks and devices section do I have to just add all country codes minus the one I want to allow??

Ok, afaik you can not apply a GEO IP block to only a specific WAF rule. It applies to all traffic...

I am actually OK with this. So on the blackhole DNAT, do I add source as everything except my country code?

Goto SYSTEM > Hosts and services > Country group

Add a new Country Group, add all the countries except for the North America' s

Use this country group in your DNAT rule

What is the purpose  of blackhomeNAT and how to set it up? 

Thx

support.sophos.com/.../KB-000038943