topic Re: Create whitelist for single IP when using Geo-blocking objects in Firewall and Security Management

Create whitelist for single IP when using Geo-blocking objects

Secret-goblin-5 — Fri, 12 Dec 2025 13:58:34 GMT

We have a geo blocking rule, so far so simple.

However, we now have 1 specific IP which needs to get to the rest of the rules below the geo blocking rule... but is from one of the countries which we block.

How do I add an exception for specific IPs to the geo blocking rule, while still having all the other rules below the geo blocking function?

Re: Create whitelist for single IP when using Geo-blocking objects

CaseyB — Fri, 12 Dec 2025 14:12:33 GMT

We just add bypass rules above the GeoBlock, like this:

Re: Create whitelist for single IP when using Geo-blocking objects

the_rock — Fri, 12 Dec 2025 14:12:44 GMT

I cant see how this can work with rule below geo block, as first rule will always block the country. You need to add exception above.

Re: Create whitelist for single IP when using Geo-blocking objects

Secret-goblin-5 — Fri, 12 Dec 2025 14:22:48 GMT

Thanks for the quick reply.

This works if you know exactly which service etc the allowed IP needs.
But we have 470 rules below the geo block I want the IP to be checked against.

I don't want to give it access to everything (HTTP(S) in your example) encase it gain access to something it should not.

A workaround is to build an inline layer for just them above the geo block, with just the access they need.
Basically what you have, but more granular
But I would then need to build a new inline layer for every exception to our geo blocklist.

Re: Create whitelist for single IP when using Geo-blocking objects

the_rock — Fri, 12 Dec 2025 14:28:05 GMT

Right, but if you think about it, any fw policy goes top to bottom, left to right, so if you try an exception below that geo block rule, it will never work, since upper rule will always take effect first.

Hope that makes sense.

Re: Create whitelist for single IP when using Geo-blocking objects

the_rock — Fri, 12 Dec 2025 15:12:31 GMT

Thats exactly how I do it and recommend to customers.

Re: Create whitelist for single IP when using Geo-blocking objects

the_rock — Sat, 13 Dec 2025 13:46:56 GMT

That is true, but there is no sadly better choice. That is just how policy works with any fw vendor out there.

Re: Create whitelist for single IP when using Geo-blocking objects

Secret-goblin-5 — Tue, 16 Dec 2025 09:19:50 GMT

So there is no way to remove just 1 IP from a geo block list and let that IP run through the rest of the rule base?

This feels like such a simple ask as well.

I will do what I did with this one, build an inline rule above the Geo Block with just the correct rules for this IP, and hope we don't get too many IPs we need to add to our exception list.

Re: Create whitelist for single IP when using Geo-blocking objects

the_rock — Tue, 16 Dec 2025 11:47:43 GMT

You cant do that. Again, think about it in logical way. Since any policy goes top to bottom, left to right, if country is blocked on the top of the rulebase, then ANY ip originating from that country would also be blocked, so adding exception BELOW such rule would never work, as initial rule would block the traffic.

Re: Create whitelist for single IP when using Geo-blocking objects

Secret-goblin-5 — Tue, 16 Dec 2025 12:08:12 GMT

I think you misunderstand my ask.

I want to geo block all of Sweden except IP 2.3.4.5 (for example)

Then have IP 2.3.4.5 move through the other ~450 rules until it is accepted or blocked.

I have been told this is not possible.

What I will need to do instead is make a new inline rule for just IP 2.3.4.5 above my geo block which gives it access to only what it needs, and then do this for every other IP I need to allow.

This increases the size of the policy, makes admin harder (if we add an object I need to add it to multiple whitelisted IPs) and is just uglier.

Re: Create whitelist for single IP when using Geo-blocking objects

the_rock — Tue, 16 Dec 2025 12:14:51 GMT

Im totally clear mate 🙂

I get what you are trying to do, thats why both @CaseyB and I are saying you need to add exception for that IP ABOVE the geo block rule, there is no other way around it, You are more than welcome to open TAC case for this, but I can bet in any money I have they will tell you exact same thing.

Re: Create whitelist for single IP when using Geo-blocking objects

Secret-goblin-5 — Tue, 16 Dec 2025 12:19:03 GMT

Okay, but the exception above it (obviously above) would be a blanket allow, it would not then take it through the other 450 rules.

The issue is I do not want to copy all 450 rules into a set of rules just for this IP, and I do not want to administer that many extra rules just for a single IP.

I want it to "skip" to geo blocking rule and move onto the one below it, not just be blanked accepted and never get checked against anything else. This is not possible, so I am accepting that my work load will increase for each outlier we have.

Re: Create whitelist for single IP when using Geo-blocking objects

the_rock — Tue, 16 Dec 2025 12:28:04 GMT

Just for the context, if traffic is blocked on any given rule, it will never check any more rules, thats it, so creating exception below block rule would be work for nothing.

Just saying.

Re: Create whitelist for single IP when using Geo-blocking objects

Secret-goblin-5 — Tue, 16 Dec 2025 12:30:19 GMT

I know this, I want the exception to be above. I have always wanted that.

The problem is that the exception is a blanket allow, which I do NOT want.

I want it to flow through all the other rules encase one of those blocks it.

Re: Create whitelist for single IP when using Geo-blocking objects

the_rock — Tue, 16 Dec 2025 12:47:05 GMT

Ok, as long as you are aware of that, then you would need to somehow figure out best way to allow those exceptions (services etc...)

Good luck!

Re: Create whitelist for single IP when using Geo-blocking objects

PhoneBoy — Tue, 16 Dec 2025 17:41:01 GMT

The requirement is clear and we even have something that enables such things: "Group with Exclusions."
You create it like so:

This object requires two regular groups to be created and referenced:

The objects you want to be part of the group
The objects you want to be excluded

Unfortunately, when I tried to do this using an Updatable Object in R82, I got the following error:

This object type only supports groups with regular host/network objects.

If you can find a feed of IP addresses for Sweden, you can use a script like the following for Office 365 referenced in sk167000.
This will convert the feed into the necessary static objects that will allow this object type to be used.
You lose the dynamicness of the updatable object, of course, and any changes will require a policy push.