I said similar to not exactly the same as.
You wouldn't be allowing access to/from a country, but specific IPs.
The SK I was referring to was linked in the original: https://support.checkpoint.com/results/sk/sk112454
This refers to fwaccel dos commands, which I believe can be used to achieve what you're after.
More specifically, you'd have to do something like the following: (replace X.X.X.X with external gateway IP and Y.Y.Y.Y with source IPs, repeat for each source IP):
[Expert@R8120:0]# fwaccel dos rate add -a d -l a service 17/500 source Y.Y.Y.Y destination cidr:X.X.X.X/32 pkt-rate 100000
This command sets a rate limit on IKE traffic (UDP 500, needed to start a VPN negotiation) to 100000 IKE packets per second.
IKE Negotiations happen infrequently and don't require anywhere near this amount of packets.
However, you can now rate limit everything else IKE related to zero, effectively blocking the traffic:
[Expert@R8120-GA:0]# fwaccel dos rate add -a d -l a service 17/500 source any destination cidr:X.X.X.X/32 pkt-rate 0
Note the above merely blocks the IKE negotiation, which is needed to establish a VPN connection (Site to Site or Remote Access).
I believe that is sufficient to achieve your objective.
The above commands need to be entered in expert mode on each gateway in the cluster.
Read the SK linked above for more information.
