Our access control policy blocks specific countries in the source column of rule #1 (Geo block).
We also have IoC Feeds for those countries' IP addresses in place.
Our firewall log shows:
Rule #1 (Geo Block) isn't listed within 'Matched Rules', just IPS and Threat Prevention:
Usually Access Control gets processed before Threat Prevention, while it absolutely makes sense to block blacklisted IP addresses before Access Control. Since IoC Feeds are configured and installed with the Threat Prevention policy, I'm trying to understand how IoC feeds work before Access Control.