Secret-goblin-5
Contributor

Create whitelist for single IP when using Geo-blocking objects

Screenshot 2025-12-12 135538.png

We have a geo blocking rule, so far so simple.

However, we now have 1 specific IP which needs to get to the rest of the rules below the geo blocking rule... but is from one of the countries which we block.


How do I add an exception for specific IPs to the geo blocking rule, while still having all the other rules below the geo blocking function?

0 Kudos
15 Replies
CaseyB
Advisor

We just add bypass rules above the GeoBlock, like this:

GeoBypass.png

(1)
Secret-goblin-5
Contributor


Thanks for the quick reply.

This works if you know exactly which service, etc., the allowed IP needs.
But we have 470 rules below the geo block I want the IP to be checked against.

I don't want to give it access to everything (HTTP(S) in your example) in case it gains access to something it should not.


A workaround is to build an inline layer for just them above the geo block, with just the access they need.
Basically what you have, but more granular.
But I would then need to build a new inline layer for every exception to our geo blocklist.

0 Kudos
the_rock
MVP Platinum

Right, but if you think about it, any fw policy goes top to bottom, left to right, so if you try an exception below that geo block rule, it will never work, since upper rule will always take effect first.

Hope that makes sense.

Best,
Andy
the_rock
MVP Platinum

That is true, but sadly there is no better choice. That is just how policy works with any fw vendor out there.

Best,
Andy
0 Kudos
Secret-goblin-5
Contributor

So there is no way to remove just 1 IP from a geo block list and let that IP run through the rest of the rule base?

This feels like such a simple ask as well.

I will do what I did with this one, build an inline rule above the Geo Block with just the correct rules for this IP, and hope we don't get too many IPs we need to add to our exception list.

0 Kudos
the_rock
MVP Platinum

You can't do that. Again, think about it in a logical way. Since any policy goes top to bottom, left to right, if a country is blocked at the top of the rulebase, then ANY IP originating from that country would also be blocked, so adding an exception BELOW such a rule would never work, as the initial rule would block the traffic.

Best,
Andy
0 Kudos
Secret-goblin-5
Contributor

I think you misunderstand my ask.

I want to geo block all of Sweden except IP 2.3.4.5 (for example)

Then have IP 2.3.4.5 move through the other ~450 rules until it is accepted or blocked.

I have been told this is not possible.


What I will need to do instead is make a new inline rule for just IP 2.3.4.5 above my geo block which gives it access to only what it needs, and then do this for every other IP I need to allow.

This increases the size of the policy, makes admin harder (if we add an object I need to add it to multiple whitelisted IPs) and is just uglier.

0 Kudos
the_rock
MVP Platinum

I'm totally clear mate 🙂

I get what you are trying to do, that's why both @CaseyB and I are saying you need to add an exception for that IP ABOVE the geo block rule; there is no other way around it. You are more than welcome to open a TAC case for this, but I can bet any money I have they will tell you the exact same thing.

Best,
Andy
0 Kudos
Secret-goblin-5
Contributor

Okay, but the exception above it (obviously above) would be a blanket allow, it would not then take it through the other 450 rules.

The issue is I do not want to copy all 450 rules into a set of rules just for this IP, and I do not want to administer that many extra rules just for a single IP.

I want it to "skip" the geo blocking rule and move onto the one below it, not just be blanket accepted and never get checked against anything else. This is not possible, so I am accepting that my workload will increase for each outlier we have.

0 Kudos
the_rock
MVP Platinum

Just for context, if traffic is blocked on any given rule, it will never check any more rules, that's it, so creating an exception below a block rule would be work for nothing.

Just saying.

Best,
Andy
0 Kudos
Secret-goblin-5
Contributor

I know this, I want the exception to be above. I have always wanted that.

The problem is that the exception is a blanket allow, which I do NOT want.

I want it to flow through all the other rules in case one of those blocks it.

0 Kudos
the_rock
MVP Platinum

Ok, as long as you are aware of that, then you would need to somehow figure out best way to allow those exceptions (services etc...)

Good luck!

Best,
Andy
0 Kudos
PhoneBoy
Admin

The requirement is clear and we even have something that enables such things: "Group with Exclusions."
You create it like so:

image.png

This object requires two regular groups to be created and referenced:

  • The objects you want to be part of the group 
  • The objects you want to be excluded

Unfortunately, when I tried to do this using an Updatable Object in R82, I got the following error:

image.png

This object type only supports groups with regular host/network objects.

If you can find a feed of IP addresses for Sweden, you can use a script like the following for Office 365 referenced in sk167000.
This will convert the feed into the necessary static objects that will allow this object type to be used.
You lose the dynamicness of the updatable object, of course, and any changes will require a policy push.

(1)
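As an added example (not PhoneBoy's script, nor the one referenced in sk167000), the following Python turns a constructed CIDR feed into mgmt_cli commands that build the include group, the exclude group and the Group with Exclusions, and first checks that every exception IP actually lies inside the feed, since an exclusion for an address the feed does not cover changes nothing. The object-name prefix, the sample ranges and the exception address are assumptions; the command lines are meant for `mgmt_cli -b` after review.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample feed standing in for a country IP list; these are RFC 5737
# documentation ranges, not real allocations for any country.
SAMPLE_FEED = """# country feed (constructed)
192.0.2.0/24
198.51.100.0/25
203.0.113.0/24
"""

def parse_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line, skipping blanks and '#' comments; dedupe and sort."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line, strict=False))
    return sorted(nets)

def covered_by(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the address lies inside any feed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def build_commands(nets, exceptions, prefix="GeoFeed_SE") -> List[str]:
    """Return mgmt_cli lines (hypothetical object names) that create static
    network objects, an include group, host objects plus an exclude group, and
    the Group with Exclusions that the geo block rule should reference."""
    for ip in exceptions:
        if not covered_by(ip, nets):  # exclusion would be pointless: refuse
            raise ValueError(f"{ip} is not inside the feed; nothing to exclude")
    cmds, net_names, host_names = [], [], []
    for n in nets:
        name = f"{prefix}_{n.network_address}_{n.prefixlen}"
        net_names.append(name)
        cmds.append(f'add network name "{name}" subnet "{n.network_address}" '
                    f'mask-length {n.prefixlen}')
    members = " ".join(f'members.{i} "{m}"' for i, m in enumerate(net_names, 1))
    cmds.append(f'add group name "{prefix}_include" {members}')
    for ip in exceptions:
        host = f"{prefix}_allow_{ip.replace('.', '_')}"
        host_names.append(host)
        cmds.append(f'add host name "{host}" ip-address "{ip}"')
    members = " ".join(f'members.{i} "{m}"' for i, m in enumerate(host_names, 1))
    cmds.append(f'add group name "{prefix}_exclude" {members}')
    cmds.append(f'add group-with-exclusion name "{prefix}_minus_exceptions" '
                f'include "{prefix}_include" except "{prefix}_exclude"')
    cmds.append("publish")  # objects exist only after publish; rule needs a policy install
    return cmds

if __name__ == "__main__":
    print("\n".join(build_commands(parse_feed(SAMPLE_FEED), ["192.0.2.77"])))
```

Re-running the script after a feed update regenerates the static objects, which is the policy push PhoneBoy mentions.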
the_rock
MVP Platinum

That's exactly how I do it and recommend to customers.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

I can't see how this can work with a rule below the geo block, as the first rule will always block the country. You need to add the exception above.

Best,
Andy
0 Kudos
(1)
