Hi, thanks for your reply. I agree that it is better to block high-risk countries. But the question was more about how the layer 3 IP-to-IP rules are handled; the country example was to explain why I created the policy in the first place. Perhaps you can give me a hint about that as well. I'll try to be more specific...
E.g. suppose the network firewall rules say "deny all private IP" and I create a policy with my country settings and apply it to an interface. Does that mean that my default "permit all" in the group policy gives access to private IPs even though the default firewall rules say no? In my example, traffic is incoming via NAT and allowed in the country part of the policy. But I want to be sure that the firewall "allow all" part does not override the default network firewall rules when applied to an interface (for the servers attached to that interface).