Geo Block IP Lookup Tool

Mkozicki
Getting noticed


Is there a tool or place that hosts the database for the Meraki Layer 7 GEO database, so that we can look up IP addresses against the database to see what country they match in Meraki's mind?

Michael Kozicki
CCIE #5367
MJK Net Inc.
Brash
Kind of a big deal

I don't think Meraki publicly advertises where they pull the IP address geolocation data from. Are you seeing traffic pass from IPs that other internet tools identify as coming from a location that you're blocking?

Mkozicki
Getting noticed

We have some GEO blocks on the general firewalling, but our customer is saying that on a server that has a 1:1 NAT configured they are getting traffic from one of the blocked countries. Now, I don't know for sure whether the 1:1 will bypass the layer 3 and 7 rules or not, and I don't know 100% whether the address that they say is getting to the server is in the countries they are blocking.

So a quick thought was: if they had a tool to check IP addresses against the database, where I could put in an IP and it would spit out the country, then I would know for sure.

Michael Kozicki
CCIE #5367
MJK Net Inc.
Brash
Kind of a big deal

Right, that makes sense.

1:1 NAT and port forwarding are not inspected by layer 7 firewall rules.


https://community.meraki.com/t5/Security-SD-WAN/MX-GEO-IP-filtering-on-Port-Forward-rules/m-p/60930/...

PhilipDAth
Kind of a big deal

I think that is wrong when it comes to geo-blocking. I'm pretty sure it blocks everything, both in and out, that is covered by a geo-blocking rule.

RaphaelL
Kind of a big deal

Let's say you create an L7 firewall rule to block Canada, but you have a 1:1 NAT or port forwarding on a specific IP (10.1.2.3). Any inbound source will be able to reach 10.1.2.3, but 10.1.2.3 will only be able to reply to sources that are not from Canada, right?

Canada -> 10.1.2.3 = OK (allowed by the 1:1 NAT)
10.1.2.3 -> Canada = blocked by the L7 rule

Or am I missing something?

Brash
Kind of a big deal

This was my initial assumption, but reading a few non-authoritative comments (the Meraki community thread linked above and some Reddit posts), it seems to indicate that any NAT or port forwarding rule will bypass the layer 7 rules.

I did a quick and dirty test this morning by geo-blocking my own country and testing my VPN (which is a port forward) from my phone. Even with the rule in place, the VPN connected without an issue.

I might try to do another test tomorrow.

Mkozicki
Getting noticed

So I tried another option to block countries on a web server we have running here with a 1:1 NAT. I made a group policy that blocks the USA (I am in the USA) and then tried to get to our server with that policy applied to the web server. I was not able to connect to the web server. Once I changed back to the normal policy, I could connect again.

So it seems that if we want to GEO block a 1:1 NAT, we need to make a policy and then apply that policy to the server.

Michael Kozicki
CCIE #5367
MJK Net Inc.
Bruce
Kind of a big deal

From my understanding (which may be out of date now), Meraki uses MaxMind for their Geo IP database. You can use tools on their site (the demo portal) to test the location of up to 25 addresses a day.

I was always of the understanding that the geo-blocking only works in the upstream (outbound) direction. So if you have traffic coming from a blocked country it will potentially hit the servers (firewall rules permitting), but any return traffic will be dropped. This prevents any TCP connections from establishing, but does mean you potentially see traffic from ‘blocked’ countries hitting your servers, e.g. TCP SYNs, UDP and ICMP traffic. You’d need to check this to be sure, though.
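The check that RaphaelL's flow diagram and Bruce's last paragraph both describe can be done on the server itself: capture the WAN-side traffic to the NATed host and see, per external source, whether the client's SYN is ever answered. If the geo-block only drops return traffic, you expect to see SYNs from the blocked country but no completed handshakes; a completed handshake from a blocked country means the 1:1 NAT is bypassing the rule. The script below is an added example written for this thread, not Meraki or MaxMind code. The tcpdump-style log, the server address 192.0.2.10 and the tiny country table (documentation prefixes only) are all constructed; in practice you would feed it a real capture summary and replace `country_of` with a real GeoIP lookup (e.g. the MaxMind demo portal Bruce mentions, or a local database).

```python
"""Audit whether inbound TCP handshakes to a NATed server complete per source country.

Added example for this discussion; not Meraki's or MaxMind's code. Everything
below (country table, addresses, packet log) is constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical country table, constructed from RFC 5737 documentation prefixes.
# This is NOT real geolocation data; replace with a real GeoIP lookup.
COUNTRY_RANGES = {
    "CA": [ipaddress.ip_network("203.0.113.0/24")],
    "US": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed tcpdump-style summary as seen on the server behind the 1:1 NAT.
# Server is 192.0.2.10:443; "S" = SYN, "S." = SYN-ACK, "." = ACK.
SAMPLE_LOG = """\
203.0.113.5.40001 > 192.0.2.10.443: Flags [S]
203.0.113.5.40001 > 192.0.2.10.443: Flags [S]
198.51.100.7.51000 > 192.0.2.10.443: Flags [S]
192.0.2.10.443 > 198.51.100.7.51000: Flags [S.]
198.51.100.7.51000 > 192.0.2.10.443: Flags [.]
203.0.113.9.40500 > 192.0.2.10.443: Flags [S]
192.0.2.10.443 > 203.0.113.9.40500: Flags [S.]
203.0.113.9.40500 > 192.0.2.10.443: Flags [.]
"""

# "<ip>.<port> > <ip>.<port>: Flags [<flags>]" (tcpdump's default TCP line shape)
PACKET_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def country_of(ip: str) -> str:
    """Two-letter code from the hypothetical table, or '??' when the IP is not listed."""
    addr = ipaddress.ip_address(ip)
    for code, nets in COUNTRY_RANGES.items():
        if any(addr in net for net in nets):
            return code
    return "??"


def audit_handshakes(log: str, server_ip: str, blocked: set) -> dict:
    """Group packets into client flows (src ip, src port) and report, per external
    source, how many three-way handshakes completed and how many stalled after
    the client's SYN (i.e. the server's SYN-ACK never made it back out)."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False})
    for line in log.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip and src != server_ip:
            key = (src, sport)
            if "S" in flags and "." not in flags:          # client SYN
                flows[key]["syn"] = True
            elif flags == "." and flows[key]["synack"]:    # client ACK after our SYN-ACK
                flows[key]["ack"] = True
        elif src == server_ip:
            key = (dst, dport)
            if "S" in flags and "." in flags:              # server SYN-ACK
                flows[key]["synack"] = True

    report = {}
    for (client, _), f in flows.items():
        entry = report.setdefault(
            client, {"country": country_of(client), "completed": 0, "syn_only": 0})
        entry["blocked"] = entry["country"] in blocked
        if f["syn"] and f["synack"] and f["ack"]:
            entry["completed"] += 1
        elif f["syn"] and not f["synack"]:
            entry["syn_only"] += 1
    return report


def bypasses(report: dict) -> list:
    """Sources in a blocked country whose handshake completed: the geo-block is not
    taking effect for that server (the 1:1 NAT / port forward path is bypassing it)."""
    return sorted(ip for ip, e in report.items() if e["blocked"] and e["completed"] > 0)


if __name__ == "__main__":
    result = audit_handshakes(SAMPLE_LOG, "192.0.2.10", {"CA"})
    for ip, e in sorted(result.items()):
        print(f"{ip:15} {e['country']} blocked={e['blocked']} "
              f"completed={e['completed']} syn_only={e['syn_only']}")
    print("geo-block bypassed by:", bypasses(result))
```

In the constructed log, 203.0.113.5 (blocked country) only ever sends SYNs with no SYN-ACK coming back, which is exactly the "you still see SYNs but nothing establishes" picture above; 203.0.113.9 (also blocked) completes a handshake and is reported as a bypass. Run it against a real capture on the server (`tcpdump -n 'tcp[tcpflags] & (tcp-syn) != 0'` gives lines of this shape) to settle the question for your own MX.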
