kvimaladevi (Staff)
January 29, 2026

Technical Tip: Blocking incoming traffic on UDP port 520 (RIP) from blocked countries

Description

This article gives step-by-step guidance on blocking incoming traffic on UDP port 520 (RIP) from specified countries, identified by geo-IP, on a FortiGate using a local-in policy.
Scope

FortiGate.

Solution

To create geography-based address objects, go to 'Policy & Objects' > 'Addresses' and create a new address object for each country to block; the object's type is 'Geography' and its country is the ISO country code. The equivalent CLI:

 

config firewall address
    edit "China"
        set type geography
        set country "CN"
    next
    edit "Russia"
        set type geography
        set country "RU"
    next
end

 


 

Add the geography-based address objects to an address group so that a single object can be referenced by the policy:

 

config firewall addrgrp
    edit "Geo_block"
        set member "China" "Russia"
    next
end

 


 

Create a service with the required port, or edit the existing predefined service 'RIP'. Set the category to 'General' and the UDP port range to 520.

 

config firewall service custom
    edit "RIP"
        set category "General"
        set udp-portrange 520
    next
end


 

Create a local-in policy with the interface set to 'any', the source address to 'Geo_block', the destination address to 'all', the service to 'RIP', the schedule to 'always', and the action to 'deny'. A local-in policy filters traffic addressed to the FortiGate itself, which is where a RIP listener on the unit would otherwise receive these packets.


config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "Geo_block"
        set dstaddr "all"
        set service "RIP"
        set action deny
        set schedule "always"
    next
end

 

To permit RIP traffic (UDP port 520) only from a specific source while blocking all other addresses, enable source address negation. Specify the allowed IP in the srcaddr field rather than building a list of blocked addresses. With source address negation enabled, the policy matches every source except the one explicitly defined, so the deny action applies to all other sources. Because this example reuses policy ID 1, it replaces the Geo_block policy above rather than adding to it.

 

config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "Allowed-RIP-source-IP"
        set srcaddr-negate enable
        set dstaddr "all"
        set action deny
        set service "RIP"
        set schedule "always"
    next
end
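The following Python is an added example, not part of this article or of Fortinet's own tooling. It generates the same four CLI objects the article builds (geography addresses, the address group, the RIP service and the deny local-in policy) from a dictionary of country names to ISO codes, and it models how a local-in policy decides on a UDP/520 packet with and without srcaddr-negate, so the difference between the two policies above can be checked before touching a firewall. The geo-IP lookup is a constructed dictionary of sample IPs standing in for the FortiGate's built-in geography database, and the allowlist subnet is an assumed value.

```python
"""Added example: render the article's FortiGate CLI objects and model
local-in policy matching, including srcaddr-negate semantics."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample geo-IP table (stands in for the FortiGate geography DB).
SAMPLE_GEOIP = {
    "203.0.113.10": "CN",
    "198.51.100.7": "RU",
    "192.0.2.25": "US",
}


def render_geo_block_config(countries: dict[str, str], policy_id: int = 1) -> str:
    """Emit CLI for geography addresses, the Geo_block group, the RIP service
    and a deny local-in policy, mirroring the article's four steps."""
    lines = ["config firewall address"]
    for name, code in countries.items():
        lines += [f'    edit "{name}"', "        set type geography",
                  f'        set country "{code}"', "    next"]
    lines.append("end")
    members = " ".join(f'"{name}"' for name in countries)
    lines += ["config firewall addrgrp", '    edit "Geo_block"',
              f"        set member {members}", "    next", "end"]
    lines += ["config firewall service custom", '    edit "RIP"',
              '        set category "General"', "        set udp-portrange 520",
              "    next", "end"]
    lines += ["config firewall local-in-policy", f"    edit {policy_id}",
              '        set intf "any"', '        set srcaddr "Geo_block"',
              '        set dstaddr "all"', '        set service "RIP"',
              "        set action deny", '        set schedule "always"',
              "    next", "end"]
    return "\n".join(lines)


@dataclass(frozen=True)
class LocalInPolicy:
    """Minimal model of one local-in policy: srcaddr is a set of country
    codes (geography objects) and/or explicit subnets."""
    src_countries: frozenset[str] = frozenset()
    src_networks: tuple = ()
    srcaddr_negate: bool = False
    udp_ports: frozenset[int] = frozenset({520})
    action: str = "deny"

    def src_matches(self, src_ip: str, geoip: dict[str, str] = SAMPLE_GEOIP) -> bool:
        ip = ip_address(src_ip)
        in_set = geoip.get(src_ip) in self.src_countries or any(
            ip in net for net in self.src_networks)
        # srcaddr-negate flips the match: the policy then applies to every
        # source that is NOT in srcaddr (including sources with no geo entry).
        return in_set != self.srcaddr_negate

    def decide(self, src_ip: str, udp_port: int) -> str:
        """Return the policy action, or 'no-match' if the packet falls through."""
        if udp_port not in self.udp_ports or not self.src_matches(src_ip):
            return "no-match"
        return self.action


def geo_block_policy() -> LocalInPolicy:
    """The article's first policy: deny RIP from the Geo_block group."""
    return LocalInPolicy(src_countries=frozenset({"CN", "RU"}))


def allowlist_policy(allowed_cidr: str = "192.0.2.0/24") -> LocalInPolicy:
    """The article's second policy: deny RIP from everything except one
    source, via srcaddr-negate. The CIDR is an assumed sample value."""
    return LocalInPolicy(src_networks=(ip_network(allowed_cidr),),
                         srcaddr_negate=True)


if __name__ == "__main__":
    print(render_geo_block_config({"China": "CN", "Russia": "RU"}))
    for ip in ("203.0.113.10", "192.0.2.25", "10.0.0.5"):
        print(ip, "geo-block:", geo_block_policy().decide(ip, 520),
              "allowlist:", allowlist_policy().decide(ip, 520))
```

The model makes the practical point of the negated policy visible: a source with no geography entry at all (10.0.0.5 above) is denied by the allowlist policy, whereas the Geo_block policy simply does not match it and lets the packet fall through to the FortiGate's normal handling.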