FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nithincs
Staff & Editor
Article Id 402991
Description This article explains how to block websites belonging to a specific country code TLD (ccTLD).
Scope FortiGate.
Solution

Below are the steps to block web access to a specific country code TLD in FortiGate. Access can be blocked with a DNS filter UTM profile.

DNSfilter:

  • Create a new DNS filter profile or edit an existing one.
  • Create a Static Domain Filter entry:

From CLI:

config dnsfilter domain-filter
    edit 1
        set name "BlockTLD"
        config entries
            edit 1
                set domain "*.<country code>"
                set type wildcard
            next
        end
    next
end

In place of <country code>, put the ccTLD of the specific country (for example, the two-letter code only, without a leading dot).

config dnsfilter profile
    edit "BlockccTLD"
        config domain-filter
            set domain-filter-table 1
        end
    next
end

From GUI:

Navigate to Security Profiles -> DNS Filter, edit or create a DNS Filter profile, and then under Static Domain Filter set Domain Filter to Enable.

Once enabled, select 'Create New' under Domain Filter and add the country TLD as shown below:

[Screenshot KB1.png]

Make sure all DNS queries from the client to the DNS server pass through the FortiGate, and that the DNS filter profile is applied in the firewall policy that allows that DNS traffic.

From CLI:

config firewall policy
    edit 1
        set name "DNSpolicy"
        set srcintf "LAN"
        set dstintf "WAN"
        set action accept
        set srcaddr "all"
        set dstaddr "DNS_SERVERS"
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "BlockccTLD"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

From GUI:

Navigate to Policy & Objects -> Firewall Policy, then create or edit the DNS policy and add this DNS filter profile to it.

[Screenshot KB2.png]

With this configuration in place, all DNS queries for names under the specified ccTLD that traverse the FortiGate will be blocked.
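To check which queried names a '*.<country code>' wildcard entry would catch before rolling the profile out, the following added example (not part of the original article or of FortiOS) emulates the entry as a glob anchored to the whole name; "xx" stands in for the real ccTLD and the query names are constructed. The emulation is an assumption about the wildcard semantics, chosen to show the edge cases: trailing root dot, upper-case names, the bare TLD, and look-alike names that only contain the ccTLD as an inner label.

```python
"""Emulate a FortiGate static domain-filter wildcard entry '*.<ccTLD>' (added example)."""
from fnmatch import fnmatchcase

def normalize(qname: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot, as a resolver would."""
    return qname.strip().lower().rstrip(".")

def would_block(qname: str, cc_tld: str) -> bool:
    """Return True if the wildcard entry '*.<cc_tld>' matches the queried name.

    Assumption: the entry behaves like a glob anchored to the whole name, so it
    matches any name whose final label is the ccTLD, but not the bare TLD itself
    and not names that merely contain the ccTLD as an inner label.
    """
    pattern = f"*.{cc_tld.strip('.').lower()}"
    return fnmatchcase(normalize(qname), pattern)

def audit(queries: list[str], cc_tld: str) -> dict[str, bool]:
    """Map each constructed query name to whether the filter entry would block it."""
    return {q: would_block(q, cc_tld) for q in queries}

# Constructed sample query names; "xx" is a placeholder for the real ccTLD.
SAMPLE_QUERIES = [
    "example.xx",          # plain second-level name under the ccTLD
    "www.Shop.Example.XX.", # mixed case with trailing root dot
    "xx",                  # the bare TLD itself
    "example.xx.com",      # ccTLD as an inner label only
    "example.xxx",         # longer TLD sharing the prefix
]

if __name__ == "__main__":
    for name, blocked in audit(SAMPLE_QUERIES, "xx").items():
        print(f"{name:<24} {'BLOCK' if blocked else 'allow'}")
```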