There are two separate policy sets:
- Firewall Policy (config firewall policy)
- Local-in Policy (config firewall local-in-policy)
Firewall Policy handles traffic coming in one interface and going out another interface. Local-in Policy handles traffic hits the FGT itself like IPsec, SSL VPNs, and other FGT initiated traffic's returns.
Did you put the your GEO blocking policy in the local-in-policy? Or firewall policy?