The trick to Geo-IP blocking is not turning off a country's access to critical areas of your network; it's filtering that country so it receives only the traffic that is necessary to your business. Firewalls just do not get you there.
Even with well-made firewalls like SonicWall, Fortinet, Check Point, and several others that have Geo-IP capabilities, the approach to Geo-IP management is broad-stroke. It's not that they do not care; it could be as simple as a marketing move, limitations given everything else the product already does, or simply put, "it's not their focus" for the product line.
If you have ever tried really cranking up the Geo-IP feature on any of them, you will find hardship for your internal users: latency, load, and frustration. Understandable, because the feature is not treated very seriously, or is an afterthought.
The fact is, Geo-IP filtering should not be done on any layer that is inspecting application content; rather, it MUST be done within its own layer, given the scope of the Geo-IP task.
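To make the distinction concrete, here is an added example (not code from the original post or from any of the vendors named above): a small stand-alone Geo-IP pre-filter that sits in front of the inspecting firewall and, per source country, forwards only the services the business actually needs from that country, defaulting to drop. The prefixes, country codes and port allow-lists are constructed for illustration; a real deployment would load them from a Geo-IP database and its own policy.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed sample Geo-IP table (RFC 5737 documentation ranges, not real
# geolocation data). In practice this comes from a Geo-IP database feed.
GEOIP_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "BR",
}

HOME_COUNTRY = "US"  # hypothetical: the country where the business operates

# Hypothetical per-country allow-list: the only destination ports the
# business needs to expose to sources in that country.
COUNTRY_SERVICES: Dict[str, Set[int]] = {
    "DE": {443, 25},   # partner offices: HTTPS and inbound mail only
    "BR": {443},       # customers: HTTPS only
}


def lookup_country(ip: str) -> Optional[str]:
    """Longest-prefix match of a source address to a country code."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEOIP_PREFIXES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def geo_decision(src_ip: str, dst_port: int) -> str:
    """Return 'forward' (hand the flow on to the inspecting firewall) or 'drop'.

    This layer never looks at payload; it decides purely on source country
    and destination service, so the expensive inspection engine only ever
    sees traffic the business has a reason to accept from that country.
    """
    cc = lookup_country(src_ip)
    if cc is None:
        return "drop"          # unmapped source: fail closed
    if cc == HOME_COUNTRY:
        return "forward"       # home-country traffic gets full inspection path
    if dst_port in COUNTRY_SERVICES.get(cc, set()):
        return "forward"       # only the services that country actually needs
    return "drop"              # everything else from that country is dropped here
```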
The question is always asked, "What countries should I block?", as if the name of the country and its ideology were the gauge for how to filter it. The fact is there are no borders on the internet, on ideology, or on greed, so asking which country to block is not the best measuring stick. Sure, the attacker's motivation could stem from that country, but it rarely starts and ends there. An attacker's attack surface and resources are limitless because of their ability to traverse from country to country without resistance. There are many reasons they can do this, and it all starts with what we call "The Human Condition", whose two main traits are imperfection and the inability, so far, to predict the future.