Can I just block every country except the US?
We don’t recommend it for most situations. Many websites (maybe yours!) use Content Delivery Networks, which have servers in other countries. Blocking some countries may prevent you from using important websites or services.
So which countries should I block/not block?
You could start with an “Allow All” outbound policy, and block only the countries perceived as the highest risk for you. Or, you could block most of the countries you don’t do business with. However, we recommend not blocking outbound traffic (at least initially) to the United States, Canada, Ireland, the United Kingdom, the European Union, Norway, Sweden, Finland, Denmark, Germany, France, Netherlands, Switzerland, Australia, Japan, and Brazil. Many CDNs have servers in these countries, and blocking these countries may prevent you from using important websites or services.
What do you recommend for inbound country policies?
Inbound country policy requirements are different for everyone. Consider where your users and customers are located (the United States and Canada, for instance), and be sure to allow inbound traffic from those countries. You can probably block the countries you don’t do business with.
Can I set different policies for different types of traffic (e.g. email vs. web)?
Absolutely! Different types of traffic often have different requirements and risks. You can tailor your policies to the needs of your various traffic types.
Which threat categories are most applicable to outbound traffic?
Command and Control, Botnets, Endpoint Exploits, Drop Site, Fraudulent Activity, Illegal Activity, Tor/Anonymizers
Which threat categories are most applicable to inbound traffic?
Command and Control, Botnets, Scanners, Web Exploits, Compromised, Fraudulent Activity, Illegal Activity, Tor/Anonymizers
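The following is an added example (not code from this FAQ or from any product it describes) that models the policy structure recommended above: an “Allow All” outbound policy that blocks only chosen high-risk countries but never the CDN countries listed, a default-deny inbound policy that allows the countries where your users are, direction-specific threat categories, and separate policies per traffic type. The ISO country codes are my mapping of the FAQ’s country names, “EU” stands in for the European Union, and “XA”/“XB” are placeholder codes for whatever countries you judge high risk.

```python
"""Toy evaluator for the country + threat-category policy model in the FAQ."""
from dataclasses import dataclass, field

# Countries the FAQ recommends leaving open outbound because many CDNs host there.
CDN_COUNTRIES = {"US", "CA", "IE", "GB", "EU", "NO", "SE", "FI", "DK", "DE",
                 "FR", "NL", "CH", "AU", "JP", "BR"}
# Threat categories the FAQ lists per direction; note they differ.
OUTBOUND_THREATS = {"Command and Control", "Botnets", "Endpoint Exploits", "Drop Site",
                    "Fraudulent Activity", "Illegal Activity", "Tor/Anonymizers"}
INBOUND_THREATS = {"Command and Control", "Botnets", "Scanners", "Web Exploits",
                   "Compromised", "Fraudulent Activity", "Illegal Activity", "Tor/Anonymizers"}

@dataclass
class Policy:
    direction: str                                 # "outbound" or "inbound"
    default: str = "allow"                         # action when no rule matches
    countries: set = field(default_factory=set)    # exceptions to the default action
    threats: set = field(default_factory=set)      # categories always blocked

def outbound_policy(high_risk):
    """'Allow All' outbound, blocking only high-risk countries. CDN countries are
    never blocked; the ones dropped are returned so the operator can see them."""
    dropped = set(high_risk) & CDN_COUNTRIES
    policy = Policy("outbound", "allow", set(high_risk) - dropped, set(OUTBOUND_THREATS))
    return policy, dropped

def inbound_policy(customer_countries):
    """Default-deny inbound, allowing only where your users and customers are."""
    return Policy("inbound", "block", set(customer_countries), set(INBOUND_THREATS))

def evaluate(policy, country, categories=()):
    """Return (action, reason). Threat categories are checked before geography, so a
    C2 host in an allowed country is still blocked."""
    hit = policy.threats & set(categories)
    if hit:
        return "block", f"threat category {sorted(hit)[0]}"
    if country in policy.countries:
        action = "block" if policy.default == "allow" else "allow"
        return action, f"country rule for {country}"
    return policy.default, "default"

# Separate policies per traffic type, since email and web have different needs.
# "XA"/"XB" are placeholder high-risk codes; "DE" is included to show it gets dropped.
POLICIES = {
    ("web", "outbound"): outbound_policy({"XA", "XB", "DE"})[0],
    ("email", "inbound"): inbound_policy({"US", "CA"}),
}
```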