You could make a Netgroup (a group of network objects) that consists of these countries that shouldn't hit your firewall (a group of geo-location objects). Use this netgroup in a Deny rule as the Source Endpoint and set the zones to External and External; you have to set a Redirect in the rule to anything (any object) for the Deny rule to work. Then you set up an audit filter to match this rule_name and if an IP from one of those countries hits your firewall you can then Blackhole that IP.
Check out this post here I made and the other post I linked to inside this one to make the audit filter: https://community.mcafee.com/message/172260#172260
Thank you, Sliedl, for the quick response and very good directions.
I will now be able to pass this on to management and then start implementing it on our test firewall. This could take some time, so I am going to mark this as answered.