set locationParameter -matchWildcardtoany YES
add locationFile /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4 -format netscaler
add audit messageaction Non_US_Drop WARNING "CLIENT.IP.SRC + \" was dropped because they are not in the US. They are listed as \" + CLIENT.IP.SRC.LOCATION" -logtoNewnslog YES
add audit messageaction Non_US_Canada_Drop WARNING "CLIENT.IP.SRC + \" was dropped because they are not in US or Canada. They are listed as \" + CLIENT.IP.SRC.LOCATION" -logtoNewnslog YES
add responder policy Drop_Non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT" DROP -logAction Non_US_Drop
add responder policy Drop_Non_US_and_Canada "(CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.CA.*.*.*.*\").NOT)" DROP -logAction Non_US_Canada_Drop
Copy and paste the above code into a terminal window into your ADC. Then enable (if not already) the Responder feature. Bind these to your vServer that you want restricted access to and then test away.
I recommend engineers have a private VPN account so that they can route their traffic to various countries specifically for testing features such as this.
If everything is being trapped, make sure you have the * setup as a wild card. The code above includes it, and the article below goes into more detail.