@scottalanmiller said:

We lead with geo-specific deny rules to block regions before allowing ports.

And in that case it makes sense. You're blocking all traffic from China or Russia, for example. Then you allow the ports you want open but those countries are blocked, and maybe every other country is fine (hopefully you haven't blocked Spain... ;)), and then you deny the rest. That also makes logistical sense. I don't disagree with @thecreativeone91. It all comes down to what your objective is and then determining the best way to approach it.