The ideal way to accomplish this involves defining Permission settings for the Enforcement Policy.
Each enforcement policy has a set of permissions for which network objects the nodes can connect with, as well as when, and which services may be used. The conditions that make up a permission set are the network, time and service objects. Create a new network object defining which IP addresses or range of addresses you want the blocked nodes to be able to connect to. All other connections will be denied by default.
I hope this helps,
Let me know if you have more questions!