Hi Andrew, you should be able to creat an IP Address exception for the single IP from the disallowed country. Go to Application Security:IP Addresses: IP Address Exceptions, and click create. Then add the allowed IP address and select the option to "Never block this IP address."
Apply the change to the ASM security policy and you should be all set.
Requests from that IP address will still be marked as illegal, because they still originate from a disallowed geolocation. But the exception flag will be an error because it is specified as an allowed address.
Erik Novak