Merge pull request #105472 from vhorne/fw-rule-logic

Updates based on GH Issues requests

Author: tiburd

articles/firewall/firewall-faq.md

@@ -49,7 +49,7 @@ There are three types of rule collections:
 
 ## Does Azure Firewall support inbound traffic filtering?
 
-Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols. For example RDP, SSH, and FTP protocols. For best inbound HTTP/S protection, use a web application firewall such as [Azure Web Application Firewall on Azure Application Gateway](../web-application-firewall/ag/ag-overview.md).
+Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols. For example RDP, SSH, and FTP protocols. For best inbound HTTP/S protection, use a web application firewall such as [Azure Web Application Firewall (WAF)](../web-application-firewall/overview.md).
 
 ## Which logging and analytics services are supported by the Azure Firewall?
 

articles/firewall/rule-processing.md

@@ -5,20 +5,86 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: article
-ms.date: 11/19/2018
+ms.date: 02/25/2020
 ms.author: victorh
 ---
 
 # Azure Firewall rule processing logic
-Azure Firewall has NAT rules, network rules, and applications rules. The rules are processed according to the rule type.
+You can configure NAT rules, network rules, and applications rules on Azure Firewall. The rules are processed according to the rule type. 
 
+> [!NOTE]
+> If you enable threat intelligence-based filtering, those rules are highest priority and are always processed first. Threat-intelligence filtering may deny traffic before any configured rules are processed. For more information, see [Azure Firewall threat intelligence-based filtering](threat-intel.md).
 
-## Network rules and applications rules 
-Network rules are applied first, then application rules. The rules are terminating. So if a match is found in network rules, then application rules are not processed.  If there is no network rule match, and if the packet protocol is HTTP/HTTPS, the packet is then evaluated by the application rules. If still no match is found, then the packet is evaluated against the infrastructure rule collection. If there is still no match, then the packet is denied by default.
+## Outbound
 
-## NAT rules
-Inbound connectivity can be enabled by configuring Destination Network Address Translation (DNAT) as described in [Tutorial: Filter inbound traffic with Azure Firewall DNAT using the Azure portal](tutorial-firewall-dnat.md). DNAT rules are applied first. If a match is found, an implicit corresponding network rule to allow the translated traffic is added. You can override this behavior by explicitly adding a network rule collection with deny rules that match the translated traffic. No application rules are applied for these connections.
+### Network rules and applications rules
 
+If you configure network rules and application rules, then network rules are applied in priority order before application rules. The rules are terminating. So if a match is found in a network rule, no other rules are processed.  If there is no network rule match, and if the protocol is HTTP,HTTPS, or MSSQL, the the packet is then evaluated by the application rules in priority order. If still no match is found, then the packet is evaluated against the [infrastructure rule collection](infrastructure-fqdns.md). If there is still no match, then the packet is denied by default.
+
+## Inbound
+
+### NAT rules
+
+Inbound connectivity can be enabled by configuring Destination Network Address Translation (DNAT) as described in [Tutorial: Filter inbound traffic with Azure Firewall DNAT using the Azure portal](tutorial-firewall-dnat.md). NAT rules are applied in priority before network rules. If a match is found, an implicit corresponding network rule to allow the translated traffic is added. You can override this behavior by explicitly adding a network rule collection with deny rules that match the translated traffic.
+
+Application rules are not applied for inbound connections. So if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF). For more information, see [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)
+
+## Examples
+
+The following examples show the results of some of these rule combinations.
+
+### Example 1
+
+Connection to google.com is allowed because of a matching network rule.
+
+**Network rule**
+
+- Action: Allow
+
+
+|name  |Protocol  |Source type  |Source  |Destination type  |Destination address  |Destination ports|
+|---------|---------|---------|---------|----------|----------|--------|
+|Allow-web     |TCP|IP address|*|IP address|*|80,443
+
+**Application rule**
+
+- Action: Deny
+
+|name  |Source type  |Source  |Protocol:Port|Target FQDNs|
+|---------|---------|---------|---------|----------|----------|
+|Deny-google     |IP address|*|http:80,https:443|google.com
+
+**Result**
+
+The connection to google.com is allowed because the packet matches the *Allow-web* network rule. Rule processing stops at this point.
+
+### Example 2
+
+SSH traffic is denied because a higher priority *Deny* network rule collection blocks it.
+
+**Network rule collection 1**
+
+- Name: Allow-collection
+- Priority: 200
+- Action: Allow
+
+|name  |Protocol  |Source type  |Source  |Destination type  |Destination address  |Destination ports|
+|---------|---------|---------|---------|----------|----------|--------|
+|Allow-SSH     |TCP|IP address|*|IP address|*|22
+
+**Network rule collection 2**
+
+- Name: Deny-collection
+- Priority: 100
+- Action: Deny
+
+|name  |Protocol  |Source type  |Source  |Destination type  |Destination address  |Destination ports|
+|---------|---------|---------|---------|----------|----------|--------|
+|Deny-SSH     |TCP|IP address|*|IP address|*|22
+
+**Result**
+
+SSH connections are denied because a higher priority network rule collection blocks it. Rule processing stops at this point.
 
 ## Next steps