Merge pull request #113145 from JackStromberg/patch-40

PRMerger19 · web-flow · commit 3496f869271a · 2020-04-30T08:54:59.000-07:00
Adding limitation on NAT rules
diff --git a/articles/firewall/overview.md b/articles/firewall/overview.md
@@ -117,6 +117,7 @@ Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work
 |DNAT isn't supported with Forced Tunneling enabled|Firewalls deployed with Forced Tunneling enabled can't support inbound access from the Internet because of asymmetric routing.|This is by design because of asymmetric routing. The return path for inbound connections goes via the on-premises firewall, which hasn't seen the connection established.
 |Outbound Passive FTP doesn't work for Firewalls with multiple public IP addresses.|Passive FTP establishes different connections for control and data channels. When a Firewall with multiple public IP addresses sends data outbound, it randomly selects one of its public IP addresses for the source IP address. FTP fails when data and control channels use different source IP addresses.|An explicit SNAT configuration is planned. In the meantime, consider using a single IP address in this situation.|
 |NetworkRuleHit metric is missing a protocol dimension|The ApplicationRuleHit metric allows filtering based protocol, but this capability is missing in the corresponding NetworkRuleHit metric.|A fix is being investigated.|
+|NAT rules with ports between 64000 and 65535 are unsupported|Azure Firewall allows any port in the 1-65535 range in network and application rules, however NAT rules only support ports in the 1-63999 range.|This is a current limitation.
 |Configuration updates may take five minutes on average.|An Azure Firewall configuration update can take three to five minutes on average, and parallel updates aren't supported.|A fix is being investigated.
 
 ## Next steps
