Merge pull request #298179 from MicrosoftDocs/main

learn-build-service-prod[bot] · web-flow · commit 7b0bc791262d · 2025-04-13T05:07:50.000Z
Merged by Learn.Build PR Management system
diff --git a/articles/firewall/firewall-known-issues.md b/articles/firewall/firewall-known-issues.md
@@ -5,7 +5,7 @@ services: firewall
 author: varunkalyana
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 04/10/2025
+ms.date: 04/11/2025
 ms.author: varunkalyana
 ---
 
@@ -32,6 +32,7 @@ Azure Firewall Standard has the following known issues:
 |---------|---------|---------|
 |DNAT support for private IP addresses limited to Standard and Premium versions|Support for DNAT on Azure Firewall private IP address is intended for enterprises, so is limited to the Standard and Premium Firewall versions.| None|
 |Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don't work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](../load-balancer/outbound-rules.md#limitations). We're exploring options to support this scenario in a future release.|
+|When an Azure Firewall is deallocated and then allocated again, sometimes it may be assigned a new private IP address that differs from the previous one.| In such scenarios, the existing User Defined Routes (UDRs) configured with the old private IP address will need to be reconfigured to reflect the new private IP address.|A fix for this issue to retain the previously assigned private IP address is in our roadmap.|
 |Missing PowerShell and CLI support for ICMP|Azure PowerShell and CLI don't support ICMP as a valid protocol in network rules.|It's still possible to use ICMP as a protocol via the portal and the REST API. We're working to add ICMP in PowerShell and CLI soon.|
 |FQDN tags require a protocol: port to be set|Application rules with FQDN tags require port: protocol definition.|You can use **https** as the port: protocol value. We're working to make this field optional when FQDN tags are used.|
 |Moving a firewall to a different resource group or subscription isn't supported|Moving a firewall to a different resource group or subscription isn't supported.|Supporting this functionality is on our road map. To move a firewall to a different resource group or subscription, you must delete the current instance and recreate it in the new resource group or subscription.|
