Merge pull request #177385 from vhorne/fwm-policy

Update policy overview from Eliran

Author: v-andreaco

articles/firewall-manager/policy-overview.md

@@ -5,24 +5,49 @@ author: vhorne
 ms.service: firewall-manager
 services: firewall-manager
 ms.topic: conceptual
-ms.date: 11/24/2020
+ms.date: 10/26/2021
 ms.author: victorh
 ---
 
 # Azure Firewall Manager policy overview
 
-Firewall Policy is an Azure resource that contains NAT, network, and application rule collections, and Threat Intelligence settings. It's a global resource that can be used across multiple Azure Firewall instances in Secured Virtual Hubs and Hub Virtual Networks. Policies work across regions and subscriptions.
+Firewall Policy the recommended method to configure your Azure Firewall. It's a global resource that can be used across multiple Azure Firewall instances in Secured Virtual Hubs and Hub Virtual Networks. Policies work across regions and subscriptions.
 
 ![Azure Firewall Manager policy](media/policy-overview/policy-overview.png)
 
 ## Policy creation and association
 
 A policy can be created and managed in multiple ways, including the Azure portal, REST API, templates, Azure PowerShell, and CLI.
 
-You can also migrate existing rules from Azure Firewall using the portal or Azure PowerShell to create policies. For more information, see [How to migrate Azure Firewall configurations to Azure Firewall policy](migrate-to-policy.md). 
+You can also migrate existing Classic rules from Azure Firewall using the portal or Azure PowerShell to create policies. For more information, see [How to migrate Azure Firewall configurations to Azure Firewall policy](migrate-to-policy.md). 
 
 Policies can be associated with one or more virtual hubs or VNets. The firewall can be in any subscription associated with your account and in any region.
 
+## Classic rules and policies
+
+Azure Firewall supports both Classic rules and policies, but policies is the recommenced configuration. The following table compares policies and classic rules:
+
+
+| Subject | Policy  | Classic rules |
+| ------- | ------- | ----- |
+|Contains     |NAT, Network, Application rules, custom DNS and DNS proxy settings, IP Groups, and Threat Intelligence settings (including allowlist), IDPS, TLS Inspection, Web Categories, URL Filtering|NAT, Network, and Application rules, custom DNS and DNS proxy settings, IP Groups, and Threat Intelligence settings (including allowlist)|
+|Protects     |Virtual hubs and Virtual Networks|Virtual Networks only|
+|Portal experience     |Central management using Firewall Manager|Standalone firewall experience|
+|Multiple firewall support     |Firewall Policy is a separate resource that can be used across firewalls|Manually export and import rules, or using third-party management solutions |
+|Pricing     |Billed based on firewall association. See [Pricing](#pricing).|Free|
+|Supported deployment mechanisms     |Portal, REST API, templates, Azure PowerShell, and CLI|Portal, REST API, templates, PowerShell, and CLI. |
+
+## Standard and Premium policies
+
+Azure Firewall supports Standard and Premium policies. The following table summarizes the difference between the two:
+
+
+|Policy type|Feature support  | Firewall SKU support|
+|---------|---------|----|
+|Standard policy    |NAT rules, Network rules, Application rules<br>Custom DNS, DNS proxy<br>IP Groups<br>Web Categories<br>Threat Intelligence|Standard or Premium|
+|Premium policy    |All Standard feature support, plus:<br><br>TLS Inspection<br>Web Categories<br>URL Filtering<br>IDPS|Premium
+
+
 ## Hierarchical policies
 
 New policies can be created from scratch or inherited from existing policies. Inheritance allows DevOps to create local firewall policies on top of organization mandated base policy.
@@ -32,25 +57,13 @@ Network rule collections inherited from a parent policy are always prioritized a
 
 Threat Intelligence mode is also inherited from the parent policy. You can set your threat Intelligence mode to a different value to override this behavior, but you can't turn it off. It's only possible to override with a stricter value. For example, if your parent policy is set to **Alert only**, you can configure this local policy to **Alert and deny**.
 
-Like Threat Intelligence mode, the Threat Intelligence allow list is inherited from the parent policy. The child policy can add additional IP addresses to the allow list.
+Like Threat Intelligence mode, the Threat Intelligence allowlist is inherited from the parent policy. The child policy can add additional IP addresses to the allowlist.
 
 NAT rule collections aren't inherited because they're specific to a given firewall.
 
 With inheritance, any changes to the parent policy are automatically applied down to associated firewall child policies.
 
-## Traditional rules and policies
 
-Azure Firewall supports both traditional rules and policies. The following table compares policies and rules:
-
-
-| Subject | Policy  | Rules |
-| ------- | ------- | ----- |
-|Contains     |NAT, Network, Application rules, custom DNS and DNS proxy settings, IP Groups, and Threat Intelligence settings (including allow list)|NAT, Network, and Application rules, custom DNS and DNS proxy settings, IP Groups, and Threat Intelligence settings (including allow list)|
-|Protects     |Virtual hubs and Virtual Networks|Virtual Networks only|
-|Portal experience     |Central management using Firewall Manager|Standalone firewall experience|
-|Multiple firewall support     |Firewall Policy is a separate resource that can be used across firewalls|Manually export and import rules, or using third-party management solutions |
-|Pricing     |Billed based on firewall association. See [Pricing](#pricing).|Free|
-|Supported deployment mechanisms     |Portal, REST API, templates, Azure PowerShell, and CLI|Portal, REST API, templates, PowerShell, and CLI. |
 
 ## Pricing