Merge pull request #46735 from vhorne/upd-fw-known

PRMerger18 · web-flow · commit b7d6fe601438 · 2018-07-16T14:51:20.000-07:00
add new known issue
diff --git a/articles/firewall/overview.md b/articles/firewall/overview.md
@@ -6,7 +6,7 @@ ms.service: firewall
 services: firewall
 ms.topic: overview
 ms.custom: mvc
-ms.date: 7/11/2018
+ms.date: 7/16/2018
 ms.author: victorh
 #Customer intent: As an administrator, I want to evaluate Azure Firewall so I can determine if I want to use it.
 ---
@@ -57,6 +57,7 @@ The Azure Firewall public preview has the following known issues:
 |Interoperability with NSGs     |If a network security group (NSG) is applied on the firewall subnet, it may block outbound Internet connectivity even if the NSG is configured to allow outbound internet access. Outbound Internet connections are marked as coming from a VirtualNetwork and the destination is Internet. An NSG has VirtualNetwork to VirtualNetwork *allow* by default, but not when destination is Internet.|To mitigate, add the following inbound rule to the NSG that is applied on the firewall subnet:<br><br>Source: VirtualNetwork Source ports: Any <br><br>Destination: Any Destination Ports: Any <br><br>Protocol: All Access: Allow|
 |Conflict with Azure Security Center (ASC) Just-in-Time (JIT) feature|If a virtual machine is accessed using JIT, and is in a subnet with a user-defined route that points to Azure Firewall as a default gateway, ASC JIT doesn’t work. This is a result of asymmetric routing – a packet comes in via the virtual machine public IP (JIT opened the access), but the return path is via the firewall, which drops the packet because no session is established on the firewall.|To work around this issue, place the JIT virtual machines on a separate subnet that doesn’t have a user-defined route to the firewall.|
 |Hub and spoke with global peering doesn’t work|The hub and spoke model, where the hub and firewall are deployed in one Azure region, with the spokes in another Azure region, connected to the hub via Global VNet Peering is not supported.|For more information, see [Create, change, or delete a virtual network peering](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints)|
+Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don’t work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview#limitations). We are exploring options to support this scenario in a future release.
 
 
 
