Commit e3cfc80

Merge pull request #227003 from vhorne/fwm-pol-over
add Basic policy
2 parents 3291a6b + 5055a20 commit e3cfc80

1 file changed

+6
-5
lines changed

articles/firewall-manager/policy-overview.md

@@ -5,7 +5,7 @@ author: vhorne
55
ms.service: firewall-manager
66
services: firewall-manager
77
ms.topic: conceptual
8-
ms.date: 10/26/2021
8+
ms.date: 02/10/2023
99
ms.author: victorh
1010
---
1111

@@ -37,13 +37,14 @@ Azure Firewall supports both Classic rules and policies, but policies is the rec
3737
|Pricing |Billed based on firewall association. See [Pricing](#pricing).|Free|
3838
|Supported deployment mechanisms |Portal, REST API, templates, Azure PowerShell, and CLI|Portal, REST API, templates, PowerShell, and CLI. |
3939

40-
## Standard and Premium policies
40+
## Basic, Standard, and Premium policies
4141

42-
Azure Firewall supports Standard and Premium policies. The following table summarizes the difference between the two:
42+
Azure Firewall supports Basic (preview), Standard, and Premium policies. The following table summarizes the difference between these policies:
4343

4444

4545
|Policy type|Feature support | Firewall SKU support|
4646
|---------|---------|----|
47+
|Basic policy|NAT rules, Application rules<br>IP Groups<br>Threat Intelligence (alerts)|Basic
4748
|Standard policy |NAT rules, Network rules, Application rules<br>Custom DNS, DNS proxy<br>IP Groups<br>Web Categories<br>Threat Intelligence|Standard or Premium|
4849
|Premium policy |All Standard feature support, plus:<br><br>TLS Inspection<br>Web Categories<br>URL Filtering<br>IDPS|Premium
4950

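Review bot: The added Basic policy row (new line 47) lists "NAT rules, Application rules" and leaves out Network rules, while the Standard row directly below includes them and the inheritance section talks about network rule collections without any per-tier exception; confirm the omission is intended, and if it is not, add Network rules to the row. The intro sentence marks Basic as "(preview)" but the table row does not, so a reader who scans only the table will miss that status. The new row also ends at "|Basic" without the closing pipe that the Standard row has.
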
@@ -53,11 +54,11 @@ Azure Firewall supports Standard and Premium policies. The following table summa
5354
New policies can be created from scratch or inherited from existing policies. Inheritance allows DevOps to create local firewall policies on top of organization mandated base policy.
5455

5556
Policies created with non-empty parent policies inherit all rule collections from the parent policy.
56-
Network rule collections inherited from a parent policy are always prioritized above network rule collections defined as part of a new policy. The same logic also applies to application rule collections. However, network rule collections are always processed before application rule collections regardless of inheritance.
57+
Network rule collections inherited from a parent policy are always prioritized over network rule collections defined as part of a new policy. The same logic also applies to application rule collections. However, network rule collections are always processed before application rule collections regardless of inheritance.
5758

5859
Threat Intelligence mode is also inherited from the parent policy. You can set your threat Intelligence mode to a different value to override this behavior, but you can't turn it off. It's only possible to override with a stricter value. For example, if your parent policy is set to **Alert only**, you can configure this local policy to **Alert and deny**.
5960

60-
Like Threat Intelligence mode, the Threat Intelligence allowlist is inherited from the parent policy. The child policy can add additional IP addresses to the allowlist.
61+
Like Threat Intelligence mode, the Threat Intelligence allowlist is inherited from the parent policy. The child policy can add more IP addresses to the allowlist.
6162

6263
NAT rule collections aren't inherited because they're specific to a given firewall.
6364

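Review bot: With a Basic tier now listed as supporting only "Threat Intelligence (alerts)", the unchanged Threat Intelligence paragraph in this hunk (line 58/59) still says a local policy can override to a stricter value such as **Alert and deny**; state whether that override is available when the policy is Basic, and whether a Basic policy can inherit from or act as parent to a Standard or Premium policy. Since new lines 57 and 61 are wording cleanups, the same pass could hyphenate "organization mandated" and fix the lowercase "threat Intelligence mode" in the neighbouring context lines.
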