Commit f56e380

Added multiple subdomain wildcard example
1 parent 6339f69 commit f56e380

1 file changed

+41
-41
lines changed


articles/firewall/firewall-faq.yml

Lines changed: 41 additions & 41 deletions
@@ -21,35 +21,35 @@ sections:
2121
- question: What capabilities are supported in Azure Firewall?
2222
answer: |
2323
To learn about Azure Firewall features, see [Azure Firewall features](features.md).
24-
24+
2525
- question: What is the typical deployment model for Azure Firewall?
2626
answer: |
2727
You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central firewall virtual network. Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues across regions. For best performance, deploy one firewall per region.
28-
28+
2929
The advantage of this model is the ability to centrally exert control on multiple spoke VNETs across different subscriptions. There are also cost savings as you don't need to deploy a firewall in each VNet separately. The cost savings should be measured versus the associate peering cost based on the customer traffic patterns.
30-
30+
3131
- question: How can I install the Azure Firewall?
3232
answer: |
3333
You can set up Azure Firewall by using the Azure portal, PowerShell, REST API, or by using templates. See [Tutorial: Deploy and configure Azure Firewall using the Azure portal](tutorial-firewall-deploy-portal.md) for step-by-step instructions.
34-
34+
3535
- question: What are some Azure Firewall concepts?
3636
answer: |
3737
Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are higher priority than application rule collections, and all rules are terminating.
38-
38+
3939
There are three types of rule collections:
40-
40+
4141
* *Application rules*: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
4242
* *Network rules*: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
4343
* *NAT rules*: Configure DNAT rules to allow incoming Internet connections.
44-
44+
4545
- question: Does Azure Firewall support inbound traffic filtering?
4646
answer: |
4747
Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols. For example RDP, SSH, and FTP protocols. For best inbound HTTP/S protection, use a web application firewall such as [Azure Web Application Firewall (WAF)](../web-application-firewall/overview.md).
48-
48+
4949
- question: Which logging and analytics services are supported by the Azure Firewall?
5050
answer: |
5151
Azure Firewall is integrated with Azure Monitor for viewing and analyzing firewall logs. Logs can be sent to Log Analytics, Azure Storage, or Event Hubs. They can be analyzed in Log Analytics or by different tools such as Excel and Power BI. For more information, see [Tutorial: Monitor Azure Firewall logs](./firewall-diagnostics.md).
52-
52+
5353
- question: How does Azure Firewall work differently from existing services such as NVAs in the marketplace?
5454
answer: Azure Firewall is a managed, cloud-based network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It is pre-integrated with third-party security as a service (SECaaS) providers to provide advanced security for your virtual network and branch Internet connections.
5555

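Review bot: Every change in this hunk is whitespace-only (lines 24, 28, 30, 34, 38, 40, 44, 48 and 52 are each removed and re-added as an empty line, presumably stripping trailing whitespace) and has nothing to do with the commit message "Added multiple subdomain wildcard example"; the same is true of the hunks at lines 65, 108, 118, 135 and 203. Put the trailing-whitespace cleanup in its own commit so the single content change in this commit, the new `*contoso.com` table entry at line 167, can be reviewed on its own.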
@@ -65,34 +65,34 @@ sections:
6565
- question: How do I set up Azure Firewall with my service endpoints?
6666
answer: |
6767
For secure access to PaaS services, we recommend service endpoints. You can choose to enable service endpoints in the Azure Firewall subnet and disable them on the connected spoke virtual networks. This way you benefit from both features: service endpoint security and central logging for all traffic.
68-
68+
6969
- question: What is the pricing for Azure Firewall?
7070
answer: |
7171
See [Azure Firewall Pricing](https://azure.microsoft.com/pricing/details/azure-firewall/).
72-
72+
7373
- question: How can I stop and start Azure Firewall?
7474
answer: |
7575
You can use Azure PowerShell *deallocate* and *allocate* methods. For a firewall configured for forced tunneling, the procedure is slightly different.
76-
76+
7777
For example, for a firewall NOT configured for forced tunneling:
78-
78+
7979
```azurepowershell
8080
# Stop an existing firewall
8181
8282
$azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
8383
$azfw.Deallocate()
8484
Set-AzFirewall -AzureFirewall $azfw
8585
```
86-
86+
8787
```azurepowershell
8888
# Start the firewall
89-
89+
9090
$azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
9191
$vnet = Get-AzVirtualNetwork -ResourceGroupName "RG Name" -Name "VNet Name"
9292
$publicip1 = Get-AzPublicIpAddress -Name "Public IP1 Name" -ResourceGroupName "RG Name"
9393
$publicip2 = Get-AzPublicIpAddress -Name "Public IP2 Name" -ResourceGroupName "RG Name"
9494
$azfw.Allocate($vnet,@($publicip1,$publicip2))
95-
95+
9696
Set-AzFirewall -AzureFirewall $azfw
9797
```
9898
@@ -108,7 +108,7 @@ sections:
108108
109109
```azurepowershell
110110
# Start the firewall
111-
111+
112112
$azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
113113
$vnet = Get-AzVirtualNetwork -ResourceGroupName "RG Name" -Name "VNet Name"
114114
$pip= Get-AzPublicIpAddress -ResourceGroupName "RG Name" -Name "azfwpublicip"
@@ -118,14 +118,14 @@ sections:
118118
```
119119
120120
When you allocate and deallocate, [firewall billing](https://azure.microsoft.com/pricing/details/azure-firewall) stops and starts accordingly.
121-
121+
122122
> [!NOTE]
123123
> You must reallocate a firewall and public IP to the original resource group and subscription.
124124
125125
- question: What are the known service limits?
126126
answer: |
127127
For Azure Firewall service limits, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits).
128-
128+
129129
- question: Can Azure Firewall in a hub virtual network forward and filter network traffic between two spoke virtual networks?
130130
answer: Yes, you can use Azure Firewall in a hub virtual network to route and filter traffic between two spoke virtual network. Subnets in each of the spoke virtual networks must have a UDR pointing to the Azure Firewall as a default gateway for this scenario to work properly.
131131

@@ -135,23 +135,23 @@ sections:
135135
- question: Does Azure Firewall outbound SNAT between private networks?
136136
answer: |
137137
Azure Firewall doesn't SNAT when the destination IP address is a private IP range per [IANA RFC 1918](https://tools.ietf.org/html/rfc1918). If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. You can configure Azure Firewall to **not** SNAT your public IP address range. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
138-
138+
139139
In addition, traffic processed by application rules are always SNAT-ed. If you want to see the original source IP address in your logs for FQDN traffic, you can use network rules with the destination FQDN.
140140
- question: Is forced tunneling/chaining to a Network Virtual Appliance supported?
141141
answer: |
142142
Forced tunneling is supported when you create a new firewall. You can't configure an existing firewall for forced tunneling. For more information, see [Azure Firewall forced tunneling](forced-tunneling.md).
143-
143+
144144
Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the **NextHopType** value set as **Internet** to maintain direct Internet connectivity.
145-
145+
146146
If your configuration requires forced tunneling to an on-premises network and you can determine the target IP prefixes for your Internet destinations, you can configure these ranges with the on-premises network as the next hop via a user defined route on the AzureFirewallSubnet. Or, you can use BGP to define these routes.
147-
147+
148148
- question: Are there any firewall resource group restrictions?
149149
answer: Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
150150

151151
- question: When configuring DNAT for inbound Internet network traffic, do I also need to configure a corresponding network rule to allow that traffic?
152152
answer: |
153153
No. NAT rules implicitly add a corresponding network rule to allow the translated traffic. You can override this behavior by explicitly adding a network rule collection with deny rules that match the translated traffic. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
154-
154+
155155
- question: How do wildcards work in target URLs and target FQDNs in application rules?
156156
answer: |
157157
- **URL** - Asterisks work when placed on the right-most or left-most side. If it is on the left, it can't be part of the FQDN.
@@ -164,7 +164,7 @@ sections:
164164
|---------|---------|---------|---------|
165165
|TargetURL |`www.contoso.com` |Yes|`www.contoso.com`<br>`www.contoso.com/`|
166166
|TargetURL |`*.contoso.com` |Yes|`any.contoso.com/`|
167-
|TargetURL |`*contoso.com`|Yes |`example.anycontoso.com`<br>`contoso.com`|
167+
|TargetURL |`*contoso.com`|Yes |`example.anycontoso.com`<br>`sub1.example.anycontoso.com`<br>`contoso.com`|
168168
|TargetURL |`www.contoso.com/test`|Yes|`www.contoso.com/test`<br>`www.contoso.com/test/`<br>`www.contoso.com/test?with_query=1`|
169169
|TargetURL |`www.contoso.com/test/*`|Yes|`www.contoso.com/test/anything`<br>Note - `www.contoso.com/test` will **not** match (last slash)|
170170
|TargetURL |`www.contoso.*/test/*`|No| |
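Review bot: The new `sub1.example.anycontoso.com` example on line 167 documents that a left-anchored `*contoso.com` target URL matches through several subdomain levels, but the parallel TargetFQDN `*contoso.com` row (line 178 in the next hunk) still lists only `example.anycontoso.com` and `contoso.com`, so the two tables now imply different matching for the same pattern; either add the same multi-level example to the TargetFQDN row or say explicitly that URL and FQDN wildcard semantics differ. Since the row already shows `example.anycontoso.com` as a match, it is also worth a short sentence next to the example that `*contoso.com` without a leading dot matches any name that merely ends in `contoso.com`, including domains outside `contoso.com` itself, so readers wanting only subdomains should use `*.contoso.com`.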
@@ -178,7 +178,7 @@ sections:
178178
|TargetFQDN |`*contoso.com`|Yes|`example.anycontoso.com`<br>`contoso.com`|
179179
|TargetFQDN |`www.contoso.*`|No| |
180180
|TargetFQDN |`*.contoso.*`|No| |
181-
181+
182182
- question: |
183183
What does *Provisioning state: Failed* mean?
184184
answer: Whenever a configuration change is applied, Azure Firewall attempts to update all its underlying backend instances. In rare cases, one of these backend instances may fail to update with the new configuration and the update process stops with a failed provisioning state. Your Azure Firewall is still operational, but the applied configuration may be in an inconsistent state, where some instances have the previous configuration where others have the updated rule set. If this happens, try updating your configuration one more time until the operation succeeds and your Firewall is in a *Succeeded* provisioning state.
@@ -203,63 +203,63 @@ sections:
203203

204204
- question: How long does it take for Azure Firewall to scale out?
205205
answer: |
206-
Azure Firewall gradually scales when average throughput or CPU consumption is at 60%. A default deployment maximum throughput is approximately 2.5 - 3 Gbps and starts to scale out when it reaches 60% of that number. Scale out takes five to seven minutes.
207-
206+
Azure Firewall gradually scales when average throughput or CPU consumption is at 60%. A default deployment maximum throughput is approximately 2.5 - 3 Gbps and starts to scale out when it reaches 60% of that number. Scale out takes five to seven minutes.
207+
208208
When performance testing, make sure you test for at least 10 to 15 minutes, and start new connections to take advantage of newly created Firewall nodes.
209209
210210
- question: How does Azure Firewall handle idle timeouts?
211211
answer: |
212212
When a connection has an idle timeout (four minutes of no activity), Azure Firewall gracefully terminates the connection by sending a TCP RST packet.
213213
214214
- question: How does Azure Firewall handle VM instance shutdowns during virtual machine scale set scale in (scale down) or fleet software upgrades?
215-
answer: |
216-
An Azure Firewall VM instance shutdown may occur during virtual machine scale set scale in (scale down) or during fleet software upgrade. In these cases, new incoming connections are load balanced to the remaining firewall instances and are not forwarded to the down firewall instance. After 45 seconds the firewall starts rejecting existing connections by sending TCP RST packets. After an additional 45 seconds the firewall VM shuts down. For more information, see [Load Balancer TCP Reset and Idle Timeout](../load-balancer/load-balancer-tcp-reset.md).
217-
215+
answer: |
216+
An Azure Firewall VM instance shutdown may occur during virtual machine scale set scale in (scale down) or during fleet software upgrade. In these cases, new incoming connections are load balanced to the remaining firewall instances and are not forwarded to the down firewall instance. After 45 seconds the firewall starts rejecting existing connections by sending TCP RST packets. After an additional 45 seconds the firewall VM shuts down. For more information, see [Load Balancer TCP Reset and Idle Timeout](../load-balancer/load-balancer-tcp-reset.md).
217+
218218
- question: Does Azure Firewall allow access to Active Directory by default?
219219
answer: |
220220
No. Azure Firewall blocks Active Directory access by default. To allow access, configure the AzureActiveDirectory service tag. For more information, see [Azure Firewall service tags](service-tags.md).
221-
221+
222222
- question: Can I exclude an FQDN or an IP address from Azure Firewall Threat Intelligence based filtering?
223223
answer: |
224224
Yes, you can use Azure PowerShell to do it:
225-
225+
226226
```azurepowershell
227227
# Add a Threat Intelligence allowlist to an Existing Azure Firewall
228228
229229
# Create the allowlist with both FQDN and IPAddresses
230230
$fw = Get-AzFirewall -Name "Name_of_Firewall" -ResourceGroupName "Name_of_ResourceGroup"
231231
$fw.ThreatIntelWhitelist = New-AzFirewallThreatIntelWhitelist `
232232
-FQDN @("fqdn1", "fqdn2", …) -IpAddress @("ip1", "ip2", …)
233-
233+
234234
# Or Update FQDNs and IpAddresses separately
235235
$fw = Get-AzFirewall -Name $firewallname -ResourceGroupName $RG
236236
$fw.ThreatIntelWhitelist.IpAddresses = @($fw.ThreatIntelWhitelist.IpAddresses + $ipaddresses)
237237
$fw.ThreatIntelWhitelist.fqdns = @($fw.ThreatIntelWhitelist.fqdns + $fqdns)
238-
239-
238+
239+
240240
Set-AzFirewall -AzureFirewall $fw
241241
```
242-
242+
243243
- question: Why can a TCP ping and similar tools successfully connect to a target FQDN even when no rule on Azure Firewall allows that traffic?
244244
answer: |
245245
A TCP ping isn't actually connecting to the target FQDN. Azure Firewall doesn't allow a connection to any target IP address/FQDN unless there is an explicit rule that allows it.
246-
246+
247247
TCP ping is a unique use case where if there is no allowed rule, the Firewall itself responds to the client's TCP ping request even though the TCP ping doesn't reach the target IP address/FQDN. In this case, the event is not logged. If there is a network rule that allows access to the target IP address/FQDN, then the ping request reaches the target server and its response is relayed back to the client. This event is logged in the Network rules log.
248248
249249
250250
- question: Are there limits for the number of IP addresses supported by IP Groups?
251251
answer: |
252252
Yes. For more information, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits)
253-
253+
254254
- question: Can I move an IP Group to another resource group?
255255
answer: No, moving an IP Group to another resource group isn't currently supported.
256256

257257
- question: What is the TCP Idle Timeout for Azure Firewall?
258258
answer: |
259259
A standard behavior of a network firewall is to ensure TCP connections are kept alive and to promptly close them if there's no activity. Azure Firewall TCP Idle Timeout is four minutes. This setting isn't user configurable, but you can contact Azure Support to increase the idle timeout up to 30 minutes.
260-
260+
261261
If a period of inactivity is longer than the timeout value, there's no guarantee that the TCP or HTTP session is maintained. A common practice is to use a TCP keep-alive. This practice keeps the connection active for a longer period. For more information, see the [.NET examples](/dotnet/api/system.net.servicepoint.settcpkeepalive).
262-
262+
263263
- question: Can I deploy Azure Firewall without a public IP address?
264264
answer: No, currently you must deploy Azure Firewall with a public IP address.
265265

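Review bot: This hunk is also whitespace-only, but while it is being touched, the Threat Intelligence allowlist sample (lines 234 to 237) reads `$firewallname`, `$RG`, `$ipaddresses` and `$fqdns` without assigning them anywhere in the block, and the first form at line 232 puts `…` inside the array literals, so neither variant runs as pasted; define the four variables (or reuse the literal `"Name_of_Firewall"` / `"Name_of_ResourceGroup"` from line 230) and replace `…` with a concrete second element or drop it.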