articles/firewall/threat-intel.md: 6 additions & 8 deletions
@@ -5,27 +5,25 @@ services: firewall
5
5
author: duau
6
6
ms.service: azure-firewall
7
7
ms.topic: concept-article
8
-
ms.date: 08/01/2022
8
+
ms.date: 10/07/2025
9
9
ms.author: duau
10
10
# Customer intent: As a network security administrator, I want to enable threat intelligence-based filtering on my firewall, so that I can proactively alert and deny traffic from known malicious IP addresses and domains to enhance the security of my network.
You can enable Threat intelligence-based filtering for your firewall to alert and deny traffic from/to known malicious IP addresses, FQDNs, and URLs. The IP addresses, domains and URLs are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team.[Intelligent Security Graph](https://www.microsoft.com/security/operations/intelligence) powers Microsoft threat intelligence and uses multiple services including Microsoft Defender for Cloud.<br>
15
+
You can enable Threat intelligence-based filtering for your firewall to alert and deny traffic from/to known malicious IP addresses, FQDNs, and URLs. The IP addresses, domains and URLs are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team.<br>
If you've enabled threat intelligence-based filtering, the firewall processes the associated rules before any of the NAT rules, network rules, or application rules.
20
+
When threat intelligence-based filtering is enabled, Azure Firewall evaluates traffic against the threat intelligence rules before applying NAT, network, or application rules.
21
21
22
-
When a rule triggers, you can choose to just log an alert, or you can choose alert and deny mode.
22
+
Administrators can configure the firewall to operate in alert-only mode or in alert and deny mode when a threat intelligence rule is triggered. By default, the firewall operates in alert-only mode. This mode can be disabled or changed to alert and deny.
23
23
24
-
By default, threat intelligence-based filtering is in alert mode. You can’t turn off this feature or change the mode until the portal interface becomes available in your region.
24
+
Allow lists can be defined to exempt specific FQDNs, IP addresses, ranges, or subnets from threat intelligence filtering.
25
25
26
-
You can define allowlists so threat intelligence doesn't filter traffic to any of the listed FQDNs, IP addresses, ranges, or subnets.
27
-
28
-
For a batch operation, you can upload a CSV file with list of IP addresses, ranges, and subnets.
26
+
For batch operations, administrators can upload a CSV file containing IP addresses, ranges, and subnets to populate the allow list.
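Review bot: The added mode paragraph (new line 22) is ambiguous in "This mode can be disabled or changed to alert and deny": it reads as if alert-only mode itself is what gets disabled, whereas the removed text spoke of turning off the feature. The paragraph also drops the removed line's explanation that in alert mode a triggered rule will "just log an alert", so a reader no longer learns here that the default does not deny matching traffic. Suggested wording: "By default, the firewall only logs an alert when a threat intelligence rule triggers; you can turn the feature off or switch it to alert and deny." Smaller points: new line 15 keeps "includes multiple sources including" and the trailing <br>; the new lines switch to "Administrators" while line 15 still addresses "you"; and "allowlists" became "Allow lists" / "allow list", so pick one form and use it in both places.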