articles/firewall-manager/policy-overview.md
Lines changed: 13 additions & 11 deletions
@@ -1,12 +1,12 @@
1
1
---
2
2
title: Azure Firewall Manager policy overview
3
3
description: Learn about Azure Firewall Manager policies.
4
-
author: duongau
4
+
author: sujamiya
5
5
ms.service: azure-firewall-manager
6
6
services: firewall-manager
7
7
ms.topic: concept-article
8
-
ms.date: 03/06/2024
9
-
ms.author: duau
8
+
ms.date: 07/09/2025
9
+
ms.author: sujamiya
10
10
---
11
11
12
12
# Azure Firewall Manager policy overview
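Review bot: the metadata change sets both `author` and `ms.author` to the same value, `sujamiya`, whereas the values being replaced were two different handles (`duongau` for `author`, `duau` for `ms.author`), which suggests the two fields are not expected to be identical; confirm that `sujamiya` is correct for both rather than one field having been copied into the other. The `ms.date` bump to 07/09/2025 is appropriate given the body text edits in the later hunks.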
@@ -21,7 +21,7 @@ A policy can be created and managed in multiple ways, including the Azure portal
21
21
22
22
You can also migrate existing Classic rules from Azure Firewall using the portal or Azure PowerShell to create policies. For more information, see [How to migrate Azure Firewall configurations to Azure Firewall policy](migrate-to-policy.md).
23
23
24
-
Policies can be associated with one or more virtual hubs or VNets. The firewall can be in any subscription associated with your account and in any region.
24
+
Policies can be associated with one or more firewalls deployed in either a Virtual WAN (creating a Secured Virtual Hub) or a Virtual Network (creating a Hub Virtual Network). Firewalls can reside in any region or subscription linked to your account.
25
25
26
26
## Classic rules and policies
27
27
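Review bot: the parenthetical "(creating a Secured Virtual Hub)" reads as if the policy association is what creates the secured hub, but it is deploying the firewall into the Virtual WAN hub that makes it a secured virtual hub; the same applies to "(creating a Hub Virtual Network)". Suggest rewording the new line to "Policies can be associated with one or more firewalls, whether deployed in a Virtual WAN hub (a secured virtual hub) or in a virtual network (a hub virtual network)." Also, "any region or subscription linked to your account" is vaguer than the sentence it replaces; "any subscription you have access to" keeps the original meaning.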
@@ -31,7 +31,7 @@ Azure Firewall supports both Classic rules and policies, but policies is the rec
31
31
| Subject | Policy | Classic rules |
32
32
| ------- | ------- | ----- |
33
33
|Contains |NAT, Network, Application rules, custom DNS and DNS proxy settings, IP Groups, and Threat Intelligence settings (including allowlist), IDPS, TLS Inspection, Web Categories, URL Filtering|NAT, Network, and Application rules, custom DNS and DNS proxy settings, IP Groups, and Threat Intelligence settings (including allowlist)|
34
-
|Protects |Virtual hubs and Virtual Networks|Virtual Networks only|
34
+
|Protects |Virtual Hubs (VWAN) and Virtual Networks|Virtual Networks only|
35
35
|Portal experience |Central management using Firewall Manager|Standalone firewall experience|
36
36
|Multiple firewall support |Firewall Policy is a separate resource that can be used across firewalls|Manually export and import rules, or using third-party management solutions |
37
37
|Pricing |Billed based on firewall association. See [Pricing](#pricing).|Free|
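Review bot: the "Protects" cell introduces the abbreviation "VWAN" while the paragraph edited in the previous hunk spells out "Virtual WAN"; pick one form, for example "Virtual WAN hubs and virtual networks", so the table and the prose agree. The capitalization "Virtual Hubs" also differs from the lowercase "virtual hubs" used in the line being removed and elsewhere in the file.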
@@ -51,17 +51,19 @@ Azure Firewall supports Basic, Standard, and Premium policies. The following tab
51
51
52
52
## Hierarchical policies
53
53
54
-
New policies can be created from scratch or inherited from existing policies. Inheritance allows DevOps to create local firewall policies on top of organization mandated base policy.
54
+
New firewall policies can either be created from scratch or inherited from existing policies. Inheritance allows DevOps to define local firewall policies on top of organization mandated base policies.
55
55
56
-
Policies created with non-empty parent policies inherit all rule collections from the parent policy. The parent policy and the child policy must be in the same region. A firewall policycan be associated with firewalls across regions regardless where they're stored.
56
+
When a new policy is created with a non-empty parent policy, it inherits all rule collections from the parent. Both the parent and child policies must reside in the same region. However, a firewall policy, regardless of where it is stored, can be associated with firewalls in any region.
57
57
58
-
Network rule collections inherited from a parent policy are always prioritized over network rule collections defined as part of a new policy. The same logic also applies to application rule collections. However, network rule collections are always processed before application rule collections regardless of inheritance.
58
+
### Rule inheritance ###
59
+
Network rule collections inherited from the parent policy are always prioritized over network rule collections defined as part of a new policy. The same logic also applies to application rule collections. Regardless of inheritance, network rule collections are processed before application rule collections.
59
60
60
-
Threat Intelligence mode is also inherited from the parent policy. You can set your threat Intelligence mode to a different value to override this behavior, but you can't turn it off. It's only possible to override with a stricter value. For example, if your parent policy is set to **Alert only**, you can configure this local policy to **Alert and deny**.
61
+
NAT rule collections are not inherited, as they are specific to individual firewalls. If you want to use NAT rules, you must define them in the child policy.
61
62
62
-
Like Threat Intelligence mode, the Threat Intelligence allowlist is inherited from the parent policy. The child policy can add more IP addresses to the allowlist.
63
+
### Threat Intelligence mode and allowlist inheritance ###
64
+
Threat Intelligence mode is also inherited from the parent policy. While you can override this setting in the child policy, it must be with a stricter mode - you cannot disable it. For example, if your parent policy is set to **Alert only**, the child policy can be set to **Alert and deny**, but not to a less strict mode.
63
65
64
-
NAT rule collections aren't inherited because they're specific to a given firewall.
66
+
Similarly, the Threat Intelligence allowlist is inherited from the parent policy, and the child policy can append additional IP addresses to this list.
65
67
66
68
With inheritance, any changes to the parent policy are automatically applied down to associated firewall child policies.
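Review bot: the new "Threat Intelligence mode and allowlist inheritance" section states that the mode can only be overridden with a stricter value, then says the child can append addresses to the inherited allowlist without noting that this moves in the opposite direction: every address a child appends is exempted from Threat Intelligence filtering on that firewall, so a child policy can relax enforcement in a way the mode override cannot. Add a sentence making that explicit, for example "Addresses appended by the child policy are exempt from Threat Intelligence filtering, so review child allowlists as carefully as the parent's." Two style points in the same hunk: the headings "### Rule inheritance ###" and "### Threat Intelligence mode and allowlist inheritance ###" use closing hashes while the rest of the file ("## Classic rules and policies", "## Hierarchical policies") does not, so drop the trailing "###"; and "defined as part of a new policy" would be clearer as "defined in the child policy", matching the terminology used in the surrounding paragraphs.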