Forum Discussion

DavidFernandes
May 15, 2024

New Blog | Organizing rule collections and rule collection groups in Azure Firewall Policy

By BeatrizSilveira

Firewall Policy is the recommended method to manage Azure Firewall security and operational configurations. When using Firewall Policy, every rule must be part of a rule collection, and every rule collection must be part of a rule collection group. Rule collections are sets of rules that share the same priority and action, and can be of type DNAT, Network, or Application. Rule collection groups are containers for rule collections of any type and are the first level Azure Firewall processes, based on priority. To learn more about rules, rule collections, and rule collection groups, see Azure Firewall Policy rule sets.

This article provides some best practices for configuring and organizing Firewall Policy rules into rule collections and rule collection groups.

Rule processing logic

The first thing to note is that if threat intelligence-based filtering is enabled, those rules are evaluated first and may deny traffic before any configured rules are processed.

For configured rules, the following logic applies:

  1. All DNAT rules are processed first, followed by Network rules, and lastly by Application rules.
  2. Within each rule type, in the order stated in step 1, the firewall evaluates rules based on priority. It looks at the rule collection group with the highest priority and, within that rule collection group, at the rule collection with the highest priority. Keep in mind that priority is any number between 100 (highest priority) and 65,000 (lowest priority).
  3. If there are rules inherited from a parent policy, these take precedence over rules configured in the child policy. Thus, the logic described in step 2 applies to inherited rules first.

For detailed examples of this rule processing logic, see Rule processing using Firewall Policy.
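As an added illustration of the three steps above (not code from the post or from Azure), the following constructed Python model orders rule collections the way the post describes: rule type first, inherited parent groups before child groups, then group priority and collection priority. The policy, group and collection names, the flow dictionary and the matcher lambdas are all made up for the example.

```python
from dataclasses import dataclass

# Rule types in the order Azure Firewall evaluates them (step 1 above).
TYPE_ORDER = ("DNAT", "Network", "Application")

@dataclass
class RuleCollection:
    name: str
    rule_type: str  # "DNAT", "Network" or "Application"
    priority: int   # 100 (highest) .. 65000 (lowest)
    action: str     # shared by every rule in the collection
    rules: list     # [(rule_name, matcher(flow) -> bool), ...]

@dataclass
class RuleCollectionGroup:
    name: str
    priority: int
    collections: list  # RuleCollection objects of any type

def evaluation_order(parent_groups, child_groups):
    """Yield (group, collection) in evaluation order: rule type first (step 1),
    inherited parent groups before child groups (step 3), then group priority
    and collection priority (step 2). Constructed model, not an Azure API."""
    for rule_type in TYPE_ORDER:
        for tier in (parent_groups, child_groups):
            for grp in sorted(tier, key=lambda g: g.priority):
                for rc in sorted(grp.collections, key=lambda c: c.priority):
                    if rc.rule_type == rule_type:
                        yield grp, rc

def first_match(parent_groups, child_groups, flow):
    """Return (group, collection, rule, action) for the first matching rule;
    None means no rule matched, which Azure Firewall denies by default."""
    for grp, rc in evaluation_order(parent_groups, child_groups):
        for rule_name, matches in rc.rules:
            if matches(flow):
                return grp.name, rc.name, rule_name, rc.action
    return None

# Constructed sample policy: one inherited (parent) group, two child groups.
PARENT = [RuleCollectionGroup("parent-net", 500, [
    RuleCollection("deny-smb", "Network", 100, "Deny",
                   [("no-smb", lambda f: f["port"] == 445)])])]
CHILD = [
    RuleCollectionGroup("child-app", 100, [
        RuleCollection("allow-web", "Application", 100, "Allow",
                       [("contoso", lambda f: f.get("fqdn") == "www.contoso.com")])]),
    RuleCollectionGroup("child-net", 300, [
        RuleCollection("allow-smb", "Network", 100, "Allow",
                       [("smb-ok", lambda f: f["port"] == 445)])])]
```

Note that the parent group's Deny on port 445 wins over the child group's Allow even though the child group carries the numerically higher priority (300 versus 500), and that the child Network collection in the priority-300 group is evaluated before the Application collection in the priority-100 group.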

Read the full post here: Organizing rule collections and rule collection groups in Azure Firewall Policy
