Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
6.2.2. Rule Configuration
Rule Types:
| Type | Layer | Use Case |
|---|---|---|
| NAT rules | L3-4 | DNAT for inbound access |
| Network rules | L3-4 | Allow/deny by IP/port |
| Application rules | L7 | FQDN, web categories |
Processing Order:
- NAT rules (DNAT)
- Network rules
- Application rules
Within each type, rules are processed by priority (collection group → collection → rule).
FQDN Filtering:
Rule: Allow *.microsoft.com on HTTPS
- Firewall resolves FQDN
- Inspects SNI header for HTTPS
- Allows/denies based on match
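The processing order and the FQDN match described above, as a simplified Python model (an added example, not Azure's implementation or code from this course). It assumes that lower priority numbers are evaluated first, that `*.` wildcards cover subdomains only, and that matching uses only destination, port and SNI; the `Collection` class, the collection names and the policy are constructed for illustration.

```python
from dataclasses import dataclass

# Rule types are evaluated in this order, as listed on this page.
TYPE_ORDER = {"dnat": 0, "network": 1, "application": 2}

@dataclass
class Collection:
    kind: str        # "dnat", "network" or "application"
    group_prio: int  # rule collection group priority (assumed: lower number first)
    prio: int        # rule collection priority inside its group
    action: str      # "Dnat", "Allow" or "Deny"
    name: str
    rules: list      # (destination IP or FQDN pattern, port) pairs

def fqdn_match(pattern: str, host: str) -> bool:
    """Assumed wildcard semantics: '*.example.com' covers subdomains only."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def evaluate(collections, dst_ip, port, sni=None):
    """Return (action, collection name) of the first match, else default deny."""
    ordered = sorted(collections,
                     key=lambda c: (TYPE_ORDER[c.kind], c.group_prio, c.prio))
    for c in ordered:
        for target, rule_port in c.rules:
            if rule_port != port:
                continue
            if c.kind == "application":
                hit = sni is not None and fqdn_match(target, sni)
            else:
                hit = target in ("*", dst_ip)
            if hit:
                return c.action, c.name
    return "Deny", "default"

# Constructed sample policy; addresses come from documentation ranges.
POLICY = [
    Collection("application", 300, 100, "Allow", "app-allow-ms", [("*.microsoft.com", 443)]),
    Collection("network", 200, 300, "Allow", "net-allow-legacy", [("198.51.100.7", 443)]),
    Collection("network", 200, 100, "Deny", "net-deny-legacy", [("198.51.100.7", 443)]),
    Collection("dnat", 900, 100, "Dnat", "dnat-web", [("203.0.113.10", 8443)]),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "203.0.113.10", 8443))
    print(evaluate(POLICY, "198.51.100.7", 443, sni="login.microsoft.com"))
    print(evaluate(POLICY, "192.0.2.20", 443, sni="update.microsoft.com"))
```

In the second call the network Deny collection decides the flow before the application Allow for `*.microsoft.com` is ever consulted, which is the practical consequence of the type ordering.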
FQDN Tags: Pre-defined groups of FQDNs:
| Tag | Includes |
|---|---|
| WindowsUpdate | Microsoft Update URLs |
| AppServiceEnvironment | ASE dependencies |
| AzureBackup | Backup service URLs |
Written by Alvin Varughese
Founder • 15 professional certifications