Hello @Yang, Steven,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
We've already informed the Azure Firewall Product Group team regarding the documentation bug for directions, and they have mentioned that they will be fixing it shortly.
The values for "Direction" are as follows:
- Outbound - 0
- Inbound - 1
- Bidirectional - 2
- Internal - 3
- Internal/Outbound - 4
Bidirectional or Any means the signature is always applied to any traffic direction (inbound/outbound, irrespective of where the traffic is sent from and destined to).
Refer: https://learn.microsoft.com/en-us/azure/firewall/premium-features#idps-signature-rules
You can also refer to the blog below, written by the Azure Firewall PG, where you can see that Any means both inbound and outbound:
The values for Severity are mentioned as below in the IDPS document:
- Low (priority 3): An abnormal event is one that doesn't normally occur on a network or Informational events are logged. Probability of attack is low.
- Medium (priority 2): The signature indicates an attack of a suspicious nature. The administrator should investigate further.
- High (priority 1): The attack signatures indicate that an attack of a severe nature is being launched. There's little probability that the packets have a legitimate purpose.
Refer: https://learn.microsoft.com/en-us/azure/firewall/premium-features#idps-signature-rules
And it looks like the REST API doc has this reversed. I've shared this feedback with the Azure Firewall PG as well, so that they can update it while updating the Directions.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.