
Commit 7f3d266

Add FAQ entry about TCP ping and logging behavior
1 parent 56bd148 commit 7f3d266

1 file changed

Lines changed: 4 additions & 0 deletions


articles/firewall/firewall-faq.yml

@@ -333,6 +333,10 @@ sections:
333333
TCP ping is a unique use case where if there's no allowed rule, the Firewall itself responds to the client's TCP ping request even though the TCP ping doesn't reach the target IP address/FQDN. In this case, the event isn't logged. If there's a network rule that allows access to the target IP address/FQDN, then the ping request reaches the target server and its response is relayed back to the client. This event is logged in the Network rules log.
334334
335335
336+
- question: Why the TCP ping and similar tools successfully connect to a target FQDN/IP address on ports 80, 443, and 1433 but are not observed in the logs of the Azure Firewall?
337+
answer: |
338+
The Azure Firewall acts as a passive listener for the ports 80, 443, and 1433. The TCP SYN packets on these ports are not logged unless there is application traffic. The HTTP GET request and TLS client hello will be logged in Azure Firewall.
339+
336340
- question: Are there limits for the number of IP addresses supported by IP Groups?
337341
answer: |
338342
Yes. For more information, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits)
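Review bot: the new question at line 336 is ungrammatical and overlaps with the entry immediately above it, which already explains when a TCP ping is and is not logged; reword it to "Why do TCP ping and similar tools successfully connect to a target FQDN/IP address on ports 80, 443, and 1433 but not appear in Azure Firewall logs?" and either merge the two entries or have the new answer point back to the preceding one so readers are not given two partially different explanations. In the answer (line 338), "will be logged in Azure Firewall" should name the log the events land in (the surrounding entries say "Network rules log" and this one is presumably the application rules log), and the sentence on HTTP GET and TLS client hello covers 80 and 443 only: say what counts as "application traffic" on port 1433, or drop 1433 from the question, since as written a reader cannot tell whether a SQL connection on 1433 is ever logged. Minor style point: the existing entries write "Azure Firewall" without the article, so "The Azure Firewall acts as..." should become "Azure Firewall acts as...".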
