
Question about how WAF works

I'm curious about how the WAF rules get processed in relation to the network protection/firewall rules on the UTM.

If I set up a virtual webserver (redirecting traffic to a "real" webserver that's behind the UTM), then does traffic to that site automatically get whitelisted through the network protection firewall? Or to put it another way, if I want to set up a webserver protected by the UTM's WAF, but also want to restrict traffic to that webserver to only certain IP addresses, can I do that with firewall rules?

It *seems* like my WAF-protected website is completely ignoring other firewall rules I set up, but I wanted to throw this out to the group since I'm very new to using the WAF part of the UTM and may be fundamentally misunderstanding how this is supposed to work.



  • Your conclusion is correct. There is no need for creating any firewall or DNAT rules when publishing internal web services with WAF.

    For restricting access from only certain IP addresses use "Site Path Routing" WAF feature with access control enabled.

  • Huh.. ok... after I posted this, I did a little further digging and also found this: https://community.sophos.com/products/unified-threat-management/f/57/t/50204 confirming my observation and suggesting a solution.

    I had already enabled the access control under WAF, but I really want HTTPS traffic from non-whitelisted IPs to be just dropped right at the firewall rather than generating an 'access denied' message as the WAF control provides.

    The solution is to use the approach in the link I posted.

    It's a shame that the UTM doesn't function like a traditional packet-filtering firewall in this case, though, where ALL traffic would be filtered through the firewall rules first before any of the other modules.

    Thanks for the quick response though!
