That is correct. The only time, I recall, that the firewall will see the original, un-translated public destination IP is when you front end the firewall with a public standard load balancer and enable the "floating IP" option. In that configuration, you do reference the public IP associated with the load balancer in the NAT policy of the firewall. It wasn't clear from your original post that you were attempting to use the public IP in your NAT rule, so sorry for that assumption on my part. When you associate a public IP to a private IP in Azure, it handles the NAT. That is why you don't need a public IP configured on the management interface of the firewall, just like you don't need a public IP configured on the un-trust interface.