Merge pull request #313830 from duongau/firewall-freshness-review-564969-P1a

Azure Firewall freshness review — articles #9-18 (P1a)

Author: v-ccolin

articles/firewall/detect-malware-with-sentinel.md

@@ -1,12 +1,11 @@
 ---
 title: Azure Firewall DNS Proxy details
-description: Learn how Azure Firewall DNS Proxy works
-services: firewall
+description: Learn about Azure Firewall DNS proxy implementation details, including FQDN caching behavior, TTL handling, and how DNS proxy affects network rule filtering.
 author: duongau
+ms.author: duau
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 06/11/2024
-ms.author: duau
+ms.date: 03/28/2026
 # Customer intent: As a network administrator, I want to configure Azure Firewall as a DNS proxy, so that I can ensure consistent and reliable DNS resolution for client virtual machines in my network.
 ---
 
@@ -20,19 +19,19 @@ The following information describes some implementation details for Azure Firewa
 
 Azure Firewall acts as a standard DNS client. If multiple A records are in the response, the firewall stores all the records in cache and offers them to the client in the response. If there’s one record per response, the firewall stores only a single record. There's no way for a client to know ahead of time if it should expect one or multiple A records in responses.
 
-## FQDN Time to Live (TTL)
+## FQDN time to live (TTL)
 
-When a FQDN TTL (time-to-live) is about to expire,  records are cached and expired according to their TTLs. Pre-fetching isn't used, so the firewall doesn't do a lookup before TTL expiration to refresh the record.
+The firewall caches and expires records according to their TTLs. Because the firewall doesn't use prefetching, it doesn't do a lookup before TTL expiration to refresh the record.
 
 ## Clients not configured to use the firewall DNS proxy
 
-If a client computer is configured to use a DNS server that isn't the firewall DNS proxy, the results can be unpredictable.
+If you configure a client computer to use a DNS server that isn't the firewall DNS proxy, the results can be unpredictable.
 
-For example, assume a client workload is in US East, and uses a primary DNS server hosted in US East. Azure Firewall DNS server settings are configured for a secondary DNS server hosted in US West. The firewall’s DNS server hosted in US West results in a response different than that of the client in US East.
+For example, assume a client workload is in US East, and uses a primary DNS server hosted in US East. Azure Firewall DNS server settings are configured for a secondary DNS server hosted in US West. The firewall's DNS server hosted in US West results in a response different from that of the client in US East.
 
-This is a common scenario, and why clients should use the firewall’s DNS proxy functionality. Clients should use the  firewall as their resolver if you use FQDNs in Network rules. You can ensure IP address resolution consistency by clients and the firewall itself.
+This scenario is common, and why clients should use the firewall's DNS proxy functionality. Clients should use the firewall as their resolver if you use FQDNs in Network rules. You can ensure IP address resolution consistency by clients and the firewall itself.
 
-In this example, if an FQDN is configured in Network rules, the firewall resolves the FQDN to IP1 (IP address 1) and updates the network rules to allow access to IP1. If and when the client resolves the same FQDN to IP2 because of a difference in DNS response, its connection attempt won't match the rules on the firewall and is denied. 
+In this example, if an FQDN is configured in Network rules, the firewall resolves the FQDN to IP1 (IP address 1) and updates the network rules to allow access to IP1. If and when the client resolves the same FQDN to IP2 because of a difference in DNS response, its connection attempt doesn't match the rules on the firewall and is denied.
 
 For HTTP/S FQDNs in Application rules, the firewall parses out the FQDN from the host or SNI header, resolves it, and then connects to that IP address. The destination IP address the client was trying to connect to is ignored.
 

articles/firewall/dns-details.md

@@ -1,19 +1,19 @@
 ---
 title: Use Azure Policy to help secure your Azure Firewall deployments
-description: You can use Azure Policy to help secure your Azure Firewall deployments.
+description: Govern Azure Firewall configurations by applying Azure Policies that enforce security best practices and organizational compliance standards.
 author: duau
 ms.author: duau
 ms.service: azure-firewall
 ms.topic: how-to
-ms.date: 09/05/2024
+ms.date: 03/28/2026
 # Customer intent: "As a network administrator, I want to apply Azure Policies to govern Azure Firewall configurations, so that I can ensure compliance with security best practices and organizational standards."
 ---
 
 # Use Azure Policy to help secure your Azure Firewall deployments
 
-Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy does this by evaluating your resources for noncompliance with assigned policies. For example, you can have a policy to allow only a certain size of virtual machines in your environment or to enforce a specific tag on resources. 
+Azure Policy is a service in Azure that you can use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy evaluates your resources for noncompliance with assigned policies. For example, you can use a policy to allow only a certain size of virtual machines in your environment or to enforce a specific tag on resources.
 
-Azure Policy can be used to govern Azure Firewall configurations by applying policies that define what configurations are allowed or disallowed. This helps ensure that the firewall settings are consistent with organizational compliance requirements and security best practices. 
+You can use Azure Policy to govern Azure Firewall configurations by applying policies that define what configurations are allowed or disallowed. This approach helps ensure that the firewall settings are consistent with organizational compliance requirements and security best practices.
 
 ## Prerequisites
 
@@ -23,105 +23,64 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 The following policies are available for Azure Firewall:
 
-- **Enable Threat Intelligence in Azure Firewall Policy**
-
-   This policy makes sure that any Azure Firewall configuration without threat intel enabled is marked as noncompliant. 
-- **Deploy Azure Firewall across Multiple Availability Zones**
-
-   The policy restricts Azure Firewall deployment to be only allowed with Multiple Availability Zone configuration. 
-- **Upgrade Azure Firewall Standard to Premium**
-
-   This policy recommends upgrading Azure Firewall Standard to Premium so that all the Premium version advanced firewall features can be used. This further enhances the security of the network. 
-- **Azure Firewall Policy Analytics should be enabled**
-
-   This policy ensures that the Policy Analytics is enabled on the firewall to effectively tune and optimize firewall rules. 
-- **Azure Firewall should only allow Encrypted Traffic**
-   
-   This policy analyses existing rules and ports in Azure firewall policy and audits firewall policy to make sure that only encrypted traffic is allowed into the environment. 
-- **Azure Firewall should have DNS Proxy Enabled**
-   
-   This Policy Ensures that DNS proxy feature is enabled on Azure Firewall deployments. 
-- **Enable IDPS in Azure Firewall Premium Policy**
-   
-   This policy ensures that the IDPS feature is enabled on Azure Firewall deployments to effectively protect the environment from various threats and vulnerabilities. 
-- **Enable TLS inspection on Azure Firewall Policy**
-   
-   This policy mandates that TLS inspection is enabled to detect, alert, and mitigate malicious activity in HTTPS traffic. 
-- **Enforce Explicit Proxy Configuration for Firewall Policies**
-   
-   This policy ensures that all Azure Firewall policies have explicit proxy configuration enabled. It checks for the presence of the `explicitProxy.enableExplicitProxy` field and flags resources as noncompliant if this setting is missing. This helps maintain consistent proxy configurations across all firewall deployments. For the complete policy definition, see [Enforce Explicit Proxy Configuration for Firewall Policies](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Policy%20-%20Azure%20Policy%20Definitions/Policy%20-%20Enforce%20Explicit%20Proxy%20Configuration%20for%20Firewall%20Policies).
-- **Enable PAC file configuration while using Explicit Proxy on Azure Firewall**
-   
-   This policy audits Azure Firewall policies to ensure that when explicit proxy is enabled, the PAC (Proxy Auto-Configuration) file is also properly configured. It validates that if `explicitProxy.enableExplicitProxy` is true, then `explicitProxy.enablePacFile` should also be enabled to provide proper proxy auto-configuration capabilities. For the complete policy definition, see [Enable PAC file configuration while using Explicit Proxy on Azure Firewall](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Policy%20-%20Azure%20Policy%20Definitions/Policy%20-%20Enable%20PAC%20file%20configuration%20while%20using%20Explicit%20Proxy%20on%20Azure%20Firewall).
-- **Migrate from Azure Firewall Classic Rules to Firewall Policy**
-   
-   This policy recommends migrating from Firewall Classic Rules to Firewall Policy. 
-- **VNET with specific tag must have Azure Firewall Deployed**
-   
-   This policy finds all virtual networks with a specified tag and checks if there's an Azure Firewall deployed, and flags it as noncompliant if no Azure Firewall exists. 
-
-The following steps show how you can create an Azure Policy that enforces all Firewall Policies to have the Threat Intelligence feature enabled (either **Alert Only**, or **Alert and deny**). The Azure Policy scope is set to the resource group that you create.
+| Policy | Description |
+|--------|-------------|
+| **Enable Threat Intelligence in Azure Firewall Policy** | Marks any Azure Firewall configuration without threat intelligence enabled as noncompliant. |
+| **Deploy Azure Firewall across Multiple Availability Zones** | Restricts Azure Firewall deployment to only allow multiple Availability Zone configurations. |
+| **Upgrade Azure Firewall Standard to Premium** | Recommends upgrading Azure Firewall Standard to Premium to use advanced Premium features and enhance network security. |
+| **Azure Firewall Policy Analytics should be enabled** | Ensures Policy Analytics is enabled on the firewall to effectively tune and optimize firewall rules. |
+| **Azure Firewall should only allow Encrypted Traffic** | Audits firewall policy rules and ports to ensure only encrypted traffic is allowed into the environment. |
+| **Azure Firewall should have DNS Proxy Enabled** | Ensures the DNS proxy feature is enabled on Azure Firewall deployments. |
+| **Enable IDPS in Azure Firewall Premium Policy** | Ensures the IDPS feature is enabled on Azure Firewall deployments to protect against threats and vulnerabilities. |
+| **Enable TLS inspection on Azure Firewall Policy** | Requires TLS inspection to be enabled to detect, alert, and mitigate malicious activity in HTTPS traffic. |
+| **Enforce Explicit Proxy Configuration for Firewall Policies** | Ensures all Azure Firewall policies have explicit proxy configuration enabled by checking for the `explicitProxy.enableExplicitProxy` field. For the complete policy definition, see [Enforce Explicit Proxy Configuration for Firewall Policies](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Policy%20-%20Azure%20Policy%20Definitions/Policy%20-%20Enforce%20Explicit%20Proxy%20Configuration%20for%20Firewall%20Policies). |
+| **Enable PAC file configuration while using Explicit Proxy on Azure Firewall** | Audits firewall policies to ensure that when explicit proxy is enabled (`explicitProxy.enableExplicitProxy` is true), the PAC file (`explicitProxy.enablePacFile`) is also enabled. For the complete policy definition, see [Enable PAC file configuration while using Explicit Proxy on Azure Firewall](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Policy%20-%20Azure%20Policy%20Definitions/Policy%20-%20Enable%20PAC%20file%20configuration%20while%20using%20Explicit%20Proxy%20on%20Azure%20Firewall). |
+| **Migrate from Azure Firewall Classic Rules to Firewall Policy** | Recommends migrating from Firewall Classic Rules to Firewall Policy. |
+| **VNET with specific tag must have Azure Firewall Deployed** | Checks all virtual networks with a specified tag for an Azure Firewall deployment and flags the configuration as noncompliant if none exists. |
+
+The following steps show how you can create an Azure Policy that enforces all Firewall Policies to have the Threat Intelligence feature enabled (either **Alert Only** or **Alert and deny**). Set the Azure Policy scope to the resource group that you create.
 
 ## Create a resource group
 
-This resource group is set as the scope for the Azure Policy, and is where you create the Firewall Policy.
+Set this resource group as the scope for the Azure Policy. Create the Firewall Policy in this resource group.
 
-1. From the Azure portal, select **Create a resource**.
-1. In the search box, type **resource group** and press Enter.
-1. Select **Resource group** from the search results.
-1. Select **Create**.
-1. Select your subscription.
-1. Type a name for your resource group.
-1. Select a region.
-1. Select **Next : Tags**.
-1. Select **Next : Review + create**.
-1. Select **Create**.
+1. From the Azure portal, select **Create a resource**, search for `resource group`, and select **Resource group** from the results.
+1. Select **Create**, select your subscription, type a name for your resource group, and select a region.
+1. Select **Review + create**, and then select **Create**.
 
 ## Create an Azure Policy
 
-Now create an Azure Policy in your new resource group. This policy ensures that any firewall policies must have Threat Intelligence enabled.
+Now create an Azure Policy in your new resource group. This policy ensures that any firewall policies have Threat Intelligence enabled.
 
-1. From the Azure portal, select **All services**.
-1. In the filter box, type **policy** and press Enter.
-1. Select **Policy** in the search results.
-1. On the Policy page, select **Getting started**.
-1. Under **Assign policies**, select **View definitions**.
-1. On the Definitions page, type **firewall**, in the search box.
-1. Select **Azure Firewall Policy should enable Threat Intelligence**.
+1. From the Azure portal, search for `policy`, and select **Policy** from the results.
+1. In the left menu, expand **Authoring** and select **Definitions**.
+1. In the search box, type `firewall`, and then select **Azure Firewall Policy should enable Threat Intelligence**.
 1. Select **Assign policy**.
-1. For **Scope**, select you subscription and your new resource group.
-1. Select **Select**.
+1. For **Scope**, select your subscription and your new resource group, and then select **Select**.
 1. Select **Next**.
-1. On the **Parameters** page, clear the **Only show parameters that need input or review** check box.
-1. For **Effect**, select **Deny**.
-1. Select **Review + create**.
-1. Select **Create**.
+1. On the **Parameters** pane, clear the **Only show parameters that need input or review** check box, and then for **Effect**, select **Deny**.
+1. Select **Review + create**, then select **Create**.
 
-## Create a Firewall Policy
+## Create a firewall policy
 
-Now you attempt to create a Firewall Policy with Threat Intelligence disabled.
+Now, create a firewall policy with Threat Intelligence disabled.
 
-1. From the Azure portal, select **Create a resource**.
-1. In the search box, type **firewall policy** and press Enter.
-1. Select **Firewall Policy** in the search results.
-1. Select **Create**.
-1. Select your subscription.
-1. For **Resource group**, select the resource group that you created previously.
-1. In the **Name** text box, type a name for your policy.
-1. Select **Next : DNS Settings**.
-1. Continue selecting through to the **Threat intelligence** page.
+1. From the Azure portal, select **Create a resource**, search for `firewall policy`, and select **Firewall Policy** from the results.
+1. Select **Create**, and then select your subscription and the resource group that you created previously.
+1. In the **Name** box, type a name for your policy.
+1. Go to the **Threat intelligence** tab.
 1. For **Threat intelligence mode**, select **Disabled**.
 1. Select **Review + create**.
 
-You should see an error that says your resource was disallowed by policy, confirming that your Azure Policy doesn't allow firewall policies that have Threat Intelligence disabled.
+You see an error that says your resource was disallowed by policy, confirming that your Azure Policy doesn't allow firewall policies that have Threat Intelligence disabled.
 
 ## Additional Azure Policy definitions
 
 For more Azure Policy definitions specifically designed for Azure Firewall, including policies for explicit proxy configuration, see the [Azure Network Security GitHub repository](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20Firewall/Policy%20-%20Azure%20Policy%20Definitions). This repository contains community-contributed policy definitions that you can deploy in your environment.
 
 ## Related content
 
-- [What is Azure Policy?](../governance/policy/overview.md)
+- [What's Azure Policy?](../governance/policy/overview.md)
 - [Govern your Azure Firewall configuration with Azure Policies](https://techcommunity.microsoft.com/t5/azure-network-security-blog/govern-your-azure-firewall-configuration-with-azure-policies/ba-p/4189902)
 - [Azure Firewall Explicit proxy (preview)](explicit-proxy.md)