MicrosoftDocs
diff --git a/‎articles/firewall/compliance-certifications.md‎
Lines changed: 20 additions & 6 deletions b/‎articles/firewall/compliance-certifications.md‎
Lines changed: 20 additions & 6 deletions
diff --git a/‎articles/firewall/detect-malware-with-sentinel.md‎
Lines changed: 83 additions & 95 deletions b/‎articles/firewall/detect-malware-with-sentinel.md‎
Lines changed: 83 additions & 95 deletions
diff --git a/‎articles/firewall/dns-details.md‎
Lines changed: 9 additions & 10 deletions b/‎articles/firewall/dns-details.md‎
Lines changed: 9 additions & 10 deletions
diff --git a/‎articles/firewall/explicit-proxy.md‎
Lines changed: 19 additions & 20 deletions b/‎articles/firewall/explicit-proxy.md‎
Lines changed: 19 additions & 20 deletions
@@ -1,25 +1,39 @@
 ---
 title: Azure Firewall certifications
-description: A list of Azure Firewall certifications for PCI, SOC, and ISO.
-services: firewall
+description: Learn about Azure Firewall compliance certifications including CSA STAR, ISO, SOC, PCI DSS, HITRUST, FedRAMP, and DoD across global and industry-specific audit programs.
 author: duongau
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 04/28/2023
+ms.date: 03/28/2026
 ms.author: duau
 # Customer intent: "As a compliance officer in a regulated industry, I want to review the certifications of Azure Firewall, so that I can ensure it meets the necessary regulatory requirements for our organization."
 ---
 
 # Azure Firewall certifications
 
-To help you meet your own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings) and depth (number of [customer-facing services](https://azure.microsoft.com/services/) in assessment scope). 
+To help you meet your own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings) and depth (number of [customer-facing services](https://azure.microsoft.com/services/) in assessment scope).
 For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).
 
 ## Azure Firewall audit scope
 
-Microsoft retains independent, third-party auditing firms to conduct audits of Microsoft cloud services. The resulting compliance assurances are applicable to both Azure and Azure Government cloud environments. Compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region/country specific. Azure compliance certificates and audit reports state clearly which cloud services are in scope for independent third-party audits. Different audits may have different cloud services in audit scope.
+Microsoft retains independent, third-party auditing firms to conduct audits of Microsoft cloud services. The resulting compliance assurances apply to both Azure and Azure Government cloud environments. Compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region or country/region specific. Azure compliance certificates and audit reports clearly state which cloud services are in scope for independent third-party audits. Different audits might have different cloud services in audit scope.
 
-Azure Firewall is included in many Azure compliance audits such as CSA STAR, ISO, SOC, PCI DSS, HITRUST, FedRAMP, DoD, and others. For the latest insight into Azure Firewall compliance audit scope, see [Cloud services in audit scope](/azure/compliance/offerings/cloud-services-in-audit-scope).
+Azure Firewall is included in many Azure compliance audits. The following list shows the key certifications by category:
+
+**Global, industry, and regional:**
+- CSA STAR
+- ISO/IEC 27001, 27017, and 27018
+- SOC 1 Type 2, SOC 2 Type 2, and SOC 3
+- PCI DSS Level 1
+- HIPAA BAA
+- HITRUST CSF
+- GSMA
+
+**US government:**
+- FedRAMP High
+- DoD IL2, IL4, IL5, and IL6 (Azure Government)
+
+For the authoritative and up-to-date list of which Azure services are in each audit scope, see [Cloud services in audit scope](/azure/compliance/offerings/cloud-services-in-audit-scope).
 
 ## Next steps
 
 
@@ -1,12 +1,11 @@
 ---
 title: Azure Firewall DNS Proxy details
-description: Learn how Azure Firewall DNS Proxy works
-services: firewall
+description: Learn about Azure Firewall DNS proxy implementation details, including FQDN caching behavior, TTL handling, and how DNS proxy affects network rule filtering.
 author: duongau
+ms.author: duau
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 06/11/2024
-ms.author: duau
+ms.date: 03/28/2026
 # Customer intent: As a network administrator, I want to configure Azure Firewall as a DNS proxy, so that I can ensure consistent and reliable DNS resolution for client virtual machines in my network.
 ---
 
@@ -20,19 +19,19 @@ The following information describes some implementation details for Azure Firewa
 
 Azure Firewall acts as a standard DNS client. If multiple A records are in the response, the firewall stores all the records in cache and offers them to the client in the response. If there’s one record per response, the firewall stores only a single record. There's no way for a client to know ahead of time if it should expect one or multiple A records in responses.
 
-## FQDN Time to Live (TTL)
+## FQDN time to live (TTL)
 
-When a FQDN TTL (time-to-live) is about to expire,  records are cached and expired according to their TTLs. Pre-fetching isn't used, so the firewall doesn't do a lookup before TTL expiration to refresh the record.
+The firewall caches and expires records according to their TTLs. Because the firewall doesn't use prefetching, it doesn't do a lookup before TTL expiration to refresh the record.
 
 ## Clients not configured to use the firewall DNS proxy
 
-If a client computer is configured to use a DNS server that isn't the firewall DNS proxy, the results can be unpredictable.
+If you configure a client computer to use a DNS server that isn't the firewall DNS proxy, the results can be unpredictable.
 
-For example, assume a client workload is in US East, and uses a primary DNS server hosted in US East. Azure Firewall DNS server settings are configured for a secondary DNS server hosted in US West. The firewall’s DNS server hosted in US West results in a response different than that of the client in US East.
+For example, assume a client workload is in US East, and uses a primary DNS server hosted in US East. Azure Firewall DNS server settings are configured for a secondary DNS server hosted in US West. The firewall's DNS server hosted in US West results in a response different from that of the client in US East.
 
-This is a common scenario, and why clients should use the firewall’s DNS proxy functionality. Clients should use the  firewall as their resolver if you use FQDNs in Network rules. You can ensure IP address resolution consistency by clients and the firewall itself.
+This scenario is common, and why clients should use the firewall's DNS proxy functionality. Clients should use the firewall as their resolver if you use FQDNs in Network rules. You can ensure IP address resolution consistency by clients and the firewall itself.
 
-In this example, if an FQDN is configured in Network rules, the firewall resolves the FQDN to IP1 (IP address 1) and updates the network rules to allow access to IP1. If and when the client resolves the same FQDN to IP2 because of a difference in DNS response, its connection attempt won't match the rules on the firewall and is denied. 
+In this example, if an FQDN is configured in Network rules, the firewall resolves the FQDN to IP1 (IP address 1) and updates the network rules to allow access to IP1. If and when the client resolves the same FQDN to IP2 because of a difference in DNS response, its connection attempt doesn't match the rules on the firewall and is denied.
 
 For HTTP/S FQDNs in Application rules, the firewall parses out the FQDN from the host or SNI header, resolves it, and then connects to that IP address. The destination IP address the client was trying to connect to is ignored.
 
 
@@ -1,53 +1,52 @@
 ---
-title: Azure Firewall Explicit proxy (preview)
-description: Learn about Azure Firewall's Explicit Proxy setting.
-services: firewall
-author: duau
+title: Azure Firewall explicit proxy (preview)
+description: Learn about Azure Firewall's explicit proxy setting.
+author: duongau
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 03/30/2023
-ms.author: magakman
+ms.date: 03/28/2026
+ms.author: duau
 ms.custom: sfi-image-nochange
 # Customer intent: As a network administrator, I want to configure an explicit proxy on Azure Firewall, so that I can manage outbound traffic efficiently without using a user-defined route.
 ---
 
-# Azure Firewall Explicit proxy (preview)
+# Azure Firewall explicit proxy (preview)
 
 > [!IMPORTANT]
 > Explicit proxy is currently in PREVIEW.
 > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
-Azure Firewall operates in a transparent proxy mode by default. In this mode, traffic is sent to the firewall using a user defined route (UDR) configuration. The firewall intercepts that traffic inline and passes it to the destination.
+Azure Firewall operates in a transparent proxy mode by default. In this mode, you use a user-defined route (UDR) configuration to send traffic to the firewall. The firewall intercepts that traffic inline and passes it to the destination.
 
-With Explicit proxy set on the outbound path, you can configure a proxy setting on the sending application (such as a web browser) with Azure Firewall configured as the proxy. As a result, traffic from the sending application goes to the firewall's private IP address and therefore egresses directly from the firewall without the using  a UDR.
+When you set up explicit proxy on the outbound path, you can configure a proxy setting on the sending application (such as a web browser) with Azure Firewall configured as the proxy. As a result, traffic from the sending application goes to the firewall's private IP address and therefore egresses directly from the firewall without using a UDR.
 
-With the Explicit proxy mode (supported for HTTP/S), you can define proxy settings in the browser to point to the firewall private IP address. You can manually configure the IP address on the browser or application, or you can configure a proxy auto config (PAC) file. The firewall can host the PAC file to serve the proxy requests after you upload it to the firewall.
+With the explicit proxy mode (supported for HTTP/S), you can define proxy settings in the browser to point to the firewall private IP address. You can manually configure the IP address on the browser or application, or you can configure a proxy auto config (PAC) file. The firewall can host the PAC file to serve the proxy requests after you upload it to the firewall.
 
 ## Configuration
 
-- Once the feature is enabled, the following screen shows on the portal:
+- After you enable the feature, the following screen appears on the portal:
 
    :::image type="content" source="media/explicit-proxy/enable-explicit-proxy.png" alt-text="Screenshot showing the Enable explicit proxy setting.":::
 
    > [!NOTE]
    > The HTTP and HTTPS ports can't be the same.
 
-- Next, to allow the traffic to pass through the Firewall, create an **application** rule in the Firewall policy to allow this traffic.
-   > [!IMPORTANT]
-   > You must use an application rule. A network rule won't work.
+1. Next, to allow the traffic through the firewall, create an **application** rule in the firewall policy to allow this traffic.
 
+   > [!IMPORTANT]
+   > You must use an application rule. A network rule doesn't work.
 
-- To use the Proxy autoconfiguration (PAC) file, select **Enable proxy auto-configuration**.
+- Select **Enable proxy auto-configuration** to use the Proxy autoconfiguration (PAC) file.
 
-- First, upload the PAC file to a storage container that you create. Then, on the **Enable explicit proxy** page, configure the shared access signature (SAS) URL. Configure the port where the PAC is served from, and then select **Apply** at the bottom of the page.
+1. First, upload the PAC file to a storage container that you create. Then, on the **Enable explicit proxy** pane, configure the shared access signature (SAS) URL. Configure the port where the PAC is served from, and then select **Apply** at the bottom of the page.
 
-   The SAS URL must have READ permissions so the firewall can download the file. If changes are made to the PAC file, a new SAS URL needs to be generated and configured on the firewall **Enable explicit proxy** page.
+   The SAS URL must have **READ** permissions so the firewall can download the file. If you make changes to the PAC file, you need to generate a new SAS URL and configure it on the firewall **Enable explicit proxy** page.
 
    :::image type="content" source="media/explicit-proxy/shared-access-signature.png" alt-text="Screenshot showing generate shared access signature.":::
 
 ## Governance and compliance
 
-To ensure consistent configuration of explicit proxy settings across your Azure Firewall deployments, you can use Azure Policy definitions. The following policies are available to govern explicit proxy configurations:
+To ensure consistent configuration of explicit proxy settings across your Azure Firewall deployments, use Azure Policy definitions. The following policies are available to govern explicit proxy configurations:
 
 - **Enforce Explicit Proxy Configuration for Firewall Policies**: Ensures that all Azure Firewall policies have explicit proxy configuration enabled.
 - **Enable PAC file configuration while using Explicit Proxy**: Audits that when explicit proxy is enabled, the PAC (Proxy Auto-Configuration) file is also properly configured.
@@ -56,5 +55,5 @@ For more information about these policies and how to implement them, see [Use Az
 
 ## Next steps
 
-- To learn more about Explicit proxy, see [Demystifying Explicit proxy: Enhancing Security with Azure Firewall](https://techcommunity.microsoft.com/t5/azure-network-security-blog/demystifying-explicit-proxy-enhancing-security-with-azure/ba-p/3873445).
-- To learn how to deploy an Azure Firewall, see [Deploy and configure Azure Firewall using Azure PowerShell](deploy-ps.md).
+- To learn more about explicit proxy, see [Demystifying Explicit proxy: Enhancing Security with Azure Firewall](https://techcommunity.microsoft.com/t5/azure-network-security-blog/demystifying-explicit-proxy-enhancing-security-with-azure/ba-p/3873445).
+- To learn how to deploy an Azure Firewall, see [Deploy and configure Azure Firewall by using Azure PowerShell](deploy-ps.md).