Merge pull request #313827 from duongau/firewall-freshness-review-564969-P0

Azure Firewall P0 freshness review - 8 articles updated

Author: v-ccolin

articles/firewall/compliance-certifications.md

@@ -1,25 +1,39 @@
 ---
 title: Azure Firewall certifications
-description: A list of Azure Firewall certifications for PCI, SOC, and ISO.
-services: firewall
+description: Learn about Azure Firewall compliance certifications including CSA STAR, ISO, SOC, PCI DSS, HITRUST, FedRAMP, and DoD across global and industry-specific audit programs.
 author: duongau
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 04/28/2023
+ms.date: 03/28/2026
 ms.author: duau
 # Customer intent: "As a compliance officer in a regulated industry, I want to review the certifications of Azure Firewall, so that I can ensure it meets the necessary regulatory requirements for our organization."
 ---
 
 # Azure Firewall certifications
 
-To help you meet your own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings) and depth (number of [customer-facing services](https://azure.microsoft.com/services/) in assessment scope). 
+To help you meet your own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings) and depth (number of [customer-facing services](https://azure.microsoft.com/services/) in assessment scope).
 For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).
 
 ## Azure Firewall audit scope
 
-Microsoft retains independent, third-party auditing firms to conduct audits of Microsoft cloud services. The resulting compliance assurances are applicable to both Azure and Azure Government cloud environments. Compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region/country specific. Azure compliance certificates and audit reports state clearly which cloud services are in scope for independent third-party audits. Different audits may have different cloud services in audit scope.
+Microsoft retains independent, third-party auditing firms to conduct audits of Microsoft cloud services. The resulting compliance assurances apply to both Azure and Azure Government cloud environments. Compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region or country/region specific. Azure compliance certificates and audit reports clearly state which cloud services are in scope for independent third-party audits. Different audits might have different cloud services in audit scope.
 
-Azure Firewall is included in many Azure compliance audits such as CSA STAR, ISO, SOC, PCI DSS, HITRUST, FedRAMP, DoD, and others. For the latest insight into Azure Firewall compliance audit scope, see [Cloud services in audit scope](/azure/compliance/offerings/cloud-services-in-audit-scope).
+Azure Firewall is included in many Azure compliance audits. The following list shows the key certifications by category:
+
+**Global, industry, and regional:**
+- CSA STAR
+- ISO/IEC 27001, 27017, and 27018
+- SOC 1 Type 2, SOC 2 Type 2, and SOC 3
+- PCI DSS Level 1
+- HIPAA BAA
+- HITRUST CSF
+- GSMA
+
+**US government:**
+- FedRAMP High
+- DoD IL2, IL4, IL5, and IL6 (Azure Government)
+
+For the authoritative and up-to-date list of which Azure services are in each audit scope, see [Cloud services in audit scope](/azure/compliance/offerings/cloud-services-in-audit-scope).
 
 ## Next steps
 

articles/firewall/explicit-proxy.md

@@ -1,53 +1,52 @@
 ---
-title: Azure Firewall Explicit proxy (preview)
-description: Learn about Azure Firewall's Explicit Proxy setting.
-services: firewall
-author: duau
+title: Azure Firewall explicit proxy (preview)
+description: Learn about Azure Firewall's explicit proxy setting.
+author: duongau
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 03/30/2023
-ms.author: magakman
+ms.date: 03/28/2026
+ms.author: duau
 ms.custom: sfi-image-nochange
 # Customer intent: As a network administrator, I want to configure an explicit proxy on Azure Firewall, so that I can manage outbound traffic efficiently without using a user-defined route.
 ---
 
-# Azure Firewall Explicit proxy (preview)
+# Azure Firewall explicit proxy (preview)
 
 > [!IMPORTANT]
 > Explicit proxy is currently in PREVIEW.
 > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
-Azure Firewall operates in a transparent proxy mode by default. In this mode, traffic is sent to the firewall using a user defined route (UDR) configuration. The firewall intercepts that traffic inline and passes it to the destination.
+Azure Firewall operates in a transparent proxy mode by default. In this mode, you use a user-defined route (UDR) configuration to send traffic to the firewall. The firewall intercepts that traffic inline and passes it to the destination.
 
-With Explicit proxy set on the outbound path, you can configure a proxy setting on the sending application (such as a web browser) with Azure Firewall configured as the proxy. As a result, traffic from the sending application goes to the firewall's private IP address and therefore egresses directly from the firewall without the using  a UDR.
+When you set up explicit proxy on the outbound path, you can configure a proxy setting on the sending application (such as a web browser) with Azure Firewall configured as the proxy. As a result, traffic from the sending application goes to the firewall's private IP address and therefore egresses directly from the firewall without using a UDR.
 
-With the Explicit proxy mode (supported for HTTP/S), you can define proxy settings in the browser to point to the firewall private IP address. You can manually configure the IP address on the browser or application, or you can configure a proxy auto config (PAC) file. The firewall can host the PAC file to serve the proxy requests after you upload it to the firewall.
+With the explicit proxy mode (supported for HTTP/S), you can define proxy settings in the browser to point to the firewall private IP address. You can manually configure the IP address on the browser or application, or you can configure a proxy auto config (PAC) file. The firewall can host the PAC file to serve the proxy requests after you upload it to the firewall.
 
 ## Configuration
 
-- Once the feature is enabled, the following screen shows on the portal:
+- After you enable the feature, the following screen appears on the portal:
 
    :::image type="content" source="media/explicit-proxy/enable-explicit-proxy.png" alt-text="Screenshot showing the Enable explicit proxy setting.":::
 
    > [!NOTE]
    > The HTTP and HTTPS ports can't be the same.
 
-- Next, to allow the traffic to pass through the Firewall, create an **application** rule in the Firewall policy to allow this traffic.
-   > [!IMPORTANT]
-   > You must use an application rule. A network rule won't work.
+1. Next, to allow the traffic through the firewall, create an **application** rule in the firewall policy to allow this traffic.
 
+   > [!IMPORTANT]
+   > You must use an application rule. A network rule doesn't work.
 
-- To use the Proxy autoconfiguration (PAC) file, select **Enable proxy auto-configuration**.
+- Select **Enable proxy auto-configuration** to use the Proxy autoconfiguration (PAC) file.
 
-- First, upload the PAC file to a storage container that you create. Then, on the **Enable explicit proxy** page, configure the shared access signature (SAS) URL. Configure the port where the PAC is served from, and then select **Apply** at the bottom of the page.
+1. First, upload the PAC file to a storage container that you create. Then, on the **Enable explicit proxy** pane, configure the shared access signature (SAS) URL. Configure the port where the PAC is served from, and then select **Apply** at the bottom of the page.
 
-   The SAS URL must have READ permissions so the firewall can download the file. If changes are made to the PAC file, a new SAS URL needs to be generated and configured on the firewall **Enable explicit proxy** page.
+   The SAS URL must have **READ** permissions so the firewall can download the file. If you make changes to the PAC file, you need to generate a new SAS URL and configure it on the firewall **Enable explicit proxy** page.
 
    :::image type="content" source="media/explicit-proxy/shared-access-signature.png" alt-text="Screenshot showing generate shared access signature.":::
 
 ## Governance and compliance
 
-To ensure consistent configuration of explicit proxy settings across your Azure Firewall deployments, you can use Azure Policy definitions. The following policies are available to govern explicit proxy configurations:
+To ensure consistent configuration of explicit proxy settings across your Azure Firewall deployments, use Azure Policy definitions. The following policies are available to govern explicit proxy configurations:
 
 - **Enforce Explicit Proxy Configuration for Firewall Policies**: Ensures that all Azure Firewall policies have explicit proxy configuration enabled.
 - **Enable PAC file configuration while using Explicit Proxy**: Audits that when explicit proxy is enabled, the PAC (Proxy Auto-Configuration) file is also properly configured.
@@ -56,5 +55,5 @@ For more information about these policies and how to implement them, see [Use Az
 
 ## Next steps
 
-- To learn more about Explicit proxy, see [Demystifying Explicit proxy: Enhancing Security with Azure Firewall](https://techcommunity.microsoft.com/t5/azure-network-security-blog/demystifying-explicit-proxy-enhancing-security-with-azure/ba-p/3873445).
-- To learn how to deploy an Azure Firewall, see [Deploy and configure Azure Firewall using Azure PowerShell](deploy-ps.md).
+- To learn more about explicit proxy, see [Demystifying Explicit proxy: Enhancing Security with Azure Firewall](https://techcommunity.microsoft.com/t5/azure-network-security-blog/demystifying-explicit-proxy-enhancing-security-with-azure/ba-p/3873445).
+- To learn how to deploy an Azure Firewall, see [Deploy and configure Azure Firewall by using Azure PowerShell](deploy-ps.md).

articles/firewall/firewall-best-practices.md

@@ -1,11 +1,10 @@
 ---
 title: Azure Firewall best practices for performance
-description: Learn how to configure Azure Firewall to maximize performance
-services: firewall
+description: Learn how to configure Azure Firewall to maximize performance and minimize latency using best practices for rules, SNAT, IDPS, and monitoring.
 author: duongau
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 01/13/2025
+ms.date: 03/28/2026
 ms.author: duau
 # Customer intent: As a network administrator, I want to implement best practices for Azure Firewall configuration, so that I can optimize its performance and ensure efficient network traffic management while maintaining security.
 ---
@@ -14,39 +13,39 @@ ms.author: duau
 
 To maximize the [performance](firewall-performance.md) of your Azure Firewall and Firewall policy, it’s important to follow best practices. However, certain network behaviors or features can affect the firewall’s performance and latency, despite its performance optimization capabilities.
 
-## Performance issues common causes
+## Common causes of performance problems
 
 - **Exceeding rule limitations**
 
-   If you exceed limitations, such as using over 20,000 unique source/destination combinations in rules, it can affect firewall traffic processing and cause latency. Even though this is a soft limit, if you surpass this value it can affect overall firewall performance. For more information, see the [documented limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits).
+   If you exceed limitations, such as using more than 20,000 unique source or destination combinations in rules, you can affect firewall traffic processing and cause latency. Even though this limit is soft, surpassing it can affect overall firewall performance. For more information, see the [documented limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits).
 
 - **High traffic throughput**
 
-    Azure Firewall Standard supports up to 30 Gbps, while Premium supports up to 100 Gbps. For more information, see the [throughput limitations](firewall-performance.md#performance-data). You can monitor your throughput or data processing in Azure Firewall metrics. For more information, see [Azure Firewall metrics and alerts](metrics.md).
+    Azure Firewall Standard supports up to 30 Gbps, while Premium supports up to 100 Gbps. For more information, see the [throughput limitations](firewall-performance.md#performance-data). You can monitor your throughput or data processing in Azure Firewall metrics. For more information, see [Azure Firewall metrics and alerts](monitor-firewall-reference.md).
 
-- **High Number of Connections**
+- **High number of connections**
 
    An excessive number of connections passing through the firewall can lead to SNAT (Source Network Address Translation) port exhaustion.
 
-- **IDPS Alert + Deny Mode**
+- **IDPS Alert + Deny mode**
 
-   If you enable IDPS Alert + Deny Mode, the firewall drops packets that match an IDPS signature. This affects performance.
+   If you enable IDPS Alert + Deny mode, the firewall drops packets that match an IDPS signature. This action affects performance.
 
 ## Recommendations
 
 - **Optimize rule configuration and processing**
 
-   - Organize rules using firewall policy into Rule Collection Groups and Rule Collections, prioritizing them based on their use frequency.
+   - Organize rules by using firewall policy into Rule Collection Groups and Rule Collections, and prioritize them based on how often they're used.
    - Use [IP Groups](ip-groups.md) or IP prefixes to reduce the number of IP table rules.
    - Prioritize rules with the highest number of hits.
-   - Ensure that you are within the following [rule limitations](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits).
+   - Make sure you're within the following [rule limitations](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits).
 - **Use or migrate to Azure Firewall Premium**
    - Azure Firewall Premium uses advanced hardware and offers a higher-performing underlying engine.
-   - Best for heavier workloads and higher traffic volumes. 
+   - It's best for heavier workloads and higher traffic volumes.
    - It also includes built-in accelerated networking software, which can achieve throughput of up to 100 Gbps, unlike the Standard version.
 - **Add multiple public IP addresses to the firewall to prevent SNAT port exhaustion**
-   - To prevent SNAT port exhaustion, consider adding multiple public IP addresses (PIPs) to your firewall. Azure Firewall provides [2,496 SNAT ports per each additional PIP](../nat-gateway/tutorial-hub-spoke-nat-firewall.md). 
-   - If you prefer not to add more PIPs, you can add an Azure NAT Gateway to scale SNAT port usage. This provides advanced SNAT port allocation capabilities.
+   - To prevent SNAT port exhaustion, consider adding multiple public IP addresses (PIPs) to your firewall. Azure Firewall provides [2,496 SNAT ports per each additional PIP](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).
+   - If you prefer not to add more PIPs, you can add an Azure NAT Gateway to scale SNAT port usage. This solution provides advanced SNAT port allocation capabilities.
 - **Start with IDPS Alert mode before you enable Alert + Deny mode**
    - While the *Alert + Deny* mode offers enhanced security by blocking suspicious traffic, it can also introduce more processing overhead. If you disable this mode, you might observe performance improvement, especially in scenarios where the firewall is primarily used for routing and not deep packet inspection.
    - It's essential to remember that traffic through the firewall is denied by default until you explicitly configure *allow* rules. Therefore, even when IDPS *Alert + Deny* mode is disabled, your network remains protected, and only explicitly permitted traffic is allowed to pass through the firewall. It can be a strategic choice to disable this mode to optimize performance without compromising the core security features provided by the Azure Firewall.
@@ -56,7 +55,7 @@ To maximize the [performance](firewall-performance.md) of your Azure Firewall an
 
 ## Testing and monitoring
 
-To ensure optimal performance for your Azure Firewall, you should continuously and proactively monitor it. It's crucial to regularly assess the health and key metrics of your firewall to identify potential issues and maintain efficient operation, especially during configuration changes. 
+To ensure optimal performance for your Azure Firewall, continuously and proactively monitor it. Regularly assess the health and key metrics of your firewall to identify potential issues and maintain efficient operation, especially during configuration changes.
 
 Use the following best practices for testing and monitoring:
 
@@ -65,13 +64,13 @@ Use the following best practices for testing and monitoring:
 - **Measure firewall latency using latency probe metrics**
    - Use the *latency probe* metric to measure the average latency of the Azure Firewall. This metric provides an indirect metric of the firewall’s performance. Remember that intermittent latency spikes are normal.
 - **Measure traffic throughput metric**
-   - Monitor the *traffic throughput* metric to understand how much data passes through the firewall. This helps you gauge the firewall’s capacity and its ability to handle the network traffic.
+   - Monitor the *traffic throughput* metric to understand how much data passes through the firewall. This metric helps you gauge the firewall's capacity and its ability to handle the network traffic.
 - **Measure data processed**
    - Keep track of the *data processed* metric to assess the volume of data processed by the firewall.
 - **Identify rule hits and performance spikes**
    - Look for spikes in network performance or latency. Correlate rule hit timestamps, such as application rules hit count and network rules hit count, to determine if rule processing is a significant factor contributing to performance or latency issues. By analyzing these patterns, you can identify specific rules or configurations that you might need to optimize.
 - **Add alerts to key metrics**
-   - In addition to regular monitoring, it's crucial to set up alerts for key firewall metrics. This ensures that you're promptly notified when specific metrics surpass predefined thresholds. To configure alerts, see [Azure Firewall logs and metrics](metrics.md#alert-on-azure-firewall-metrics) for detailed instructions about setting up effective alerting mechanisms. Proactive alerting enhances your ability to respond swiftly to potential issues and maintain optimal firewall performance.
+   - In addition to regular monitoring, set up alerts for key firewall metrics. This step ensures that you're promptly notified when specific metrics surpass predefined thresholds. To configure alerts, see [Azure Firewall logs and metrics](monitor-firewall.md#alert-on-azure-firewall-metrics) for detailed instructions about setting up effective alerting mechanisms. Proactive alerting enhances your ability to respond swiftly to potential issues and maintain optimal firewall performance.
 - **Implement governance and compliance**
    - Use [Azure Policy](firewall-azure-policy.md) to enforce consistent configuration standards across your Azure Firewall deployments, including explicit proxy settings and other security configurations.
    - Track configuration changes using [Azure Resource Graph](rule-set-change-tracking.md) to maintain compliance and operational visibility.