MicrosoftDocs
diff --git a/‎articles/firewall/central-management.md‎
Lines changed: 0 additions & 45 deletions b/‎articles/firewall/central-management.md‎
Lines changed: 0 additions & 45 deletions
diff --git a/‎articles/firewall/deploy-template.md‎
Lines changed: 2 additions & 2 deletions b/‎articles/firewall/deploy-template.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/firewall/idps-signature-categories.md‎
Lines changed: 2 additions & 2 deletions b/‎articles/firewall/idps-signature-categories.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/firewall/infrastructure-fqdns.md‎
Lines changed: 0 additions & 29 deletions b/‎articles/firewall/infrastructure-fqdns.md‎
Lines changed: 0 additions & 29 deletions
diff --git a/‎articles/firewall/premium-deploy-certificates-enterprise-ca.md‎
Lines changed: 22 additions & 22 deletions b/‎articles/firewall/premium-deploy-certificates-enterprise-ca.md‎
Lines changed: 22 additions & 22 deletions
diff --git a/‎articles/firewall/premium-portal.md‎
Lines changed: 2 additions & 2 deletions b/‎articles/firewall/premium-portal.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/firewall/quick-create-ipgroup-template.md‎
Lines changed: 4 additions & 1 deletion b/‎articles/firewall/quick-create-ipgroup-template.md‎
Lines changed: 4 additions & 1 deletion
@@ -6,7 +6,7 @@ author: duongau
 ms.service: azure-firewall
 ms.topic: quickstart
 ms.custom: subject-armqs, mode-arm, devx-track-arm-template
-ms.date: 05/10/2021
+ms.date: 12/31/2025
 ms.author: duau
 # Customer intent: As a cloud architect, I want to deploy an Azure Firewall using an ARM template, so that I can quickly set up a secure network environment with high availability across multiple zones.
 ---
@@ -89,4 +89,4 @@ Don't remove the resource group and firewall if you plan to continue on to the f
 Next, you can monitor the Azure Firewall logs.
 
 > [!div class="nextstepaction"]
-> [Tutorial: Monitor Azure Firewall logs](./firewall-diagnostics.md)
+> [Monitor Azure Firewall logs and metrics](./monitor-firewall.md)
@@ -5,7 +5,7 @@ author: duongau
 ms.service: azure-firewall
 services: firewall
 ms.topic: overview
-ms.date: 12/15/2021
+ms.date: 12/31/2025
 ms.author: duau
 # Customer intent: "As a security analyst, I want to understand the Azure Firewall IDPS signature rule categories, so that I can effectively monitor and mitigate potential threats within my network."
 ---
@@ -25,7 +25,7 @@ You can override the action for most IDPS signatures to Off, Alert, or Deny. Som
 
 |Category |Description |
 |---------|---------|
-|3CORESec|This category is for signatures that are generated automatically from the 3CORESec team’s IP blocklists. These blocklists are generated by 3CORESec based on malicious activity from their Honeypots.|
+|3CORESec|This category is for signatures that are generated automatically from the 3CORESec team’s IP block lists. These blocklists are generated by 3CORESec based on malicious activity from their Honeypots.|
 |ActiveX|This category is for signatures that protect against attacks against Microsoft ActiveX controls and exploits targeting vulnerabilities in ActiveX controls.|
 |Adware-PUP|This category is for signatures to identify software that is used for ad tracking or other types of spyware related activity.|
 |Attack Response|This category is for signatures to identify responses indicative of intrusion—examples include but not limited to LMHost file download, presence of certain web banners and the detection of Metasploit Meterpreter kill command. These signatures are designed to catch the results of a successful attack. Things like *ID=root*, or error messages that indicate a compromise might have happened.|
 
@@ -5,7 +5,7 @@ author: duau
 ms.service: azure-firewall
 services: firewall
 ms.topic: how-to
-ms.date: 02/03/2022
+ms.date: 12/31/2025
 ms.author: duau
 ms.custom: sfi-image-nochange
 # Customer intent: "As a network administrator, I want to deploy and configure Enterprise CA certificates for Azure Firewall Premium, so that I can enable TLS inspection and ensure secure traffic management within my organization's network."
@@ -14,54 +14,54 @@ ms.custom: sfi-image-nochange
 # Deploy and configure Enterprise CA certificates for Azure Firewall
 
 
-Azure Firewall Premium includes a TLS inspection feature, which requires a certificate authentication chain. For production deployments, you should use an Enterprise PKI to generate the certificates that you use with Azure Firewall Premium. Use this article to create and manage an Intermediate CA certificate for Azure Firewall Premium.
+Azure Firewall Premium includes a TLS inspection feature, which requires a certificate authentication chain. For production deployments, use an Enterprise PKI to generate the certificates that you use with Azure Firewall Premium. Use this article to create and manage an Intermediate CA certificate for Azure Firewall Premium.
 
 For more information about certificates used by Azure Firewall Premium, see [Azure Firewall Premium certificates](premium-certificates.md).
 
 ## Prerequisites
 
 If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin.
 
-To use an Enterprise CA to generate a certificate to use with Azure Firewall Premium, you must have the following resources: 
+To use an Enterprise CA to generate a certificate to use with Azure Firewall Premium, you need the following resources: 
 
 - an Active Directory Forest 
 - an Active Directory Certification Services Root CA with Web Enrollment enabled 
 - an Azure Firewall Premium with Premium tier Firewall Policy 
 - an [Azure Key Vault](premium-certificates.md#azure-key-vault) 
 - a Managed Identity with Read permissions to **Certificates and Secrets** defined in the Key Vault Access Policy 
 
-## Create a new Subordinate Certificate Template
+## Create a new subordinate certificate template
 
 1. Run `certtmpl.msc` to open the Certificate Template Console.
-2. Find the **Subordinate Certification Authority** template in the console.
-3. Right-click on the **Subordinate Certification Authority** template and select **Duplicate Template**.
-4. In the **Properties of New Template** window, go to the **Compatibility** tab and set the appropriate compatibility settings or leave them as default.
-5. Go to the **General** tab, set the **Template Display Name** (for example: `My Subordinate CA`), and adjust the validity period if necessary. Optionally, select the **Publish certificate in Active Directory** checkbox.
-6. In the **Settings** tab, ensure the required users and groups have read and `enroll` permissions.
-7. Navigate to the **Extensions** tab, select **Key Usage**, and select **Edit**.
+1. Find the **Subordinate Certification Authority** template in the console.
+1. Right-click on the **Subordinate Certification Authority** template and select **Duplicate Template**.
+1. In the **Properties of New Template** window, go to the **Compatibility** tab and set the appropriate compatibility settings or leave them as default.
+1. Go to the **General** tab, set the **Template Display Name** (for example: `My Subordinate CA`), and adjust the validity period if necessary. Optionally, select the **Publish certificate in Active Directory** checkbox.
+1. In the **Settings** tab, ensure the required users and groups have read and `enroll` permissions.
+1. Navigate to the **Extensions** tab, select **Key Usage**, and select **Edit**.
    - Ensure that the **Digital signature**, **Certificate signing**, and **CRL signing** checkboxes are selected.
    - Select the **Make this extension critical** checkbox and select **OK**.
 
    :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/certificate-template-key-usage-extension.png" alt-text="Screenshot of certificate template key usage extensions.":::
-8. Select **OK** to save the new certificate template.
-9. Ensure the new template is enabled so it can be used to issue certificates.
+1. Select **OK** to save the new certificate template.
+1. Ensure the new template is enabled so it can be used to issue certificates.
 
 ## Request and export a certificate
 
-1. Access the web enrollment site on the Root CA, usually `https://<servername>/certsrv` and select **Request a Certificate**.
+1. Access the web enrollment site on the Root CA, usually `https://<servername>/certsrv`, and select **Request a Certificate**.
 1. Select **Advanced Certificate Request**.
 1. Select **Create and Submit a Request to this CA**.
 1. Fill out the form using the Subordinate Certification Authority template created in the previous section.
    :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/advanced-certificate-request.png" alt-text="Screenshot of advanced certificate request":::
 1. Submit the request and install the certificate.
-1. Assuming this request is made from a Windows Server using Internet Explorer, open **Internet Options**.
+1. Assuming you make this request from a Windows Server using Internet Explorer, open **Internet Options**.
 1. Navigate to the **Content** tab and select **Certificates**.
 
-1. Select the certificate that was just issued and then select **Export**.
+1. Select the certificate that the CA issued and then select **Export**.
 
 1. Select **Next** to begin the wizard. Select **Yes, export the private key**, and then select **Next**.
 
-1. .pfx file format is selected by default. Uncheck **Include all certificates in the certification path if possible**. If you export the entire certificate chain, the import process to Azure Firewall will fail.
+1. The wizard selects the .pfx file format by default. Uncheck **Include all certificates in the certification path if possible**. If you export the entire certificate chain, the import process to Azure Firewall fails.
 
 1. Assign and confirm a password to protect the key, and then select **Next**.
 
@@ -71,23 +71,23 @@ To use an Enterprise CA to generate a certificate to use with Azure Firewall Pre
 
 ## Add the certificate to a Firewall Policy
 
-1. In the Azure portal, navigate to the Certificates page of your Key Vault, and select **Generate/Import**.
+1. In the Azure portal, go to the Certificates page of your Key Vault, and select **Generate/Import**.
 
-1. Select **Import** as the method of creation, name the certificate, select the exported .pfx file, enter the password, and then select **Create**.
+1. Select **Import** as the creation method. Enter a name for the certificate, select the exported .pfx file, enter the password, and then select **Create**.
 
-1. Navigate to the **TLS Inspection** page of your Firewall policy and select your Managed identity, Key Vault, and certificate.
+1. Go to the **TLS Inspection** page of your Firewall policy and select your Managed identity, Key Vault, and certificate.
 
 1. Select **Save**.
 
 ## Validate TLS inspection
 
-1. Create an Application Rule using TLS inspection to the destination URL or FQDN of your choice.  For example: `*bing.com`.
+1. Create an Application Rule that uses TLS inspection for the destination URL or FQDN of your choice. For example: `*bing.com`.
 
-1. From a domain-joined machine within the Source range of the rule, navigate to your Destination and select the lock symbol next to the address bar in your browser. The certificate should show that it was issued by your Enterprise CA rather than a public CA.
+1. From a domain-joined machine within the source range of the rule, go to your destination and select the lock symbol next to the address bar in your browser. The certificate should show that your Enterprise CA issued it rather than a public CA.
    :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/browser-certificate.png" alt-text="Screenshot showing the browser certificate":::
 1. Show the certificate to display more details, including the certificate path.
    :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/certificate-details.png" alt-text="certificate details":::
-1. In Log Analytics, run the following KQL query to return all requests that have been subject to TLS Inspection:
+1. In Log Analytics, run the following KQL query to return all requests that are subject to TLS Inspection:
    ```
    AzureDiagnostics 
    | where ResourceType == "AZUREFIREWALLS" 
 
@@ -5,21 +5,21 @@ author: duongau
 ms.service: azure-firewall
 services: firewall
 ms.topic: how-to
-ms.date: 07/15/2021
+ms.date: 12/31/2025
 ms.author: duau
 ms.custom: sfi-image-nochange
 # Customer intent: "As a security administrator, I want to implement Azure Firewall Premium for my organization's network, so that I can enhance our security posture with advanced features like TLS inspection, IDPS, and URL filtering for regulated environments."
 ---
 
 # Azure Firewall Premium in the Azure portal
 
-
 Azure Firewall Premium is an advanced firewall designed for highly sensitive and regulated environments. It offers enhanced security features, including:
 
 - **TLS inspection**: Decrypts outbound traffic, inspects it for threats, then re-encrypts the data before sending it to its destination.
 - **IDPS (Intrusion Detection and Prevention System)**: Monitors network activity for malicious behavior, logs and reports incidents, and can block threats in real time.
 - **URL filtering**: Filters traffic based on the full URL path (for example, `www.contoso.com/a/c`), not just the domain name.
 - **Web categories**: Lets administrators control access to websites by category, such as social media, gambling, and more.
+- **Enhanced performance**: Uses a more powerful virtual machine SKU and can scale up to 100 Gbps with 10 Gbps fat flow support. The Premium SKU also complies with Payment Card Industry Data Security Standard (PCI DSS) requirements.
 
 For more information, see [Azure Firewall Premium features](premium-features.md).
 
 
@@ -5,7 +5,7 @@ services: firewall
 author: duau
 ms.service: azure-firewall
 ms.topic: quickstart
-ms.date: 05/10/2021
+ms.date: 12/31/2025
 ms.author: duau
 ms.custom:
   - subject-armqs
@@ -19,6 +19,9 @@ ms.custom:
 
 In this quickstart, you use an Azure Resource Manager template (ARM template) to deploy an Azure Firewall with sample IP Groups used in a network rule and application rule. An IP Group is a top-level resource that allows you to define and group IP addresses, ranges, and subnets into a single object. This is useful for managing IP addresses in Azure Firewall rules. You can either manually enter IP addresses or import them from a file.
 
+> [!NOTE]
+> The template used in this quickstart deploys Ubuntu 18.04 LTS virtual machines, which reached end of standard support on May 31, 2023. For production deployments, consider using [Ubuntu 20.04 LTS](https://azuremarketplace.microsoft.com/marketplace/apps/canonical.0001-com-ubuntu-server-focal) or [Ubuntu 22.04 LTS](https://azuremarketplace.microsoft.com/marketplace/apps/canonical.0001-com-ubuntu-server-jammy) images, or enable [Ubuntu Pro](https://ubuntu.com/azure/pro) for extended security maintenance.
+
 [!INCLUDE [About Azure Resource Manager](~/reusable-content/ce-skilling/azure/includes/resource-manager-quickstart-introduction.md)]
 
 If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.