MicrosoftDocs
diff --git a/‎articles/firewall/dns-settings.md
Lines changed: 0 additions & 2 deletions b/‎articles/firewall/dns-settings.md
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/firewall/explicit-proxy.md
Lines changed: 0 additions & 2 deletions b/‎articles/firewall/explicit-proxy.md
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/firewall/firewall-azure-policy.md
Lines changed: 0 additions & 2 deletions b/‎articles/firewall/firewall-azure-policy.md
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/firewall/firewall-copilot.md
Lines changed: 0 additions & 6 deletions b/‎articles/firewall/firewall-copilot.md
Lines changed: 0 additions & 6 deletions
diff --git a/‎articles/firewall/ip-groups.md
Lines changed: 7 additions & 12 deletions b/‎articles/firewall/ip-groups.md
Lines changed: 7 additions & 12 deletions
diff --git a/‎articles/firewall/premium-deploy-certificates-enterprise-ca.md
Lines changed: 10 additions & 8 deletions b/‎articles/firewall/premium-deploy-certificates-enterprise-ca.md
Lines changed: 10 additions & 8 deletions
diff --git a/‎articles/firewall/premium-deploy.md
Lines changed: 19 additions & 20 deletions b/‎articles/firewall/premium-deploy.md
Lines changed: 19 additions & 20 deletions
diff --git a/‎articles/firewall/premium-features.md
Lines changed: 0 additions & 8 deletions b/‎articles/firewall/premium-features.md
Lines changed: 0 additions & 8 deletions
diff --git a/‎articles/firewall/premium-migrate.md
Lines changed: 0 additions & 2 deletions b/‎articles/firewall/premium-migrate.md
Lines changed: 0 additions & 2 deletions
@@ -31,8 +31,6 @@ A DNS server maintains and resolves domain names to IP addresses. By default, Az
 
 The firewall now directs DNS traffic to the specified DNS servers for name resolution.
 
-:::image type="content" source="../firewall/media/dns-settings/dns-servers.png" alt-text="Screenshot showing settings for DNS servers.":::
-
 #### [CLI](#tab/azure-devops-cli)
 
 The following example updates Azure Firewall with custom DNS servers by using the Azure CLI.
 
@@ -37,8 +37,6 @@ With the Explicit proxy mode (supported for HTTP/S), you can define proxy settin
 
 - To use the Proxy autoconfiguration (PAC) file, select **Enable proxy auto-configuration**.
 
-   :::image type="content" source="media/explicit-proxy/proxy-auto-configuration.png" alt-text="Screenshot showing the proxy autoconfiguration file setting.":::
-
 - First, upload the PAC file to a storage container that you create. Then, on the **Enable explicit proxy** page, configure the shared access signature (SAS) URL. Configure the port where the PAC is served from, and then select **Apply** at the bottom of the page.
 
    The SAS URL must have READ permissions so the firewall can download the file. If changes are made to the PAC file, a new SAS URL needs to be generated and configured on the firewall **Enable explicit proxy** page.
 
@@ -108,8 +108,6 @@ Now you attempt to create a Firewall Policy with Threat Intelligence disabled.
 
 You should see an error that says your resource was disallowed by policy, confirming that your Azure Policy doesn't allow firewall policies that have Threat Intelligence disabled.
 
-:::image type="content" source="media/firewall-azure-policy/azure-policy.png" lightbox="media/firewall-azure-policy/azure-policy.png" alt-text="Screenshot showing policy create denial.":::
-
 ## Related content
 
 - [What is Azure Policy?](../governance/policy/overview.md)
 
@@ -96,8 +96,6 @@ Get **log information** about the traffic intercepted by the IDPS feature instea
 - What are the top 20 IDPS hits from the last seven days for Firewall _\<Firewall name\>_ in resource group _\<resource group name\>_?
 - Show me in tabular form the top 50 attacks that targeted Firewall _\<Firewall name\>_ in subscription _\<subscription name\>_ in the past month.
 
-    :::image type="content" source="media/firewall-copilot/copilot-capability-1-embedded.png" alt-text="Screenshot showing the Retrieve the top IDPS signature hits for an Azure Firewall capability." lightbox="media/firewall-copilot/copilot-capability-1-embedded.png":::
-
 ### Enrich the threat profile of an IDPS signature beyond log information
 
 Get **additional details** to enrich the threat information/profile of an IDPS signature instead of compiling it yourself manually.
@@ -108,8 +106,6 @@ Get **additional details** to enrich the threat information/profile of an IDPS s
 - What can you tell me about this attack? What are the other attacks this attacker is known for?
 - I see that the third signature ID is associated with CVE _\<CVE number\>_, tell me more about this CVE.
 
-    :::image type="content" source="media/firewall-copilot/copilot-capability-2-embedded.png" alt-text="Screenshot showing the Enrich the threat profile of an IDPS signature beyond log information capability." lightbox="media/firewall-copilot/copilot-capability-2-embedded.png":::
-
 > [!NOTE]
 > The Microsoft Threat Intelligence plugin is another source that Security Copilot may use to provide threat intelligence for IDPS signatures.
 
@@ -123,8 +119,6 @@ Perform a **fleet-wide search** (over any scope) for a threat across all your Fi
 - Was the top hit seen by any other Firewall in the subscription _\<subscription name\>_?
 - Over the past week did any Firewall in resource group _\<resource group name\>_ see signature ID _\<ID number\>_?
 
-    :::image type="content" source="media/firewall-copilot/copilot-capability-3-embedded.png" alt-text="Screenshot showing the Look for a given IDPS signature across your tenant, subscription, or resource group capability." lightbox="media/firewall-copilot/copilot-capability-3-embedded.png":::
-
 ### Generate recommendations to secure your environment using Azure Firewall's IDPS feature
 
 Get **information from documentation** about using Azure Firewall's IDPS feature to secure your environment instead of having to look up this information manually.
 
@@ -6,7 +6,7 @@ author: vhorne
 ms.service: azure-firewall
 ms.custom: devx-track-azurepowershell
 ms.topic: concept-article
-ms.date: 10/10/2023
+ms.date: 02/10/2025
 ms.author: victorh
 ---
 
@@ -37,18 +37,17 @@ An IP Group can be created using the Azure portal, Azure CLI, or REST API. For m
 
 ## Browse IP Groups
 1. In the Azure portal search bar, type **IP Groups** and select it. You can see the list of the IP Groups, or you can select **Add** to create a new IP Group.
-2. Select an IP Group to open the overview page. You can edit, add, or delete IP addresses or IP Groups.
+1. Select an IP Group to open the overview page. You can edit, add, or delete IP addresses or IP Groups.
 
-   ![IP Groups overview](media/ip-groups/overview.png)
 
 ## Manage an IP Group
 
 You can see all the IP addresses in the IP Group and the rules or resources that are associated with it. To delete an IP Group, you must first dissociate the IP Group from the resource that is using it.
 
 1. To view or edit the IP addresses, select **IP Addresses** under **Settings** on the left pane.
-2. To add a single or multiple IP address(es), select **Add IP Addresses**. This opens the **Drag or Browse** page for an upload, or you can enter the address manually.
-3.    Selecting the ellipses (**…**) to the right to edit or delete IP addresses. To edit or delete multiple IP addresses, select the boxes and select **Edit** or **Delete** at the top.
-4. Finally, can export the file in the CSV file format.
+1. To add a single or multiple IP address(es), select **Add IP Addresses**. This opens the **Drag or Browse** page for an upload, or you can enter the address manually.
+1.    Selecting the ellipses (**…**) to the right to edit or delete IP addresses. To edit or delete multiple IP addresses, select the boxes and select **Edit** or **Delete** at the top.
+1. Finally, can export the file in the CSV file format.
 
 > [!NOTE]
 > If you delete all the IP addresses in an IP Group while it is still in use in a rule, that rule is skipped.
@@ -58,8 +57,6 @@ You can see all the IP addresses in the IP Group and the rules or resources that
 
 You can now select **IP Group** as a **Source type** or **Destination type** for the IP address(es) when you create Azure Firewall DNAT, application, or network rules.
 
-![IP Groups in Firewall](media/ip-groups/fw-ipgroup.png)
-
 ## Parallel IP Group updates (preview)
 
 You can now update multiple IP Groups in parallel at the same time. This is particularly useful for administrators who want to make configuration changes more quickly and at scale, especially when making those changes using a dev ops approach (templates, ARM, CLI, and Azure PowerShell).
@@ -92,10 +89,8 @@ It can take several minutes for this to take effect. Once the feature is complet
 ### Azure portal
 
 1. Navigate to **Preview features** in the Azure portal.
-2. Search and register **AzureFirewallParallelIPGroupUpdate**.
-3. Ensure the feature is enabled.
-
-:::image type="content" source="media/ip-groups/preview-features-parallel.png" alt-text="Screenshot showing the parallel IP groups feature.":::
+1. Search and register **AzureFirewallParallelIPGroupUpdate**.
+1. Ensure the feature is enabled.
 
 ## Region availability
 
 
@@ -54,31 +54,33 @@ To use an Enterprise CA to generate a certificate to use with Azure Firewall Pre
 1. Submit the request and install the certificate.
 1. Assuming this request is made from a Windows Server using Internet Explorer, open **Internet Options**.
 1. Navigate to the **Content** tab and select **Certificates**.
-   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/internet-properties.png" alt-text="Screenshot of Internet properties":::
+
 1. Select the certificate that was just issued and then select **Export**.
-   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/export-certificate.png" alt-text="Screenshot of export certificate":::
+
 1. Select **Next** to begin the wizard. Select **Yes, export the private key**, and then select **Next**.
-   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/export-private-key.png" alt-text="Screenshot showing export private key":::
+
 1. .pfx file format is selected by default. Uncheck **Include all certificates in the certification path if possible**. If you export the entire certificate chain, the import process to Azure Firewall will fail.
-   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/export-file-format.png" alt-text="Screenshot showing export file format":::
+
 1. Assign and confirm a password to protect the key, and then select **Next**.
-   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/certificate-security.png" alt-text="Screenshot showing certificate security":::
+
 1. Choose a file name and export location and then select **Next**.
+
 1. Select **Finish** and move the exported certificate to a secure location.
 
 ## Add the certificate to a Firewall Policy
 
 1. In the Azure portal, navigate to the Certificates page of your Key Vault, and select **Generate/Import**.
+
 1. Select **Import** as the method of creation, name the certificate, select the exported .pfx file, enter the password, and then select **Create**.
-   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/create-a-certificate.png" alt-text="Screenshot showing Key Vault create a certificate":::
+
 1. Navigate to the **TLS Inspection** page of your Firewall policy and select your Managed identity, Key Vault, and certificate.
-   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/tls-inspection-certificate.png" alt-text="Screenshot showing Firewall Policy TLS Inspection configuration":::
+
 1. Select **Save**.
 
 ## Validate TLS inspection
 
 1. Create an Application Rule using TLS inspection to the destination URL or FQDN of your choice.  For example: `*bing.com`.
-   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/edit-rule-collection.png" alt-text="Screenshot showing edit rule collection":::
+
 1. From a domain-joined machine within the Source range of the rule, navigate to your Destination and select the lock symbol next to the address bar in your browser. The certificate should show that it was issued by your Enterprise CA rather than a public CA.
    :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/browser-certificate.png" alt-text="Screenshot showing the browser certificate":::
 1. Show the certificate to display more details, including the certificate path.
 
@@ -5,7 +5,7 @@ author: vhorne
 ms.service: azure-firewall
 services: firewall
 ms.topic: how-to
-ms.date: 02/28/2022
+ms.date: 02/10/2025
 ms.author: victorh
 ---
 
@@ -62,11 +62,11 @@ Now you can test IDPS, TLS Inspection, Web filtering, and Web categories.
 To collect firewall logs, you need to add diagnostics settings to collect firewall logs.
 
 1. Select the **DemoFirewall** and under **Monitoring**, select **Diagnostic settings**.
-2. Select **Add diagnostic setting**.
-3. For **Diagnostic setting name**, type *fw-diag*.
-4. Under **log**, select **AzureFirewallApplicationRule**, and **AzureFirewallNetworkRule**.
-5. Under **Destination details**, select **Send to Log Analytics workspace**.
-6. Select **Save**.
+1. Select **Add diagnostic setting**.
+1. For **Diagnostic setting name**, type *fw-diag*.
+1. Under **log**, select **AzureFirewallApplicationRule**, and **AzureFirewallNetworkRule**.
+1. Under **Destination details**, select **Send to Log Analytics workspace**.
+1. Select **Save**.
 
 ### IDPS tests
 
@@ -77,11 +77,11 @@ You can use `curl` to control various HTTP headers and simulate malicious traffi
 #### To test IDPS for HTTP traffic:
 
 1. On the WorkerVM virtual machine, open an administrator command prompt window.
-2. Type the following command at the command prompt:
+1. Type the following command at the command prompt:
 
    `curl -A "HaxerMen" <your web server address>`
-3. You'll see your Web server response.
-4. Go to the Firewall Network rule logs on the Azure portal to find an alert similar to the following message:
+1. You'll see your Web server response.
+1. Go to the Firewall Network rule logs on the Azure portal to find an alert similar to the following message:
 
    ```
    { “msg” : “TCP request from 10.0.100.5:16036 to 10.0.20.10:80. Action: Alert. Rule: 2032081. IDS: 
@@ -91,7 +91,7 @@ You can use `curl` to control various HTTP headers and simulate malicious traffi
 
    > [!NOTE]
    > It can take some time for the data to begin showing in the logs. Give it at least a couple minutes to allow for the logs to begin showing the data.
-5. Add a signature rule for signature 2032081:
+1. Add a signature rule for signature 2032081:
 
    1. Select the **DemoFirewallPolicy** and under **Settings** select **IDPS**.
    1. Select the **Signature rules** tab.
@@ -102,15 +102,15 @@ You can use `curl` to control various HTTP headers and simulate malicious traffi
 
 
 
-6. On WorkerVM, run the `curl` command again:
+1. On WorkerVM, run the `curl` command again:
 
    `curl -A "HaxerMen" <your web server address>`
 
    Since the HTTP request is now blocked by the firewall, you'll see the following output after the connection timeout expires:
 
    `read tcp 10.0.100.5:55734->10.0.20.10:80: read: connection reset by peer`
 
-7. Go to the Monitor logs in the Azure portal and find the message for the blocked request.
+1. Go to the Monitor logs in the Azure portal and find the message for the blocked request.
 <!---8. Now you can bypass the IDPS function using the **Bypass list**.
 
    1. On the **IDPS (preview)** page, select the **Bypass list** tab.
@@ -132,8 +132,8 @@ Use the following steps to test TLS Inspection with URL filtering.
 
 1. Edit the firewall policy application rules and add a new rule called `AllowURL` to the `AllowWeb` rule collection. Configure the target URL `www.nytimes.com/section/world`, Source IP address **\***, Destination type **URL**, select **TLS Inspection**, and protocols **http, https**.
 
-3. When the deployment completes, open a browser on WorkerVM and go to `https://www.nytimes.com/section/world` and validate that the HTML response is displayed as expected in the browser.
-4. In the Azure portal, you can view the entire URL in the Application rule Monitoring logs:
+1. When the deployment completes, open a browser on WorkerVM and go to `https://www.nytimes.com/section/world` and validate that the HTML response is displayed as expected in the browser.
+1. In the Azure portal, you can view the entire URL in the Application rule Monitoring logs:
 
       :::image type="content" source="media/premium-deploy/alert-message-url.png" alt-text="Alert message showing the URL":::
 
@@ -150,13 +150,12 @@ Some HTML pages may look incomplete because they refer to other URLs that are de
 
 Let's create an application rule to allow access to sports web sites.
 1. From the portal, open your resource group and select **DemoFirewallPolicy**.
-2. Select **Application Rules**, and then **Add a rule collection**.
-3. For **Name**, type *GeneralWeb*, **Priority** *103*, **Rule collection group** select **DefaultApplicationRuleCollectionGroup**.
-4. Under **Rules** for **Name** type *AllowSports*, **Source** *\**, **Protocol** *http, https*, select **TLS Inspection**, **Destination Type** select *Web categories*, **Destination** select *Sports*.
-5. Select **Add**.
+1. Select **Application Rules**, and then **Add a rule collection**.
+1. For **Name**, type *GeneralWeb*, **Priority** *103*, **Rule collection group** select **DefaultApplicationRuleCollectionGroup**.
+1. Under **Rules** for **Name** type *AllowSports*, **Source** *\**, **Protocol** *http, https*, select **TLS Inspection**, **Destination Type** select *Web categories*, **Destination** select *Sports*.
+1. Select **Add**.
 
-      :::image type="content" source="media/premium-deploy/web-categories.png" alt-text="Sports web category":::
-6. When the deployment completes, go to  **WorkerVM** and open a web browser and browse to `https://www.nfl.com`.
+1. When the deployment completes, go to  **WorkerVM** and open a web browser and browse to `https://www.nfl.com`.
 
    You should see the NFL web page, and the Application rule log shows that a **Web Category: Sports** rule was matched and the request was allowed.
 
 
@@ -85,14 +85,10 @@ IDPS allows you to detect attacks in all ports and protocols for nonencrypted tr
 
 The IDPS Bypass List is a configuration that allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list. The IDPS Bypass list isn't intended to be a way to improve throughput performance, as the firewall is still subject to the performance associated with your use case. For more information, see [Azure Firewall performance](firewall-performance.md#performance-data).
 
-:::image type="content" source="media/premium-features/idps-bypass-list.png" alt-text="Screenshot showing the IDPS Bypass list screen." lightbox="media/premium-features/idps-bypass-list.png":::
-
 ### IDPS Private IP ranges
 
 In Azure Firewall Premium IDPS, private IP address ranges are used to identify if traffic is inbound, outbound, or internal (East-West). Each signature is applied on specific traffic direction, as indicated in the signature rules table. By default, only ranges defined by IANA RFC 1918 are considered private IP addresses. So, traffic sent from a private IP address range to a private IP address range is considered internal. To modify your private IP addresses, you can now easily edit, remove, or add ranges as needed.
 
-:::image type="content" source="media/premium-features/idps-private-ip.png" alt-text="Screenshot showing IDPS private IP address ranges.":::
-
 ### IDPS signature rules
 
 IDPS signature rules allow you to:
@@ -122,8 +118,6 @@ IDPS signature rules have the following properties:
 |Source/Destination Ports     |The ports associated with this signature.|
 |Last updated     |The last date that this signature was introduced or modified.|
 
-:::image type="content" source="media/idps-signature-categories/firewall-idps-signature.png" alt-text="Screenshot showing the IDPS signature rule columns." lightbox="media/idps-signature-categories/firewall-idps-signature.png":::
-
 For more information about IDPS, see [Taking Azure Firewall IDPS on a Test Drive](https://techcommunity.microsoft.com/t5/azure-network-security-blog/taking-azure-firewall-idps-on-a-test-drive/ba-p/3872706).
 
 ## URL filtering
@@ -157,8 +151,6 @@ You can create exceptions to your web category rules. Create separate allow or d
 
 You can identify what category a given FQDN or URL is by using the **Web Category Check** feature. To use this, select the **Web Categories** tab under **Firewall Policy Settings**. This is useful when defining your application rules for destination traffic.
 
-:::image type="content" source="media/premium-features/firewall-category-search.png" alt-text="Firewall category search dialog":::
-
 > [!IMPORTANT]
 > To use the **Web Category Check** feature, the user must have an access of Microsoft.Network/azureWebCategories/* for **subscription** level, not resource group level.
 
 
@@ -50,8 +50,6 @@ During your migration process, you may need to migrate your Classic firewall rul
 
 1. From the Azure portal, select your standard firewall. On the **Overview** page, select **Migrate to firewall policy**.
 
-   :::image type="content" source="media/premium-migrate/firewall-overview-migrate.png" lightbox="media/premium-migrate/firewall-overview-migrate.png" alt-text="Screenshot showing migrate to firewall policy.":::
-
 1. On the **Migrate to firewall policy** page, select **Review + create**.
 1. Select **Create**.