add note for trace logs

vhorne · vhorne · commit 54d835cc5d43 · 2024-03-14T14:06:11.000-07:00
diff --git a/articles/firewall/enable-top-ten-and-flow-trace.md b/articles/firewall/enable-top-ten-and-flow-trace.md
@@ -1,6 +1,6 @@
 ---
 title: Enable Top flows and Flow trace logs in Azure Firewall 
-description: Learn how to enable the Top flows and Flow trace logs in Azure Firewall
+description: Learn how to enable the Top flows and Flow trace logs in Azure Firewall.
 services: firewall
 author: vhorne
 ms.service: firewall
@@ -25,7 +25,7 @@ The Top flows log (known in the industry as Fat Flows), shows the top connection
 > Activate Top flows logs only when troubleshooting a specific issue to avoid excessive CPU usage of Azure Firewall.
 > 
 
-The flow rate is defined as the data transmission rate (in Megabits per second units). In other words, it is a measure of the amount of digital data that can be transmitted over a network in a period of time through the firewall. The Top Flows protocol runs periodically every three minutes. The minimum threshold to be considered a Top Flow is 1 Mbps.
+The flow rate is defined as the data transmission rate (in Megabits per second units). In other words, it's a measure of the amount of digital data that can be transmitted over a network in a period of time through the firewall. The Top Flows protocol runs periodically every three minutes. The minimum threshold to be considered a Top Flow is 1 Mbps.
 
 ### Prerequisites
 
@@ -67,7 +67,7 @@ There are a few ways to verify the update was successful, but you can navigate t
 1. In the Diagnostic settings tab, select **Add diagnostic setting**.
 2. Type a Diagnostic setting name.
 3. Select **Azure Firewall Fat Flow Log** under **Categories** and any other logs you want to be supported in the firewall.
-4. In Destination details, select  **Send to Log Analytics** workspace
+4. In Destination details, select  **Send to Log Analytics** workspace.
    1. Choose your desired Subscription and preconfigured Log Analytics workspace.
    1. Enable **Resource specific**.
    :::image type="content" source="media/enable-top-ten-and-flow-trace/log-destination-details.png" alt-text="Screenshot showing log destination details.":::
@@ -82,21 +82,22 @@ There are a few ways to verify the update was successful, but you can navigate t
 
 ## Flow trace
 
-Currently, the firewall logs show traffic through the firewall in the first attempt of a TCP connection, known as the *syn* packet. However, this doesn't show the full journey of the packet in the TCP handshake. As a result, it's difficult to troubleshoot if a packet is dropped, or asymmetric routing has occurred.
+Currently, the firewall logs show traffic through the firewall in the first attempt of a TCP connection, known as the *SYN* packet. However, this doesn't show the full journey of the packet in the TCP handshake. As a result, it's difficult to troubleshoot if a packet is dropped, or asymmetric routing occurred.
+
 
 > [!TIP]
 > To avoid excessive disk usage caused by Flow trace logs in Azure Firewall with many short-lived connections, activate the logs only when troubleshooting a specific issue for diagnostic purposes.
 
 The following additional properties can be added: 
 - SYN-ACK
 
-   Ack flag that indicates acknowledgment of SYN packet. 
+   ACK flag that indicates acknowledgment of SYN packet. 
 - FIN
 
    Finished flag of the original packet flow. No more data is transmitted in the TCP flow. 
 - FIN-ACK
 
-   Ack flag that indicates acknowledgment of FIN packet. 
+   ACK flag that indicates acknowledgment of FIN packet. 
 
 - RST
 
@@ -109,12 +110,14 @@ The following additional properties can be added:
    For example: 
    - A TCP packet lands on a Virtual Machine Scale Sets instance, which doesn't have any prior history for this packet
    - Bad CheckSum packets
-   - Connection Tracking table entry is full and new connections cannot be accepted
+   - Connection Tracking table entry is full and new connections can't be accepted
    - Overly delayed ACK packets
 
+Flow Trace logs, such as SYN-ACK and ACK, are exclusively logged for network traffic. In addition, SYN packets aren't logged by default. However, you can access the initial SYN packets within the network rule logs.
+
 ### Prerequisites
 
-- Enable [structured logs](firewall-structured-logs.md#enable-structured-logs)
+- Enable [structured logs](firewall-structured-logs.md#enable-structured-logs).
 - Use the Azure Resource Specific Table format in [Diagnostic Settings](firewall-diagnostics.md#enable-diagnostic-logging-through-the-azure-portal).
 
 ### Enable the log
@@ -128,7 +131,7 @@ Register-AzProviderFeature -FeatureName AFWEnableTcpConnectionLogging -ProviderN
 Register-AzResourceProvider -ProviderNamespace Microsoft.Network
 ```
 
-It can take several minutes for this to take effect. Once the feature is completely registered, consider performing an update on Azure Firewall for the change to take effect immediately.
+It can take several minutes for this to take effect. Once the feature is registered, consider performing an update on Azure Firewall for the change to take effect immediately.
 
 To check the status of the AzResourceProvider registration, you can run the Azure PowerShell command:
 
@@ -146,7 +149,7 @@ To disable the log, you can unregister it using the following command or select
 1. In the Diagnostic settings tab, select **Add diagnostic setting**.
 2. Type a Diagnostic setting name.
 3. Select **Azure Firewall Flow Trace Log** under **Categories** and any other logs you want to be supported in the firewall.
-4. In Destination details, select  **Send to Log Analytics** workspace
+4. In Destination details, select  **Send to Log Analytics** workspace.
    1. Choose your desired Subscription and preconfigured Log Analytics workspace.
    1. Enable **Resource specific**.
    :::image type="content" source="media/enable-top-ten-and-flow-trace/log-destination-details.png" alt-text="Screenshot showing log destination details.":::
