Hi,
Azure Firewall decrypts outbound TLS traffic, inspects it, then encrypts it again and sends it to the destination.
For example, a user browses to a secure website such as amazon.com. Instead of the encrypted traffic going straight to Amazon's server unchanged and being decrypted there, it is first decrypted by Azure Firewall, inspected for any malware, etc., then re-encrypted and sent on to Amazon's server. This process is transparent to the user and is facilitated by Azure Firewall generating certificates on the fly for each destination server (amazon.com in this example).
-TP
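
The per-destination certificate step described above, as an added example that is not part of the original post and is not Azure Firewall's own code: an inspection CA issues a server certificate for a hostname, and a client accepts it only if that CA is in its trust store. The CA names, the hostname `shop.example` and the helpers `issue` and `trusts` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a self-signed CA when parent is nil, otherwise a server certificate for name signed by parent.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // CA: may sign other certificates, signs itself
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // leaf: valid only as a TLS server certificate for this hostname
		t.DNSNames, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusts reports whether a client whose trust store holds only roots accepts leaf for host.
func trusts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	pub, _ := issue("Constructed Public CA", nil, nil)        // stands in for the public roots
	ca, caKey := issue("Constructed Inspection CA", nil, nil) // stands in for the firewall's CA
	leaf, _ := issue("shop.example", ca, caKey)               // issued per destination
	fmt.Println(leaf.Issuer.CommonName, trusts(leaf, "shop.example", pub, ca), trusts(leaf, "shop.example", pub))
}
```

The issuer name on the certificate a client receives is what shows whether the connection passed through inspection, and a client without the inspection CA installed fails the handshake instead of being inspected silently.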