diff --git a/docs/CNI/cilium.md b/docs/CNI/cilium.md
index e0a230062656d66401872ab641e2aea18c0f4089..ad42f88bf85b6a609a2b6c94148c56d6b33db020 100644
--- a/docs/CNI/cilium.md
+++ b/docs/CNI/cilium.md
@@ -170,14 +170,14 @@ Kubespray currently supports Linux distributions with Wireguard Kernel mode on L
 
 ## Bandwidth Manager
 
-Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
+Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
 
 Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
 In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
 
 Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
 
-For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/v1.12/gettingstarted/bandwidth-manager/)
+For further information, make sure to check the official [Cilium documentation](https://docs.cilium.io/en/latest/network/kubernetes/bandwidth-manager/)
 
 To use this function, set the following parameters
 
@@ -185,6 +185,26 @@ To use this function, set the following parameters
 cilium_enable_bandwidth_manager: true
 ```
 
+## Host Firewall
+
+Host Firewall enforces security policies for Kubernetes nodes. It is disable by default, since it can break the cluster connectivity.
+
+```yaml
+cilium_enable_host_firewall: true
+```
+
+For further information, check [host firewall documentation](https://docs.cilium.io/en/latest/security/host-firewall/)
+
+## Policy Audit Mode
+
+When _Policy Audit Mode_ is enabled, no network policy is enforced. This feature helps to validate the impact of host policies before enforcing them.
+
+```yaml
+cilium_policy_audit_mode: true
+```
+
+It is disable by default, and should not be enabled in production.
+
 ## Install Cilium Hubble
 
 k8s-net-cilium.yml:
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
index a583540bad24156c250f9f47fdc2da4ba7424658..da56c46e3ee4866f81eb8f97e8725fea87f8d9f0 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -145,6 +145,10 @@ cilium_l2announcements: false
 ### A time interval at which the agent attempts to reload config from disk
 # cilium_ip_masq_resync_interval: 60s
 
+### Host Firewall and Policy Audit Mode
+# cilium_enable_host_firewall: false
+# cilium_policy_audit_mode: false
+
 # Hubble
 ### Enable Hubble without install
 # cilium_enable_hubble: false
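Review bot: The commented-out `cilium_policy_audit_mode: false` example carries no caveat, yet when enabled it turns off enforcement of every Cilium network policy cluster-wide, not only the host policies it is meant to help validate, so an operator flipping it here to trial the host firewall silently drops pod-level isolation as well. A one-line warning next to the example would prevent that, e.g. `# WARNING: audit mode disables enforcement of ALL network policies (pod and host); enable only temporarily while validating host policies, never in production`. It would also help to note beside `cilium_enable_host_firewall` that host policies apply to the nodes themselves and, if written too tightly, can cut off node traffic such as kubelet or SSH, which is why the feature ships disabled and is meant to be validated in audit mode before enforcement.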
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index 7e65e7faf7a6115fcd6db1c35d3e4f9f8502cf18..fae0ceeae562cf8635f2de927d3a1115463f81e3 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -322,3 +322,5 @@ cilium_certgen_args:
 #       resourceNames:
 #       - toto
 cilium_clusterrole_rules_operator_extra_vars: []
+cilium_enable_host_firewall: false
+cilium_policy_audit_mode: false
diff --git a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
index ed37f122f2717685f3c18af1140e804bbacee898..38f3baede294b9a4fc48f7f315fb64d44d459537 100644
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@@ -138,7 +138,7 @@ data:
   enable-l2-announcements: "{{ cilium_l2announcements }}"
 
   # Enable Bandwidth Manager
-  # Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
+  # Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
   # Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
   # In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
   # Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
@@ -146,6 +146,10 @@ data:
   enable-bandwidth-manager: "true"
 {% endif %}
 
+  # Host Firewall and Policy Audit Mode
+  enable-host-firewall: "{{ cilium_enable_host_firewall | capitalize }}"
+  policy-audit-mode: "{{ cilium_policy_audit_mode | capitalize }}"
+
   # Name of the cluster. Only relevant when building a mesh of clusters.
   cluster-name: "{{ cilium_cluster_name }}"