Identify and Prioritize Best Practices
Run the BPA to measure security best practice adoption
on your firewalls and to prioritize actions to take to increase
security by applying best practices.
Palo Alto Networks’ Best Practice Assessment
(BPA) uses your Tech Support File to analyze Panorama and next-generation
firewall configuration settings and compares the configuration to
Palo Alto Networks best practices. The BPA shows the current state
of best practice security adoption and suggests specific changes
to align the configuration with security best practices. Running
the BPA not only gives you an understanding of where to improve
your security posture, it also sets a baseline for later comparison
and provides links to technical documentation that shows you how
to transition the BPA’s recommendations into
a best practice configuration.
Using an iterative, prioritized
approach, you can transform your security posture to a best practice
state, one step at a time, measuring progress as you go at your
pace and level of comfort:
- Upload a Tech Support File on Customer Support Portal and Access and Run the BPA yourself, or contact your Palo Alto Networks SE or partner to run the BPA on Panorama or your next-generation firewalls.If you run the BPA yourself, we recommend that you contact your Palo Alto Networks SE or partner to help interpret the results and discuss the next steps.
- Identify and prioritize the first area of improvement to begin the transition to best practices.Whether your Palo Alto Networks SE or partner runs the BPA or you run the BPA, your SE or partner can help you formulate a prioritized plan to safely phase in best practices. Plan to start with the safest, easiest, highest impact changes first, such as applying Antivirus, Anti-Spyware, Vulnerability Protection, and WildFire Analysis profiles to your Security policy allow rules.
- Use the BPA’s links to technical documentation to configure the best practices you prioritize.Downloading the BPA report gives you a .zip file that contains the detailed HMTL report, an Executive Summary, and an Excel spreadsheet that lists failed best practice checks. You link to technical documentation in two ways:
- From the spreadsheet—The Documentation tab provides links for each failed check. In addition, the identification number in the Check ID column on the Policies, Objects, Network, and Device tabs links directly to the relevant line on the Documentation tab.
- From the HTML report—When you open the HTML report, you see an Adoption Heatmap that summarizes best practice adoption. SelectBest Practice Assessmentto access the report.
You can viewPolicies,Objects,Network, andDevicedetailed reports for the selected configuration assessment.
From a detailed report, clickLearn Morefor descriptions and rationales for the configuration check and links to technical documentation for best practice configurations.
For Security profiles (Vulnerability Protection, Antivirus, Anti-Spyware, URL Filtering, File Blocking), use the safe transition advice to ensure availability of business-critical applications as you move to best practice Security profiles.
- After you implement the first set of best practice changes, run the BPA again to measure progress and help verify that the changes work as expected.Compare the first BPA output and the next BPA output to see the improvements in your security posture. Identify and prioritize the next area of improvement to address.
- Use the BPA’s links to technical documentation to configure the next set of best practices you prioritized.
- At your own pace, repeat the process of running the BPA to measure progress and identify and prioritize next steps, and then configure best practices using the technical documentation.
- Get started now—Access and Run the BPA or contact your Palo Alto Networks SE or partner and begin the transition to a more secure network today!
