Identify and Prioritize Best Practices

Run the BPA to measure security best practice adoption on your firewalls and to prioritize actions to take to increase security by applying best practices.
Palo Alto Networks’ Best Practice Assessment (BPA) uses your Tech Support File to analyze Panorama and next-generation firewall configuration settings and compares the configuration to Palo Alto Networks best practices. The BPA shows the current state of best practice security adoption and suggests specific changes to align the configuration with security best practices. Running the BPA not only gives you an understanding of where to improve your security posture, it also sets a baseline for later comparison and provides links to technical documentation that shows you how to transition the BPA’s recommendations into a best practice configuration.
Using an iterative, prioritized approach, you can transform your security posture to a best practice state, one step at a time, measuring progress as you go at your pace and level of comfort:
  1. Upload a Tech Support File on Customer Support Portal and Access and Run the BPA yourself, or contact your Palo Alto Networks SE or partner to run the BPA on Panorama or your next-generation firewalls.
    If you run the BPA yourself, we recommend that you contact your Palo Alto Networks SE or partner to help interpret the results and discuss the next steps.
  2. Identify and prioritize the first area of improvement to begin the transition to best practices.
    Whether your Palo Alto Networks SE or partner runs the BPA or you run the BPA, your SE or partner can help you formulate a prioritized plan to safely phase in best practices. Plan to start with the safest, easiest, highest impact changes first, such as applying Antivirus, Anti-Spyware, Vulnerability Protection, and WildFire Analysis profiles to your Security policy allow rules.
  3. Use the BPA’s links to technical documentation to configure the best practices you prioritize.
    Downloading the BPA report gives you a .zip file that contains the detailed HTML report, an Executive Summary, and an Excel spreadsheet that lists failed best practice checks. You can reach the technical documentation in two ways:
    • From the spreadsheet—The Documentation tab provides links for each failed check. In addition, the identification number in the Check ID column on the Policies, Objects, Network, and Device tabs links directly to the relevant line on the Documentation tab.
    • From the HTML report—When you open the HTML report, you see a heatmap that summarizes best practice adoption.
      Go to BPA to access the report.
      From the BPA summary page, view Policies, Objects, Network, or Device detailed reports for the selected configuration assessment.
      From a detailed report, click the circled blue ? for descriptions and rationales for the configuration check and links to technical documentation for the best practice configuration.
      For Security profiles (Vulnerability Protection, Antivirus, Anti-Spyware, URL Filtering, File Blocking), use the safe transition advice to ensure availability of business-critical applications as you move to best practice Security profiles.
  4. After you implement the first set of best practice changes, run the BPA again to measure progress and help verify that the changes work as expected.
    Compare the first BPA output and the next BPA output to see the improvements in your security posture. Identify and prioritize the next area of improvement to address.
  5. Use the BPA’s links to technical documentation to configure the next set of best practices you prioritized.
  6. At your own pace, repeat the process of running the BPA to measure progress and identify and prioritize next steps, and then configure best practices using the technical documentation.
  7. Get started now—Access and Run the BPA or contact your Palo Alto Networks SE or partner and begin the transition to a more secure network today!
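
As an added illustration of step 2 (not part of Palo Alto Networks' documentation or the BPA tool), the following Python example lists the Security policy allow rules that lack any of the four profile types named there, whether attached directly or through a profile group. It assumes an exported XML configuration in which rules sit under `rulebase/security/rules` and profile groups under `profile-group`, with the element names shown; the sample configuration and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Profile types from step 2, keyed by assumed config element name.
REQUIRED = {"virus": "Antivirus", "spyware": "Anti-Spyware",
            "vulnerability": "Vulnerability Protection",
            "wildfire-analysis": "WildFire Analysis"}

# Constructed sample configuration, not from a real device.
SAMPLE_CONFIG = """
<vsys><entry name="vsys1">
  <profile-group><entry name="strict-group">
    <virus><member>av-strict</member></virus>
    <spyware><member>as-strict</member></spyware>
    <vulnerability><member>vp-strict</member></vulnerability>
    <wildfire-analysis><member>wf-default</member></wildfire-analysis>
  </entry></profile-group>
  <rulebase><security><rules>
    <entry name="web-out"><action>allow</action>
      <profile-setting><group><member>strict-group</member></group></profile-setting></entry>
    <entry name="dns-out"><action>allow</action>
      <profile-setting><profiles>
        <virus><member>default</member></virus>
        <spyware><member>default</member></spyware>
      </profiles></profile-setting></entry>
    <entry name="legacy-app"><action>allow</action></entry>
    <entry name="block-telnet"><action>deny</action></entry>
  </rules></security></rulebase>
</entry></vsys>
"""

def attached(node):
    """Required profile types that have a member under node."""
    if node is None:
        return set()
    return {tag for tag in REQUIRED if node.findtext(f"{tag}/member")}

def missing_profiles(xml_text):
    """Map each allow rule to the required profile types it lacks."""
    root = ET.fromstring(xml_text)
    groups = {g.get("name"): attached(g) for g in root.iterfind(".//profile-group/entry")}
    report = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # only allow rules pass traffic that profiles would inspect
        have = attached(rule.find("profile-setting/profiles"))
        have |= groups.get(rule.findtext("profile-setting/group/member"), set())
        lacking = sorted(REQUIRED[t] for t in REQUIRED.keys() - have)
        if lacking:
            report[rule.get("name")] = lacking
    return report
```

The check is presence-only: it reports rules with no profile of a given type attached and does not evaluate whether an attached profile's settings follow best practices.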
