Use the Best Practice Assessment (BPA) tool to check your policy (security, decryption, DoS, etc.) configuration to identify weaknesses you can improve.

The Policies section of the Best Practice Assessment shows all checks related to the different types of firewall policies and begins on the Security Rulebase checks page. Security Rulebase checks summarizes the best practice check results by device group, with a pass/fail status and recommendations for what to do about failed checks. Click the help icon to view the description of and rationale for each result, along with a link to technical documentation for reference.

Select the type of policy you want to review from the left menu to identify potential rule improvements. For example, Security Rule Checks displays rule-based check results. Click Local Filters to configure filters that narrow the results to rules that failed one or more particular checks. You can Export Data to export the list to a .csv file for remediation analysis.
When you review Policy information, at a minimum review the following items to help understand the scope of policy remediation (switch between views):

- Security—Identify rules that fail the Source/Destination !=any/any check.
- Security—Identify rules that fail the App-ID with Service check.
- Security—Identify User-ID rules that fail the User-ID Rules without User ID enabled on Zone check.
- Decryption Rulebase—SSH Proxy decryption checks.
- Decryption—Each Decryption policy rule should have an associated Decryption profile. The exception is TLSv1.3 traffic that you choose not to decrypt by applying a No Decryption policy to the traffic. When you attach a No Decryption profile to the policy, the profile checks certificate information and blocks decryption sessions that use bad certificates. However, because TLSv1.3 encrypts certificate information, the firewall cannot block undecrypted traffic based on certificate information, so there is no point in attaching the profile to the policy.
- Application Override—Application Override rules that use a simple custom application bypass Layer 7 inspection for matching traffic. Reduce or eliminate Application Override rules that use a simple custom application so you can improve visibility into traffic and inspect the applications and content these rules control.
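As an added example (not part of this page, the BPA tool or PAN-OS), the following Python re-implements the policy checks listed above over a constructed rulebase so you can see what each pass/fail result is testing, including the TLSv1.3 No Decryption exception. The rule dictionary shape, the `USER_ID_ZONES` set, the `tls13_only` and `simple_custom_app` flags, and the exact pass/fail logic are assumptions derived from the check names, not the BPA's own implementation.

```python
DEFAULTS = {"source": ["any"], "destination": ["any"], "from_zone": ["any"],
            "source_user": ["any"], "application": ["any"], "service": ["any"],
            "action": "allow", "decryption_profile": "", "tls13_only": False,
            "simple_custom_app": False}
USER_ID_ZONES = {"trust"}  # constructed: zones on which User-ID is enabled

def rule(name, rulebase, **fields):
    # Constructed rule shape for this example, not the PAN-OS or BPA export format.
    return {"name": name, "rulebase": rulebase, **DEFAULTS, **fields}

def src_dst_not_any_any(r):
    return not (r["source"] == ["any"] and r["destination"] == ["any"])

def app_id_with_service(r):
    # App-ID rules should also pin the service (application-default or explicit ports).
    return r["application"] != ["any"] and r["service"] != ["any"]

def user_id_zone_enabled(r):
    if r["source_user"] == ["any"]:
        return True  # not a User-ID rule, so the check does not apply
    return all(z in USER_ID_ZONES for z in r["from_zone"])

def decryption_profile_attached(r):
    if r["action"] == "no-decrypt" and r["tls13_only"]:
        return True  # TLSv1.3 hides certificate data, so a No Decryption profile cannot act
    return bool(r["decryption_profile"])

def no_simple_custom_app(r):
    return not r["simple_custom_app"]  # simple custom apps bypass Layer 7 inspection

CHECKS = {"security": [src_dst_not_any_any, app_id_with_service, user_id_zone_enabled],
          "decryption": [decryption_profile_attached],
          "app-override": [no_simple_custom_app]}

def run_checks(rules):
    """Return {rule name: [failed check names]} for every rule that fails a check."""
    failures = {}
    for r in rules:
        failed = [c.__name__ for c in CHECKS.get(r["rulebase"], []) if not c(r)]
        if failed:
            failures[r["name"]] = failed
    return failures

RULES = [  # constructed sample rulebase
    rule("allow-web", "security", source=["trust"], application=["web-browsing"],
         service=["application-default"]),
    rule("legacy-any", "security"),
    rule("users-dmz", "security", source=["dmz-net"], from_zone=["dmz"],
         source_user=["staff"], application=["ssl"], service=["application-default"]),
    rule("decrypt-out", "decryption", action="decrypt"),
    rule("no-decrypt-tls13", "decryption", action="no-decrypt", tls13_only=True),
    rule("override-db", "app-override", simple_custom_app=True),
]
```

Running `run_checks(RULES)` flags legacy-any, users-dmz, decrypt-out and override-db while passing allow-web and the TLSv1.3 No Decryption rule, which is the same triage the exported .csv supports.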