Use the Best Practice Assessment (BPA) tool to check your policy (security, decryption, DoS, etc.) configuration to identify weaknesses you can improve.
shows all checks related to different types of firewall policies.
Select the type of policy you want to review to identify potential
rule improvements. The
policy view displays
rule-based check results (
Security Rule Checks
to configure filters that narrow the results to rules that failed one or more particular checks. You can export the list to a .csv file for remediation analysis.
Click help (
view the description of and rationale for each check, along with a link to technical documentation about the capability each check
Security Rule Checks
summarize the best practice check results by device group, with a pass/fail status and recommendations for what to do about failed checks. Click help to view the description of and rationale for each result, along with a link to technical
When you review
a minimum, review the following items to help understand the scope
of policy remediation (switch between views):
that fail the
—Identify rules that fail the
—Identify User-ID rules that fail the
Rules without User ID enabled on Zone
—SSH Proxy decryption checks.
—Each Decryption policy rule should have an associated Decryption profile. The exception is TLSv1.3 traffic that you choose not to decrypt by applying a No Decryption policy to the traffic. When you attach a No Decryption profile to the policy, the profile checks certificate information and blocks sessions that use bad certificates. However, because TLSv1.3 encrypts certificate information, the firewall cannot block undecrypted traffic based on certificate information, so there is no point in attaching the profile to the policy.
—Application Override rules that use a simple custom application bypass Layer 7 inspection for matching traffic. Reduce or eliminate Application Override rules that use a simple custom application so you can Improve Visibility into Traffic and inspect the applications and content these rules control.
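The following is an added illustration, not code from the BPA tool or from Palo Alto Networks. It models two of the rule-based checks described above (Decryption rules without a Decryption profile, with the TLSv1.3 No Decryption exception, and Application Override rules that use a simple custom application) over a constructed set of rule records, then summarizes pass/fail counts by device group and produces the kind of .csv a remediation review would start from. The rule field names (`action`, `profile`, `tls13_only`, `simple_custom_app`, `device_group`) and the sample rules are assumptions made for the example, not the firewall's configuration schema.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DecryptionRule:
    """Constructed rule record; field names are assumptions for this example."""
    name: str
    device_group: str
    action: str                   # assumed values: "decrypt" or "no-decrypt"
    profile: Optional[str]        # attached Decryption profile name, or None
    tls13_only: bool = False      # constructed flag: rule only matches TLSv1.3 traffic


@dataclass
class AppOverrideRule:
    """Constructed rule record; field names are assumptions for this example."""
    name: str
    device_group: str
    application: str
    simple_custom_app: bool       # custom app defined without signatures (assumed field)


def check_decryption_profile(rule: DecryptionRule) -> str:
    """Fail when no Decryption profile is attached. The one exception is a
    No Decryption rule scoped to TLSv1.3 traffic: the profile's certificate
    checks cannot apply there because TLSv1.3 encrypts certificate information."""
    if rule.profile:
        return "pass"
    if rule.action == "no-decrypt" and rule.tls13_only:
        return "pass"
    return "fail"


def check_app_override(rule: AppOverrideRule) -> str:
    """Fail when the override uses a simple custom application, because the
    rule then bypasses Layer 7 inspection for the traffic it matches."""
    return "fail" if rule.simple_custom_app else "pass"


Result = Tuple[str, str, str, str]   # (check, device_group, rule, status)


def run_checks(dec_rules: List[DecryptionRule],
               ovr_rules: List[AppOverrideRule]) -> List[Result]:
    """Evaluate every rule against the check that applies to its policy type."""
    results: List[Result] = []
    for r in dec_rules:
        results.append(("Decryption profile attached", r.device_group,
                        r.name, check_decryption_profile(r)))
    for r in ovr_rules:
        results.append(("App Override avoids simple custom app", r.device_group,
                        r.name, check_app_override(r)))
    return results


def failed_rules(results: List[Result], check: Optional[str] = None) -> List[str]:
    """Names of rules that failed, optionally filtered to one check (like the
    filters the page describes for narrowing the rule-based view)."""
    return [rule for chk, _, rule, status in results
            if status == "fail" and (check is None or chk == check)]


def summarize_by_device_group(results: List[Result]) -> dict:
    """Pass/fail counts per device group, the shape of the summary view."""
    summary: dict = {}
    for _, group, _, status in results:
        counts = summary.setdefault(group, {"pass": 0, "fail": 0})
        counts[status] += 1
    return summary


def export_csv(results: List[Result]) -> str:
    """Render the rule-level results as CSV text for remediation analysis."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["check", "device_group", "rule", "status"])
    writer.writerows(results)
    return buf.getvalue()


# Constructed sample rules (not from any real configuration).
SAMPLE_DECRYPTION_RULES = [
    DecryptionRule("decrypt-web", "datacenter", "decrypt", "strict-fwd-proxy"),
    DecryptionRule("decrypt-no-profile", "branch", "decrypt", None),
    DecryptionRule("no-decrypt-finance", "datacenter", "no-decrypt", None),
    DecryptionRule("no-decrypt-tls13", "branch", "no-decrypt", None, tls13_only=True),
]
SAMPLE_OVERRIDE_RULES = [
    AppOverrideRule("override-db-port", "datacenter", "custom-db", simple_custom_app=True),
    AppOverrideRule("override-erp", "branch", "custom-erp", simple_custom_app=False),
]

if __name__ == "__main__":
    res = run_checks(SAMPLE_DECRYPTION_RULES, SAMPLE_OVERRIDE_RULES)
    for group, counts in summarize_by_device_group(res).items():
        print(f"{group}: {counts['pass']} pass, {counts['fail']} fail")
    print("failed rules:", failed_rules(res))
    print(export_csv(res))
```

Running the script reports the datacenter group with one pass and two fails and the branch group with two passes and one fail; `no-decrypt-tls13` passes without a profile only because it is scoped to TLSv1.3, whereas `no-decrypt-finance` fails because a No Decryption profile could still block bad certificates on that traffic.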