Use the Best Practice Assessment (BPA) tool to check
your policy (security, decryption, DoS, etc.) configuration to identify
weaknesses you can improve.
all checks related to different types of firewall policies and begins
Security Rulebase checks
summarizes the best practice check results
by device group, with a pass/fail status and recommendations for
what to do about failed checks. Click help to view the description
of and rationale for each result, along with a link to the technical
documentation for reference.
Select the type of policy you want to review from
the left menu to identify potential rule improvements. For example,
displays rule-based check results. Click the filter control
to configure filters that narrow the results
to rules that failed one or more particular checks. You can
export the filtered list to a .csv file to track remediation.
When you review
the results, at a minimum review the following items to help understand
the scope of policy remediation (switch between views):
that fail the
—Identify rules that fail the
—Identify User-ID rules that fail the
Rules without User ID enabled on Zone
—SSH Proxy decryption checks.
—Each Decryption policy rule should have
an associated Decryption profile.
The exception is TLSv1.3
traffic that you choose not to decrypt by applying a No Decryption
policy rule to the traffic. When you attach a No Decryption profile to
such a rule, the profile checks the server certificate and blocks
undecrypted sessions that present bad certificates (for example, expired
certificates or untrusted issuers). However, because
TLSv1.3 encrypts the server certificate inside the handshake, the firewall
cannot evaluate certificate information for traffic it does not decrypt,
so attaching the profile to a TLSv1.3 No Decryption rule has no effect.
—Application Override rules that
use a simple custom application (one with no signatures) classify matching
traffic by port and protocol only, so that traffic bypasses App-ID and
Layer 7 content inspection. Reduce or eliminate Application Override rules
that use a simple custom application so you can Improve Visibility into Traffic and inspect
the applications and content these rules control.
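The filter-and-export step above and the per-check review list come down to the same work once the results are out of the tool: group check results by device group, pull out the rules that fail the checks you care about, and hand the filtered list to whoever owns remediation. The Python script below is an added example and is not part of the BPA tool or this page; the CSV column names, the check names and the sample rows are constructed assumptions standing in for a real export, and `exempt` is a hypothetical parameter for rules you have accepted as exceptions (such as a TLSv1.3 No Decryption rule that deliberately has no profile).

```python
"""Summarize a BPA-style rule check export and build a remediation list.

The CSV layout, the check names and the sample rows are assumptions made
for this example; they are not the BPA tool's actual export format.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (rule, check). Columns are hypothetical.
SAMPLE_CSV = """device_group,rulebase,rule_name,check,status
Branch-DG,security,allow-web,Log at Session End,pass
Branch-DG,security,allow-web,Application Based,fail
Branch-DG,security,allow-any,Application Based,fail
Branch-DG,security,allow-any,Service Application Default,fail
Branch-DG,security,deny-all,Log at Session End,pass
DC-DG,decryption,decrypt-outbound,Decryption Profile Attached,pass
DC-DG,decryption,no-decrypt-finance,Decryption Profile Attached,fail
DC-DG,security,app-override-custom,Application Override Custom App,fail
"""


def load_results(text):
    """Parse the export text into a list of dict rows (one per rule/check pair)."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_device_group(rows):
    """Return {device_group: {'pass': n, 'fail': n}}, mirroring the summary view."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in rows:
        summary[row["device_group"]][row["status"]] += 1
    return dict(summary)


def rules_failing(rows, checks, rulebase=None, exempt=()):
    """Rules that fail at least one of the named checks.

    rulebase restricts the result to one policy type (e.g. "security");
    exempt (hypothetical) lists rule names accepted as known exceptions.
    Returns {(device_group, rulebase, rule_name): sorted failed check names}.
    """
    wanted = set(checks)
    exempt = set(exempt)
    failed = defaultdict(set)
    for row in rows:
        if row["status"] != "fail" or row["check"] not in wanted:
            continue
        if rulebase and row["rulebase"] != rulebase:
            continue
        if row["rule_name"] in exempt:
            continue
        key = (row["device_group"], row["rulebase"], row["rule_name"])
        failed[key].add(row["check"])
    return {key: sorted(names) for key, names in failed.items()}


def to_remediation_csv(failed):
    """Render the filtered rules as CSV text for a remediation tracker."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["device_group", "rulebase", "rule_name", "failed_checks"])
    for (dg, rb, rule), names in sorted(failed.items()):
        writer.writerow([dg, rb, rule, "; ".join(names)])
    return out.getvalue()


if __name__ == "__main__":
    rows = load_results(SAMPLE_CSV)
    print(summarize_by_device_group(rows))
    # Security rules that are not application-based, the ones to rewrite first.
    failing = rules_failing(
        rows, ["Application Based", "Service Application Default"], rulebase="security"
    )
    print(to_remediation_csv(failing))
    # Decryption rules missing a profile, with the accepted TLSv1.3 exception removed.
    print(rules_failing(rows, ["Decryption Profile Attached"], exempt={"no-decrypt-finance"}))
```

Run it once per export: the summary tells you how large the remediation effort is per device group, and the filtered CSV is what you attach to the change ticket. Keeping accepted exceptions in `exempt` rather than editing the export keeps the next assessment's results comparable with this one.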