Review Best Practice Policy Configuration

Use the Best Practice Assessment (BPA) tool to check your policy (security, decryption, DoS, etc.) configuration to identify weaknesses you can improve.
Best Practice Assessment
shows all checks related to different types of firewall policies and begins on the
Security Rulebase checks
Security Rulebase checks
summarizes the best practice check results by device group, with a pass/fail status and recommendations for what to do about failed checks. Click help ( ) to view the description of and rationale for each result, along with a link to technical documentation for reference.
Select the type of policy you want to review from the left menu to identify potential rule improvements. For example,
Security Rule Checks
displays rule-based check results. Click
Local Filters
to configure filters that narrow the results to rules that failed one or more particular checks. You can
Export Data
to export the list to a .csv file for remediation analysis.
When you review
information, at a minimum, review the following items to help understand the scope of policy remediation (switch between views):
  • Security
    —Identify rules that fail the
    Source/Destination !=any/any
  • Security
    —Identify rules that fail the
    App-ID with Service
  • Security
    —Identify User-ID rules that fail the
    User-ID Rules without User ID enabled on Zone
  • Decryption Rulebase
    —SSH Proxy decryption checks.
  • Decryption
    —Each Decryption policy rule should have an associated Decryption profile.
    The exception is TLSv1.3 traffic that you choose not to decrypt by applying a No Decryption policy to the traffic. When you attach a No Decryption profile to the policy, the profile checks certificate information and blocks decryption sessions that use bad certificates. However, because TLSv1.3 encrypts certificate information, the firewall cannot block undecrypted traffic based on certificate information, so there is no point to attaching the profile to the policy.
  • Application Override
    —Application Override rules that use a simple custom application bypass Layer 7 inspection for matching traffic. Reduce or eliminate Application Override rules that use a simple custom application so you can Improve Visibility into Traffic and inspect the applications and content these rules control.

Recommended For You