Identify Gaps in Adoption
Discover weaknesses in security capability adoption using
the Best Practice Assessment tool.
The Adoption Heatmap options show where your
security policy is strong and where there are gaps in security policy
capability adoption that you can focus on improving. To gain maximum
visibility into traffic and maximum protection against attacks,
set goals for security capability adoption and use the following
recommendations as a best practice baseline. Assess your current
posture against the baseline to identify gaps in security policy
capability adoption.
Adoption Heatmaps help identify devices,
zones, and areas where you can improve security policy capability
adoption. You can review adoption information by Device Group, Serial
Number & Vsys, Zones, Areas of Architecture, Tags, Rule Details,
and Zone Mappings. Use Local Filters to filter on
Device Group, Source Area of Architecture, Destination Area of Architecture,
Target, Source Zone, Destination Zone, and Tags to narrow the scope
and identify gaps. To view the Adoption Heatmap by Area
of Architecture, select Adoption Heatmap > Areas of Architecture.

In Adoption Heatmap > Summary,
click Adoption Summary to
check the adoption rates of the following capabilities. Use the
recommendations as gap identification criteria. If the actual adoption
rate doesn’t match the recommendations, plan to close the gap:

- Apply WildFire, Antivirus, Anti-Spyware, Vulnerability Protection, and File Blocking security profiles to all rules that allow traffic, with a target of 100% or almost 100% adoption. If you don’t apply a profile to an allow rule, ensure that there is a good business reason not to. Configuring security profiles on all allow rules enables the firewall to inspect decrypted traffic for threats, regardless of application or service/port. After updating the configuration, run the BPA again to measure progress and to catch new rules that don’t have security profiles attached. You can apply WildFire profiles to rules without a WildFire license; coverage is then limited to PE files, but this still provides useful visibility into unknown malicious files.
- In the Anti-Spyware profile, enable DNS Sinkhole on all rules so that DNS queries for malicious and custom domains are answered with the sinkhole address. Compromised internal hosts then cannot reach the real destination, and they identify themselves when they connect to the sinkhole, which lets you track them and avoids gaps in DNS inspection. Enabling DNS Sinkhole protects your network without affecting availability, so you can and should enable it right away.
- Apply URL Filtering and Credential Theft (phishing) Protection to all outbound internet traffic.
In the Adoption
Summary’s Application & User Control Adoption Summary, check
the adoption rates of the following capabilities. Use the recommendations
as gap identification criteria—if the actual adoption rate doesn’t
match the recommendations, plan to close the gap:

- Apply App-ID to as close to 100% of the rules as possible. Apply User-ID to all rules with source zones or address ranges that have a user presence (some zones have no user sources; for example, sources in data center zones should be servers, not users). Use App-ID and User-ID to create policies that allow the appropriate users access to sanctioned (and tolerated) applications, and explicitly block malicious and unwanted applications.
- Target 100% or close to 100% service/port adoption: don’t allow applications on non-standard ports unless there’s a good business reason for it.
In the Adoption Summary’s Logging
& Zone Protection Adoption Summary, check the adoption rates
of the following capabilities. Use the recommendations as gap identification
criteria—if the actual adoption rate doesn’t match the recommendations, plan
to close the gap:

- Target at or close to 100% adoption for Logging and Log Forwarding.
- Configure Zone protection profiles on all zones.
In summary:

Feature | Adoption Goal |
---|---|
WildFire | As close to 100% of Security policy rules as possible |
Antivirus | As close to 100% of Security policy rules as possible |
Anti-Spyware | As close to 100% of Security policy rules as possible |
Vulnerability Protection | As close to 100% of Security policy rules as possible |
File Blocking | As close to 100% of Security policy rules as possible |
URL Filtering and Credential Theft Protection | All outbound internet traffic |
App-ID | As close to 100% of Security policy rules as possible |
User-ID | All rules with source zones or address ranges that have a user presence |
Service/port | As close to 100% of Security policy rules as possible |
Logging | As close to 100% of Security policy rules as possible |
Log Forwarding | As close to 100% of Security policy rules as possible |
Zone Protection | All zones |
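The gap-identification criteria above can also be applied outside the BPA, directly to an exported rulebase. The following script is an added example, not part of the BPA tool or of this documentation: it parses a small security rulebase and profile group written in the PAN-OS running-config XML layout (the config is constructed for the example, not a real export), resolves profiles attached through a profile group as well as directly, and computes the same adoption rates the Adoption Summary reports. Profile adoption is measured over allow rules only, User-ID only over rules whose source zone carries users, and URL Filtering only over allow rules bound for the internet; the zone names `trust` and `untrust` used for those two scopes are assumptions you would replace with your own.

```python
# Added example: compute the Adoption Summary rates for a PAN-OS rulebase.
# Element names follow the PAN-OS running-config XML layout for security rules
# and security profile groups; the config below is constructed, not a real export.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <profile-group><entry name="strict">
    <virus><member>default</member></virus><spyware><member>strict</member></spyware>
    <vulnerability><member>strict</member></vulnerability>
    <file-blocking><member>strict</member></file-blocking>
    <wildfire-analysis><member>default</member></wildfire-analysis>
    <url-filtering><member>default</member></url-filtering>
  </entry></profile-group>
  <rulebase><security><rules>
    <entry name="users-to-internet">
      <from><member>trust</member></from><to><member>untrust</member></to>
      <source-user><member>employees</member></source-user>
      <application><member>web-browsing</member><member>ssl</member></application>
      <service><member>application-default</member></service><action>allow</action>
      <profile-setting><group><member>strict</member></group></profile-setting>
      <log-end>yes</log-end><log-setting>to-siem</log-setting>
    </entry>
    <entry name="dmz-web-legacy">
      <from><member>untrust</member></from><to><member>dmz</member></to>
      <source-user><member>any</member></source-user>
      <application><member>any</member></application>
      <service><member>service-http</member></service><action>allow</action>
      <profile-setting><profiles><virus><member>default</member></virus></profiles></profile-setting>
      <log-end>yes</log-end>
    </entry>
    <entry name="dc-backup">
      <from><member>dc</member></from><to><member>dc</member></to>
      <source-user><member>any</member></source-user>
      <application><member>any</member></application>
      <service><member>any</member></service><action>allow</action>
      <log-end>no</log-end>
    </entry>
    <entry name="deny-all">
      <from><member>any</member></from><to><member>any</member></to>
      <source-user><member>any</member></source-user>
      <application><member>any</member></application>
      <service><member>any</member></service><action>deny</action>
      <log-end>yes</log-end><log-setting>to-siem</log-setting>
    </entry>
  </rules></security></rulebase>
</config>"""

# Threat-prevention profile types the page wants on every allow rule.
THREAT_PROFILES = ("wildfire-analysis", "virus", "spyware", "vulnerability", "file-blocking")
ALL_PROFILES = THREAT_PROFILES + ("url-filtering",)

def members(elem, path):
    """Values of the <member> children under path, or [] if the path is absent."""
    node = elem.find(path)
    return [m.text for m in node.findall("member")] if node is not None else []

def rule_profiles(rule, groups):
    """Profile types attached to a rule directly or through a profile group."""
    attached = {p for p in ALL_PROFILES if members(rule, f"profile-setting/profiles/{p}")}
    for name in members(rule, "profile-setting/group"):
        attached |= groups.get(name, set())
    return attached

def rate(adopted, total):
    """(adopted, in_scope, percent); percent is None when no rule is in scope."""
    return (adopted, total, round(100 * adopted / total, 1) if total else None)

def adoption(config_xml, user_zones, internet_zones):
    """Adoption rate per capability, mirroring the Adoption Summary criteria."""
    root = ET.fromstring(config_xml)
    groups = {g.get("name"): {p for p in ALL_PROFILES if members(g, p)}
              for g in root.findall(".//profile-group/entry")}
    rules = root.findall(".//rulebase/security/rules/entry")
    allow = [r for r in rules if r.findtext("action") == "allow"]
    profiles = {r.get("name"): rule_profiles(r, groups) for r in allow}
    # Goals that apply only to part of the rulebase: User-ID where users sit behind
    # the source zone, URL Filtering on allow rules bound for the internet. A zone
    # of "any" covers those zones too, so such rules stay in scope.
    user_rules = [r for r in rules if set(members(r, "from")) & (user_zones | {"any"})]
    outbound = [r for r in allow if set(members(r, "to")) & (internet_zones | {"any"})]
    result = {p: rate(sum(p in profiles[r.get("name")] for r in allow), len(allow))
              for p in THREAT_PROFILES}
    result["url-filtering-outbound"] = rate(
        sum("url-filtering" in profiles[r.get("name")] for r in outbound), len(outbound))
    result["app-id"] = rate(sum(members(r, "application") != ["any"] for r in rules), len(rules))
    result["user-id"] = rate(
        sum(members(r, "source-user") != ["any"] for r in user_rules), len(user_rules))
    # application-default or an explicit service object both count as port control.
    result["service-port"] = rate(sum(members(r, "service") != ["any"] for r in rules), len(rules))
    result["logging"] = rate(sum(r.findtext("log-end") == "yes" for r in rules), len(rules))
    result["log-forwarding"] = rate(sum(r.find("log-setting") is not None for r in rules), len(rules))
    return result

def gaps(result, goal_pct=100.0):
    """Capabilities whose adoption rate is below the goal (100% unless relaxed)."""
    return sorted(n for n, (_, _, pct) in result.items() if pct is not None and pct < goal_pct)

if __name__ == "__main__":
    rates = adoption(SAMPLE_CONFIG, user_zones={"trust"}, internet_zones={"untrust"})
    print(rates, "\ngaps:", gaps(rates))
```

On the sample, `dmz-web-legacy` shows why profiles are counted per type rather than as "has a profile": it carries only Antivirus, so WildFire, Anti-Spyware, Vulnerability Protection and File Blocking each report 1 of 3 allow rules while Antivirus reports 2 of 3. The deny rule is excluded from the profile counts but still counts toward App-ID, service/port, Logging and Log Forwarding, as in the Adoption Summary. DNS Sinkhole and Zone Protection are not checked here; the first requires inspecting the Anti-Spyware profile objects and the second the zone objects, neither of which the sample includes. On a Panorama export the rules sit under pre-rulebase and post-rulebase paths rather than a single rulebase, so adjust the `findall` path accordingly.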
When viewing Adoption Heatmaps, use
Local Filters to narrow the scope. Use the resulting information to
identify gaps in security policy capability, measure against gap-identification
criteria, and refine or establish new gap-identification criteria
for further investigation. For example, to create a filter that
displays adoption of rules that control traffic to the Internet
Area of Architecture:
- Select Adoption Heatmap > Areas of Architecture.
- Click Local Filters to expand the filter options.
- Set the Destination Area of Architecture to Internet.
- Click Apply. The BPA filters the results.
Interpret the results based on your security goals and criteria. For example, if your goal is to apply WildFire to 100% of your allow rules and the filtered Adoption Heatmap reveals that only 50% of your DMZ allow rules have WildFire profiles, you have identified a gap to target for improvement.
Next: Identify Rules to Improve.