Review the Adoption Summary
Use the Best Practice Assessment tool to measure adoption
of security capabilities such as Security profiles, App-ID, User-ID,
Logging, Zone Protection, and Decryption.
After you or your Palo Alto Networks representative runs the BPA, the resulting
HTML report opens on the Adoption Heatmap page, in the Adoption
Summary. The Adoption Summary view provides an overview of your
device’s overall adoption of security capabilities. The report shows
the current adoption percentage for each metric (except Industry
Average, which provides the adoption averages in your industry),
and in parentheses, the percentage change in adoption since the
last time you ran the BPA on the device’s configuration file (or
No change if the value is the same as the last time you
ran the BPA).

Overall Adoption—Adoption of Security profiles in Security
policy allow rules. Percentages are based on the number of allow
rules that have one or more profiles enabled as part of the rule.
The BPA doesn’t count disabled rules or block rules.

Industry Average—Average adoption of Security profiles
in allow rules for your company’s industry.

Best Practice Mode—Adoption of Security profiles configured
in the recommended best practice manner in allow rules. The BPA
only counts rules with profiles that pass all best practice checks.

App-ID Adoption—Adoption of App-ID across Security policy
rules. The percentage value is based on the total number of allow
rules with one or more defined applications (the Application is not any).
The BPA doesn’t count disabled rules.

User-ID Adoption—Adoption of User-ID across Security policy
rules. The percentage value is based on the total number of allow
rules with users (including the values known-user and unknown)
or user groups. The BPA doesn’t count disabled rules.

Service/Port Adoption—Adoption of service/port across
Security policy rules. The percentage value is based on the total
number of allow rules with a defined service or port (the Service
is not any). The BPA doesn’t count disabled rules.

The BPA doesn’t count App-ID, User-ID, or Service/Port
adoption for block rules because the rationale for blocking differs
from business to business, so the BPA can’t make recommendations
based on block rules.

Logging Adoption—Adoption of Log at Session End
across Security policy rules. The percentage value
is based on the total number of rules with Log at Session End
enabled. The BPA doesn’t count disabled rules.

Log Forwarding Adoption—Adoption of Log Forwarding profiles
across Security policy rules. The percentage value is based on the
total number of rules with a Log Forwarding profile configured.
The BPA doesn’t count disabled rules.

Zone Protection Adoption—Adoption of Zone Protection across
Security policy allow rules. The percentage value is based on the
total number of allow rules in which the source zone has a Zone
Protection profile configured. The BPA doesn’t count disabled rules.

For each of these metrics, the value in parentheses next to each
percentage is the percentage change in adoption since the last time
you ran the BPA on the device’s configuration file (or
No change if the value is the same as the last time you
ran the BPA).

Decryption Summary—Shows if the configuration includes
Decryption policy rules for SSL Forward Proxy, SSL Inbound Inspection,
and SSH Proxy. The summary also shows if the configuration includes
Decryption profiles and identifies URL categories that the device
exempts from decryption.

If you don’t decrypt a URL category (or individual applications),
you can’t inspect its traffic because the firewall can’t see what’s
inside the encrypted traffic. The firewall can only inspect traffic
you decrypt.
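
The counting rules described above, applied to a small constructed rulebase. This is an added example, not the BPA's own code; the Rule field names, the sample rules, the choice of denominators, and the format of the change value are assumptions made for illustration.

```python
from collections import namedtuple

# Field names are assumptions made for this example, not a PAN-OS or BPA schema.
Rule = namedtuple(
    "Rule", "name action disabled profiles apps users services log_end log_fwd src_zones")

# Constructed sample rulebase.
RULES = [
    Rule("web-out", "allow", False, ["av"], ["web-browsing", "ssl"], ["known-user"],
         ["application-default"], True, "fwd-default", ["trust"]),
    Rule("legacy-any", "allow", False, [], ["any"], ["any"], ["any"], True, None, ["trust"]),
    Rule("inbound-web", "allow", False, ["vuln"], ["web-browsing"], ["any"],
         ["service-https"], True, "fwd-default", ["untrust"]),
    Rule("block-bad", "deny", False, [], ["any"], ["any"], ["any"], False, None, ["untrust"]),
    Rule("old-ssh", "allow", True, ["av"], ["ssh"], ["any"], ["any"], True, None, ["trust"]),
]
ZONES_WITH_PROFILE = {"untrust"}  # constructed: zones with a Zone Protection profile


def defined(values):
    """True when the field names something specific, i.e. it is not 'any'."""
    return bool(values) and values != ["any"]


def pct(rules, predicate):
    return round(100.0 * sum(map(predicate, rules)) / len(rules), 1) if rules else 0.0


def adoption_summary(rules, protected_zones):
    enabled = [r for r in rules if not r.disabled]       # disabled rules never count
    allow = [r for r in enabled if r.action == "allow"]  # block rules are left out here
    return {
        "overall": pct(allow, lambda r: bool(r.profiles)),
        "app_id": pct(allow, lambda r: defined(r.apps)),
        "user_id": pct(allow, lambda r: defined(r.users)),
        "service_port": pct(allow, lambda r: defined(r.services)),
        # Assumption: the logging metrics use every enabled rule, allow or block.
        "logging": pct(enabled, lambda r: r.log_end),
        "log_forwarding": pct(enabled, lambda r: r.log_fwd is not None),
        # Assumption: one protected source zone is enough for the rule to count.
        "zone_protection": pct(allow, lambda r: any(z in protected_zones for z in r.src_zones)),
    }


def change(previous, current):
    """Value shown in parentheses; assumed to be a difference in percentage points."""
    return "No change" if previous == current else f"{current - previous:+.1f}%"
```

The legacy-any rule lowers every allow-rule metric while still counting toward Logging Adoption, which is why a rulebase can score well on logging and poorly on App-ID, User-ID, and Service/Port at the same time.
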
Next: Identify Gaps in Adoption to understand
where you can improve security.