Run the Best Practice Assessment on a firewall Tech Support
File from the Customer Support Portal to generate a detailed report
of your best practice adoption.
Access the Best Practice Assessment (BPA)
from the Customer Support Portal. Super
User accounts automatically have access to the BPA and can assign
role to a Standard User’s profile so that the
Standard User can run the BPA. This procedure shows Super Users
how to give access to Standard Users and how to run the BPA. You
can also view short videos on how to run a BPA and how to understand the results.
addition, if you subscribe to the Premium (on or after Nov 1, 2019)
or Platinum Support Contract, you have the opportunity to prepare
for and activate Security Assurance. Security
Assurance provides access to Palo Alto Networks security experts
and tools to help with initial incident investigation. We strongly
recommend that you run the BPA to measure your adoption of seven key security
capabilities and to ensure that your adoption rate is at
least equal to your industry’s average adoption rate so that your
network is better protected. The combination of the Premium or Platinum
support contract and a recent BPA measurement that shows your adoption
rate for the seven key security capabilities meets your industry’s
average automatically activates Security Assurance.
Panorama-managed environments, Panorama may manage large numbers
of next-generation firewalls. Should you run the BPA on Panorama or
on each individual firewall? The tradeoffs are:
the BPA on Panorama is fast, convenient, and assesses most of the
capabilities of the managed firewalls, but does not examine local firewall
Running the BPA on each managed firewall assesses the complete
configuration (including local overrides) but takes much more time.
most practical method is to run the BPA on Panorama first. Examine
the results, decide if you need to focus on any particular managed
devices, and then run the BPA on those devices. This method saves
time while still focusing on relevant information that enables you
to improve your security posture.
Superusers can assign permission to Standard Users so
they can run the BPA any time from the Palo Alto Networks Technical
From the Customer Support Portal’s authentication
home screen, select
Click the pencil icon to edit the Standard User to whom
you want to assign BPA permissions.
role and then
click the update check mark to add the new role.
The Standard User now has the BPA User role privileges.
Super Users and Standard Users with the BPA User role
can log in to the Customer Support Portal to access and run the
Generate and Download a BPA Report
Generate a Best Practice Assessment any time from the
Palo Alto Networks Technical Support Portal to check and improve
your security posture.
After you gain access to the BPA, you can
generate a BPA report for a Panorama appliance or for a next-generation
If possible, generate BPA
reports for Panorama appliances instead of individual next-generation
firewalls to gain complete visibility into all of the firewalls
in your environment in one report. Generate reports on a regular
basis to measure progress toward adopting security capabilities
and security best practices.
Drag or drop a Tech Support File (.tgz
file) in the Customer Support Portal window or browse for a Tech
Super Users can create Tech Support Files (
Tech Support File
Optionally, map each zone to the area of architecture,
Skip this step
to run the BPA without
Drag and drop the architectural value from Architecture
Classification, use the
to select a value, or select multiple check boxes to select multiple
zones and then apply a value to all of the selected zones at one
Identify the industry mapped to your account, and generate
and download the BPA report (
Generate & Download Report
You can change the industry against which the BPA compares
your results using the drop-down. If you want to change anything
before you generate the report, you can also go back and make those
Generate & Download Report
the detailed BPA report, the Executive Summary report, and a spreadsheet
that shows failed best practice checks to the system from which
you accessed and ran the BPA.
The generated BPA displays the Executive Summary and
informs you that the detailed HTML report was downloaded to your
Now that you know how to run the BPA, go to the Customer Support Portal and try it out
today (or contact your Palo Alto Networks SE or partner to run the
BPA) to begin the transition to a more secure network.
If you subscribe to the Premium (on or after November
1, 2019) or Platinum Support Contract, use the BPA to prepare your
security posture to take advantage of Security Assurance, which
helps with initial incident investigation.