Table of Contents

Access and Run the BPA

Run the Best Practice Assessment on a firewall Tech Support File from the Customer Support Portal to generate a detailed report of your best practice adoption.
Access the Best Practice Assessment (BPA) from the Customer Support Portal. Super User accounts automatically have access to the BPA and can assign the
BPA User
role to a Standard User’s profile so that the Standard User can run the BPA. This procedure shows Super Users how to give access to Standard Users and how to run the BPA. You can also view short videos on how to run a BPA and how to understand the results.
In addition, if you subscribe to the Premium (on or after Nov 1, 2019) or Platinum Support Contract, you have the opportunity to prepare for and activate Security Assurance. Security Assurance provides access to Palo Alto Networks security experts and tools to help with initial incident investigation. We strongly recommend that you run the BPA to measure your adoption of seven key security capabilities and to ensure that your adoption rate is at least equal to your industry’s average adoption rate so that your network is better protected. The combination of the Premium or Platinum support contract and a recent BPA measurement that shows your adoption rate for the seven key security capabilities meets your industry’s average automatically activates Security Assurance.
In Panorama-managed environments, Panorama may manage large numbers of next-generation firewalls. Should you run the BPA on Panorama or on each individual firewall? The tradeoffs are:
  • Running the BPA on Panorama is fast, convenient, and assesses most of the capabilities of the managed firewalls, but does not examine local firewall overrides.
  • Running the BPA on each managed firewall assesses the complete configuration (including local overrides) but takes much more time.
The most practical method is to run the BPA on Panorama first. Examine the results, decide if you need to focus on any particular managed devices, and then run the BPA on those devices. This method saves time while still focusing on relevant information that enables you to improve your security posture.

Access the BPA from the Customer Support Portal

Superusers can assign permission to Standard Users so they can run the BPA any time from the Palo Alto Networks Technical Support Portal.
  1. From the Customer Support Portal’s authentication home screen, select
    Manage Users
  2. Click the pencil icon to edit the Standard User to whom you want to assign BPA permissions.
  3. Select the
    BPA User
    role and then click the update check mark to add the new role.
  4. The Standard User now has the BPA User role privileges.
  5. Super Users and Standard Users with the BPA User role can log in to the Customer Support Portal to access and run the BPA (
    Run Best Practice Assessment

Generate and Download a BPA Report

Generate a Best Practice Assessment any time from the Palo Alto Networks Technical Support Portal to check and improve your security posture.
After you gain access to the BPA, you can generate a BPA report for a Panorama appliance or for a next-generation firewall.
If possible, generate BPA reports for Panorama appliances instead of individual next-generation firewalls to gain complete visibility into all of the firewalls in your environment in one report. Generate reports on a regular basis to measure progress toward adopting security capabilities and security best practices.
  1. Drag or drop a Tech Support File (.tgz file) in the Customer Support Portal window or browse for a Tech Support File.
    Super Users can create Tech Support Files (
    Tech Support File
    Tech Support File
  2. Optionally, map each zone to the area of architecture, or click
    Skip this step
    to run the BPA without mapping zones.
    Drag and drop the architectural value from Architecture Classification, use the
    drop-down to select a value, or select multiple check boxes to select multiple zones and then apply a value to all of the selected zones at one time.
  3. Identify the industry mapped to your account, and generate and download the BPA report (
    Generate & Download Report
    You can change the industry against which the BPA compares your results using the drop-down. If you want to change anything before you generate the report, you can also go back and make those changes.
    Generate & Download Report
    downloads the detailed BPA report, the Executive Summary report, and a spreadsheet that shows failed best practice checks to the system from which you accessed and ran the BPA.
  4. The generated BPA displays the Executive Summary and informs you that the detailed HTML report was downloaded to your computer.
  5. Now that you know how to run the BPA, go to the Customer Support Portal and try it out today (or contact your Palo Alto Networks SE or partner to run the BPA) to begin the transition to a more secure network.
    If you subscribe to the Premium (on or after November 1, 2019) or Platinum Support Contract, use the BPA to prepare your security posture to take advantage of Security Assurance, which helps with initial incident investigation.

Recommended For You