Identify and Prioritize Best Practices
Run the BPA to measure security best practice adoption on your firewalls and to prioritize actions to take to increase security by applying best practices.
Palo Alto Networks’ Best Practice Assessment (BPA) uses your Tech Support File to analyze Panorama and next-generation firewall configuration settings and compares the configuration to Palo Alto Networks best practices. The BPA shows the current state of best practice security adoption and suggests specific changes to align the configuration with security best practices. Running the BPA not only gives you an understanding of where to improve your security posture, it also sets a baseline for later comparison and provides links to technical documentation that shows you how to transition the BPA’s recommendations into a best practice configuration.
In Panorama-managed environments, Panorama may manage large numbers of next-generation firewalls. Should you run the BPA on Panorama or on each individual firewall? The tradeoffs are:
- Running the BPA on Panorama is fast, convenient, and assesses most of the capabilities of the managed firewalls, but does not examine local firewall overrides.
- Running the BPA on each managed firewall assesses the complete configuration (including local overrides) but takes much more time.
The most practical method is to run the BPA on Panorama first. Examine the results, decide if you need to focus on any particular managed devices, and then run the BPA on those devices. This method saves time while still focusing on relevant information that enables you to improve your security posture.
Using an iterative, prioritized approach, you can transform your security posture to a best practice state, one step at a time, measuring progress as you go at your pace and level of comfort:
- Upload a Tech Support File on Customer Support Portal and Access and Run the BPA yourself, or contact your Palo Alto Networks SE or partner to run the BPA on Panorama or your next-generation firewalls. If you run the BPA yourself, we recommend that you contact your Palo Alto Networks SE or partner to help interpret the results and discuss the next steps.
- Identify and prioritize the first area of improvement to begin the transition to best practices. Whether your Palo Alto Networks SE or partner runs the BPA or you run the BPA, your SE or partner can help you formulate a prioritized plan to safely phase in best practices. Plan to start with the safest, easiest, highest impact changes first, such as applying Antivirus, Anti-Spyware, Vulnerability Protection, and WildFire Analysis profiles to your Security policy allow rules.
- Use the BPA’s links to technical documentation to configure the best practices you prioritize. Downloading the BPA report gives you a .zip file that contains the detailed HTML report, an Executive Summary, and an Excel spreadsheet that lists failed best practice checks. You link to technical documentation in two ways:
  - From the spreadsheet—The Documentation tab provides links for each failed check. In addition, the identification number in the Check ID column on the Policies, Objects, Network, and Device tabs links directly to the relevant line on the Documentation tab.
  - From the HTML report—When you open the HTML report, you see an Adoption Heatmap that summarizes best practice adoption. Select Best Practice Assessment to access the report. You can view Policies, Objects, Network, and Device detailed reports for the selected configuration assessment. From a detailed report, click Learn More for descriptions and rationales for the configuration check and links to technical documentation for best practice configurations. For Security profiles (Vulnerability Protection, Antivirus, Anti-Spyware, URL Filtering, File Blocking), use the safe transition advice to ensure availability of business-critical applications as you move to best practice Security profiles.
- After you implement the first set of best practice changes, run the BPA again to measure progress and help verify that the changes work as expected. Compare the first BPA output and the next BPA output to see the improvements in your security posture. Identify and prioritize the next area of improvement to address.
- Use the BPA’s links to technical documentation to configure the next set of best practices you prioritized.
- At your own pace, repeat the process of running the BPA to measure progress and identify and prioritize next steps, and then configure best practices using the technical documentation.
- Get started now—Access and Run the BPA or contact your Palo Alto Networks SE or partner and begin the transition to a more secure network today!