Evaluate Best Practice Configuration
Measure your configuration against Security best practices
using the Best Practice Assessment (BPA) tool.
The Best Practice Assessment (BPA) tool helps you understand
the current level of best practice configuration in your Security
policy so you can assess the maturity of your security posture.
Watch the Introduction to the BPA video to
learn about the BPA, and take advantage of the BPA video library and
the BPA+ video library to
learn even more about the tool.
The BPA report opens first on the Adoption Heatmap page. Click
the
Best Practice Assessment
to view the
BPA section of the report, which focuses on the adoption of configuration
best practices for next-generation firewalls and Panorama. 
In addition to this documentation, you can view the BPA demo and a short video about how to run a BPA to learn
more about using the BPA.
A BPA report evaluates a next-generation firewall or Panorama
configuration file against more than 200 best practice checks. The
BPA groups the results of the evaluation by policies, objects, network,
and device/Panorama information, similar to the PAN-OS user interface.
In Panorama-managed environments, Panorama
may manage large numbers of next-generation firewalls. Should you
run the BPA on Panorama or on each individual firewall? The tradeoff
is speed and convenience versus completeness.
Running the
BPA on Panorama is fast, convenient, and assesses most of the capabilities
of the managed firewalls, but does not examine local firewall overrides.
Running
the BPA on each managed firewall assesses the complete configuration
(including local overrides) but takes much more time.
The
most practical method is to run the BPA on Panorama first. Examine
the results, decide if you need to focus on any particular managed
devices, and then run the BPA on those devices. This method saves
time while still focusing on relevant information that enables you
to improve your security posture.
Review and analyze the information to find areas to focus on
and improve:
