Review Best Practice Objects Configuration

Use the Best Practice Assessment (BPA) tool to check the objects configuration (Security and Decryption profiles, Tags, etc.) to identify weaknesses to improve.
Best Practice Assessment
shows all checks related to different types of firewall objects, and begins on the
Application Filters
page. Select the object you want to review to understand the existing configuration and to identify potential gaps in best practice configuration related to Application Filters, Tags, GlobalProtect, Security profiles, Log Forwarding, and Decryption profiles. The following example shows the result when you select the Antivirus Security profile object.
For each Antivirus profile, the report shows the current configuration and how many rules use the profile. The report shows the best practice check results below the current configuration with pass/fail status and recommendations for failed best practice checks. Click help ( ) for the rationale for each check and links to best practice documentation.
When one or more checks fail, the profile title turns red. The report lists profiles that aren’t in use at the bottom with a yellow title.
The “QS” button next to some of the profile page links on the left of the screen connect you to the QuickStart Service options. The
QuickStart Service
helps you increase your security capabilities and investments by helping you plan and execute your firewall-as-a-platform implementation. The
Self-guided Documents
help you understand, create, and deploy the object.
When you review the
tab, at a minimum, review the following items to help understand the potential scope of remediation:
  • Antivirus
    —Decoder actions for both Antivirus and WildFire.
  • Anti-Spyware
    —Strict Profile, DNS Sinkhole.
  • Vulnerability Protection
    —Strict Profile.
  • URL Filtering
    —Whether known bad categories are blocked.
  • WildFire Analysis
    —Profile File Types (all types should be sent to WildFire for analysis).
  • Log Forwarding
    —Whether all log types are forwarded (forward all log types).

Recommended For You