Review Best Practice Policy Configuration
Use the Best Practice Assessment (BPA) tool to check
your policy (security, decryption, DoS, etc.) configuration to identify
weaknesses you can improve.
shows
all checks related to different types of firewall policies and begins
on the 
) to
view the description of and rationale for each result, along with
a link to technical documentation for reference.
Security Rulebase checks
page. Security
Rulebase checks
summarizes the best practice check results
by device group, with a pass/fail status and recommendations for
what to do about failed checks. Click help (
) to
view the description of and rationale for each result, along with
a link to technical documentation for reference.
Select the type of policy you want to review from
the left menu to identify potential rule improvements. For example,
Security
Rule Checks
displays rule-based check results. Click Local
Filters
to configure filters that narrow the results
to rules that failed one or more particular checks. You can Export
Data
to export the list to a .csv file for remediation
analysis. 
When you review
Policy
information, at
a minimum, review the following items to help understand the scope
of policy remediation (switch between views):- Security—Identify rules that fail theSource/Destination !=any/anycheck.
- Security—Identify rules that fail theApp-ID with Servicecheck.
- Security—Identify User-ID rules that fail theUser-ID Rules without User ID enabled on Zonecheck.
- Decryption Rulebase—SSH Proxy decryption checks.
- Decryption—Each Decryption policy rule should have an associated Decryption profile.The exception is TLSv1.3 traffic that you choose not to decrypt by applying a No Decryption policy to the traffic. When you attach a No Decryption profile to the policy, the profile checks certificate information and blocks decryption sessions that use bad certificates. However, because TLSv1.3 encrypts certificate information, the firewall cannot block undecrypted traffic based on certificate information, so there is no point to attaching the profile to the policy.
- Application Override—Application Override rules that use a simple custom application bypass Layer 7 inspection for matching traffic. Reduce or eliminate Application Override rules that use a simple custom application so you can Improve Visibility into Traffic and inspect the applications and content these rules control.
