In Panorama-managed environments, Panorama
may manage large numbers of next-generation firewalls. Should you
run the BPA on Panorama or on each individual firewall? The tradeoff
is speed and convenience versus completeness.
BPA on Panorama is fast, convenient, and assesses most of the capabilities
of the managed firewalls, but does not examine local firewall overrides.
the BPA on each managed firewall assesses the complete configuration
(including local overrides) but takes much more time.
most practical method is to run the BPA on Panorama first. Examine
the results, decide if you need to focus on any particular managed
devices, and then run the BPA on those devices. This method saves
time while still focusing on relevant information that enables you
to improve your security posture.