Prioritize Best Practice Changes

Use the Best Practice Assessment (BPA) tool to prioritize security improvements and strengthen your security posture efficiently.
The amount of information in a BPA report can be overwhelming. This chapter provides recommendations to help you prioritize improvements to your configuration so you can close security gaps, implement the highest-value enhancements first, and make progress toward achieving a best practice security posture.
In Panorama-managed environments, Panorama may manage large numbers of next-generation firewalls. Should you run the BPA on Panorama or on each individual firewall? The tradeoff is speed and convenience versus completeness.
Running the BPA on Panorama is fast, convenient, and assesses most of the capabilities of the managed firewalls, but does not examine local firewall overrides.
Running the BPA on each managed firewall assesses the complete configuration (including local overrides) but takes much more time.
The most practical method is to run the BPA on Panorama first. Examine the results, decide if you need to focus on any particular managed devices, and then run the BPA on those devices. This method saves time while still focusing on relevant information that enables you to improve your security posture.
The following topics describe how to improve your security posture in the order in which new deployments are usually implemented: management first, then visibility, control, and enforcement. Existing deployments may already have achieved some maturity in each area.

