Identify Gaps in Adoption

Discover weaknesses in security capability adoption using the Best Practice Assessment tool.
The Heatmap shows where your security policy is strong and where there are gaps in security policy capability adoption that you can focus on improving. To gain maximum visibility into traffic and maximum protection against attacks, set goals for security capability adoption and use the following recommendations as a best practice baseline. Assess your current posture against the baseline to identify gaps in security policy capability adoption.
Heatmaps help identify devices, zones, and areas where you can improve security policy capability adoption. You can review adoption information by Device Group, Serial Number & Vsys, Zones, Areas of Architecture, and Tags.
Use Column Filters to filter on device groups, devices, zones, areas of architecture, and tags to narrow the scope and identify gaps.
[Image: heatmaps.png]
In the Heatmap’s Security Profile Adoption Summary, check the adoption rates of the following capabilities and use the recommendations as gap identification criteria—if the actual adoption rate doesn’t match the recommendations, plan to close the gap:
[Image: security-profile-adoption-summary.png]
  • Apply WildFire, Antivirus, Anti-Spyware, Vulnerability Protection, and File Blocking security profiles to all allow rules, with a target of 100% or almost 100% adoption. If you don’t apply a profile to an allow rule, ensure there is a good business reason not to apply the profile.
    Configuring security profiles on all allow rules enables the firewall to inspect all decrypted traffic for threats, regardless of application or service/port. After updating the configuration, run the BPA to measure progress and to catch new rules that don’t have security profiles attached.
    You can apply WildFire profiles to rules without a WildFire license. Coverage is limited to PE files, but this still provides useful visibility into unknown malicious files.
  • In the Anti-Spyware profile, apply DNS Sinkhole to all rules to prevent compromised internal hosts from sending DNS queries for malicious and custom domains, to identify and track the potentially compromised hosts, and to avoid gaps in DNS inspection. Enabling DNS Sinkhole protects your network without affecting availability, so you can and should enable it right away.
  • Apply URL Filtering and Credential Theft (phishing) Protection to all outbound internet traffic.
In the Heatmap’s Application & User Control Adoption Summary, check the adoption rates of the following capabilities. Use the recommendations as gap identification criteria—if the actual adoption rate doesn’t match the recommendations, plan to close the gap:
[Image: application-and-user-control-adoption-summary.png]
  • Apply App-ID to as close to 100% of the rules as possible. Apply User-ID to all rules with source zones or address ranges that have a user presence (some zones may not have user sources; for example, sources in data center zones should be servers and not users). Leverage App-ID and User-ID to create whitelist (allow rule) policies that give the appropriate users access to sanctioned (and tolerated) applications. Explicitly block malicious and unwanted applications.
  • Target 100% or close to 100% service/port adoption—don’t allow applications on non-standard ports unless there’s a good business reason for it.
In the Heatmap’s Logging & Zone Protection Adoption Summary, check the adoption rates of the following capabilities. Use the recommendations as gap identification criteria—if the actual adoption rate doesn’t match the recommendations, plan to close the gap:
[Image: logging-and-zone-protection-adoption-summary.png]
  • Target at or close to 100% adoption for Logging and Log Forwarding.
  • Configure Zone protection profiles on all zones.
In summary:

  Feature                             Adoption Goal
  WildFire                            As close to 100% of Security policy rules as possible
  Antivirus                           As close to 100% of Security policy rules as possible
  Anti-Spyware                        As close to 100% of Security policy rules as possible
  Vulnerability                       As close to 100% of Security policy rules as possible
  File Blocking                       As close to 100% of Security policy rules as possible
  URL Filtering and Credential Theft  All outbound internet traffic
  App-ID                              As close to 100% of Security policy rules as possible
  User-ID                             All rules with source zones or address ranges that have a user presence
  Service/port                        As close to 100% of Security policy rules as possible
  Logging                             As close to 100% of Security policy rules as possible
  Log Forwarding                      As close to 100% of Security policy rules as possible
  Zone protection                     All zones
Use Column Filters to narrow the scope. Use the resulting information to identify gaps in security policy capability, measure against gap identification criteria, and refine or establish new gap identification criteria for further investigation. For example, to create a filter that displays adoption of rules that control traffic to the internet Area of Architecture:
  1. In the Heatmaps section of the BPA, click Areas of Architecture.
  2. Click Column Filters to expand the filter options.
  3. Set the Destination Area of Architecture to Internet.
  4. Click Apply Filters.
     The BPA filters the results:
     [Image: heatmap-column-filters-example.png]
     Interpret the results based on your security goals and criteria. For example, if your goal is to apply WildFire to 100% of your allow rules, the filtered Heatmap reveals that only 50% of your DMZ allow rules have WildFire profiles, so you have identified a gap to target for improvement.
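The adoption checks described in the three summaries above, and the destination-zone narrowing that Column Filters perform, can be expressed as a small script. The following Python is an added example, not part of this page and not Palo Alto Networks' BPA code: it parses a constructed rulebase whose element names are modeled on the PAN-OS security-rule XML schema (the rule names, zones, users and service object `tcp-22` are made up), computes the per-capability adoption rate over allow rules, and reports every capability that falls short of the 100% goal. Assumptions are marked in the comments: `trust` is the only zone with a user presence, `untrust` is the internet-facing zone, and a rule that references a profile group is counted as carrying every profile type.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <security><rules> section of a PAN-OS
# configuration (element names follow the PAN-OS schema; rules, zones and
# object names are invented for this example).
SAMPLE_RULES_XML = """<rules>
  <entry name="trust-to-internet">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source-user><member>corp\\employees</member></source-user>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service><action>allow</action>
    <profile-setting><profiles>
      <virus><member>default</member></virus><spyware><member>strict</member></spyware>
      <vulnerability><member>strict</member></vulnerability><url-filtering><member>default</member></url-filtering>
      <file-blocking><member>basic</member></file-blocking><wildfire-analysis><member>default</member></wildfire-analysis>
    </profiles></profile-setting>
    <log-end>yes</log-end><log-setting>default</log-setting>
  </entry>
  <entry name="trust-to-dmz-web">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <source-user><member>any</member></source-user>
    <application><member>web-browsing</member></application>
    <service><member>any</member></service><action>allow</action>
    <profile-setting><profiles>
      <virus><member>default</member></virus><spyware><member>strict</member></spyware>
      <vulnerability><member>strict</member></vulnerability><file-blocking><member>basic</member></file-blocking>
    </profiles></profile-setting>
    <log-end>yes</log-end>
  </entry>
  <entry name="dc-to-dmz-backup">
    <from><member>dc</member></from><to><member>dmz</member></to>
    <source-user><member>any</member></source-user>
    <application><member>any</member></application>
    <service><member>tcp-22</member></service><action>allow</action>
    <log-end>no</log-end>
  </entry>
  <entry name="block-p2p">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source-user><member>any</member></source-user>
    <application><member>bittorrent</member></application>
    <service><member>application-default</member></service><action>deny</action>
  </entry>
</rules>"""

PROFILE_TYPES = {  # Heatmap column -> element under <profile-setting><profiles>
    "WildFire": "wildfire-analysis", "Antivirus": "virus", "Anti-Spyware": "spyware",
    "Vulnerability": "vulnerability", "File Blocking": "file-blocking",
}

def _members(entry, path):
    return [m.text for m in entry.findall(path + "/member")]

def parse_rules(xml_text):
    """Reduce each <entry> to the fields the adoption checks look at."""
    rules = []
    for e in ET.fromstring(xml_text).findall("entry"):
        profiles = e.find("profile-setting/profiles")
        # Assumption: a rule using a profile group counts as having every profile
        # type (a real check would resolve the group's members).
        grouped = e.find("profile-setting/group/member") is not None
        def has(p):
            return grouped or (profiles is not None and profiles.find(p) is not None)
        rules.append({
            "name": e.get("name"), "action": e.findtext("action"),
            "from": _members(e, "from"), "to": _members(e, "to"),
            "users": _members(e, "source-user"), "apps": _members(e, "application"),
            "services": _members(e, "service"),
            "profiles": {p for p in PROFILE_TYPES.values() if has(p)},
            "url_filtering": has("url-filtering"),
            "log_end": e.findtext("log-end") == "yes",
            "log_forwarding": e.findtext("log-setting") is not None,
        })
    return rules

def _rate(rules, check):
    if not rules:
        return None  # nothing in scope, so no gap to report
    return round(100.0 * sum(1 for r in rules if check(r)) / len(rules), 1)

def adoption(rules, user_zones=frozenset({"trust"}), internet_zones=frozenset({"untrust"}), dst_zone=None):
    """Percent adoption per capability over allow rules. dst_zone narrows the
    scope to rules whose destination includes that zone, like a Column Filter."""
    allow = [r for r in rules if r["action"] == "allow"
             and (dst_zone is None or dst_zone in r["to"])]
    checks = {name: (lambda r, p=p: p in r["profiles"]) for name, p in PROFILE_TYPES.items()}
    checks.update({
        "App-ID": lambda r: "any" not in r["apps"],
        "Service/port": lambda r: "any" not in r["services"],
        "Logging": lambda r: r["log_end"],
        "Log Forwarding": lambda r: r["log_forwarding"],
    })
    rates = {name: _rate(allow, check) for name, check in checks.items()}
    # Goals that apply only to a subset of rules (see the summary table above).
    rates["User-ID"] = _rate([r for r in allow if set(r["from"]) & user_zones],
                             lambda r: "any" not in r["users"])
    rates["URL Filtering"] = _rate([r for r in allow if set(r["to"]) & internet_zones],
                                   lambda r: r["url_filtering"])
    return rates

def gaps(rates, goal=100.0):
    """Capabilities whose measured adoption falls short of the goal."""
    return {n: v for n, v in rates.items() if v is not None and v < goal}

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_XML)
    for scope in (None, "dmz"):
        print(f"--- destination zone: {scope or 'all'} ---")
        for name, pct in gaps(adoption(rules, dst_zone=scope)).items():
            print(f"{name:15s} {pct:5.1f}%  (goal 100%)")
```

Deny rules are excluded from every rate because the profile goals apply to allow rules; User-ID and URL Filtering are measured only over the rules their goal covers, so a scope with no such rules yields `None` rather than a false gap. Running with `dst_zone="dmz"` reproduces the narrowing shown in the filter example: WildFire adoption on DMZ-bound allow rules drops to 0%, while URL Filtering correctly reports nothing in scope.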
