Review the Adoption Summary

Use the Best Practice Assessment tool to measure adoption of security capabilities such as Security profiles, App-ID, User-ID, Logging, Zone Protection, and Decryption.
After you or your Palo Alto Networks representative runs the BPA, the resulting HTML report opens on the Heatmap page, in the Adoption Summary. The Adoption Summary view provides an overview of your device’s overall adoption of security capabilities. The report shows the current adoption percentage for each metric (except Industry Average, which provides the adoption averages in your industry to compare against your adoption), and in parentheses, the percentage change in adoption since the last time you ran the BPA on the device’s configuration file (or
No change
if the value is the same as the last time you ran the BPA).
security-profile-adoption-summary.png
Overall Adoption
—Adoption of Security profiles in Security policy allow rules. Percentages are based on the number of allow rules that have one or more profiles enabled as part of the rule. The BPA doesn’t count disabled rules or block rules.
Industry Average
—Average adoption of Security profiles in allow rules for your company’s industry.
Best Practice Mode
—Adoption of Security profiles configured in the recommended best practice manner in allow rules. The BPA only counts rules with profiles that pass all best practice checks.
application-and-user-control-adoption-summary.png
App-ID Adoption
—Adoption of App-ID across Security policy rules. The percentage value is based on the total number of allow rules with one or more defined application (the Application is not
any
). The BPA doesn’t count disabled rules.
User-ID Adoption
—Adoption of User-ID across Security policy rules. The percentage value is based on the total number of allow rules with users (including the values
known-user
and
unknown
) or user groups. The BPA doesn’t count disabled rules.
Service/Port Adoption
—Adoption of service/port across Security policy rules. The percentage value is based on the total number of allow rules with a defined service or port (the Service is not
any
). The BPA doesn’t count disabled rules.
The BPA doesn’t count App-ID, User-ID, or Service/Port adoption for block rules because the rationale for blocking differs from business to business, so the BPA can’t make recommendations based on block rules.
logging-and-zone-protection-adoption-summary.png
Logging Adoption
—Adoption of
Log at Session End
across Security policy rules. The percentage value is based on the total number of rules with
Log at Session End
enabled. The BPA doesn’t count disabled rules.
Log Forwarding Adoption
—Adoption of Log Forwarding profiles across Security policy rules. The percentage value is based on the total number of rules with a Log Forwarding profile configured. The BPA doesn’t count disabled rules.
Zone Protection Adoption
—Adoption of Zone protection across Security policy allow rules. The percentage value is based on the total number of allow rules in which the source zone has a Zone Protection profile configured. The BPA doesn’t count disabled rules.
For each of these metrics, the value in parentheses next to each percentage is the percentage change in adoption since the last time you ran the BPA on the device’s configuration file (or
No change
if the value is the same as the last time you ran the BPA).
decryption-summary.png
Decryption Summary
—Shows if the configuration includes Decryption policy rules for SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy. The summary also shows if the configuration includes Decryption profiles and identifies URL categories that the device exempts from decryption.
If you don’t decrypt a URL category, you can’t inspect its traffic because the firewall can’t see what’s inside the encrypted traffic. The firewall can only inspect traffic you decrypt.
Next: Identify Gaps in Adoption to understand where you can improve security.

Recommended For You