Use the Best Practice Assessment (BPA) tool to check
the configuration of objects (Security and Decryption profiles, Tags,
etc.) and identify weaknesses to improve.
shows all checks related to different types of firewall objects.
Select the type of object you want to review to understand the existing
configuration and to identify potential gaps in best practice configuration
related to Tags, GlobalProtect, Security profiles, Log Forwarding, and
Decryption profiles. The following example shows the result for
an Antivirus Security profile.
For each profile, the report shows the current configuration
and how many rules use the profile. The report shows the best practice
check results below the current configuration with pass/fail status
and recommendations for failed best practice checks. Click help
for the rationale for each check and links to best practice documentation.
When one or more checks fail, the profile title turns red. The
report lists profiles that aren’t in use at the bottom with a yellow

When you review the tab, at a
minimum, review the following items to help understand the potential
scope of remediation:
for both Antivirus and WildFire.
—Strict Profile, DNS Sinkhole.
—Whether known bad categories are blocked.
—Profile File Types (all types should be sent to WildFire for analysis).
—Whether all log types are forwarded (forward all log types).