Review Best Practice Policy Configuration

Use the Best Practice Assessment (BPA) tool to check your policy (security, decryption, DoS, etc.) configuration to identify weaknesses you can improve.
The Policies tab shows all checks related to different types of firewall policies. Select the type of policy you want to review to identify potential rule improvements. The Security policy view displays rule-based check results (Security Rule Checks).
Click Show Filters to configure filters that narrow the results to rules that failed one or more particular checks. You can Export Data to export the list to a .csv file for remediation analysis.
Click help to view the description of and rationale for each check, along with a link to technical documentation about the capability each check examines.
Below the Security Rule Checks, the Security Rulebase Checks summarize the best practice check results by device group, with a pass/fail status and recommendations for what to do about failed checks. Click help to view the description of and rationale for each result, along with a link to technical documentation.
When you review Policy information, at a minimum, review the following items to help understand the scope of policy remediation (switch between views):
  • Security—Identify rules that fail the Source/Destination !=any/any check.
  • Security—Identify rules that fail the App-ID with Service check.
  • Security—Identify User-ID rules that fail the User-ID Rules without User ID enabled on Zone check.
  • Decryption Rulebase—Review the SSH Proxy decryption checks.
  • Decryption—Each Decryption policy rule should have an associated Decryption profile.
  • Application Override—Application Override rules that use a simple custom application bypass Layer 7 inspection for matching traffic. Reduce or eliminate Application Override rules that use a simple custom application so you can improve visibility into traffic and inspect the applications and content these rules control.
