Identify Gaps in Adoption
Discover weaknesses in security capability adoption using the Best Practice Assessment tool.
The Heatmap shows where your security policy is strong and where there are gaps in security policy capability adoption that you can focus on improving. To gain maximum visibility into traffic and maximum protection against attacks, set goals for security capability adoption and use the following recommendations as a best practice baseline. Assess your current posture against the baseline to identify gaps in security policy capability adoption.

Heatmaps help identify devices, zones, and areas where you can improve security policy capability adoption. You can review adoption information by Device Group, Serial Number & Vsys, Zones, Areas of Architecture, and Tags.

Column Filters filter on device groups, devices, zones, areas of architecture, and tags to narrow the scope and identify gaps.
In the Heatmap’s Security Profile Adoption Summary, check the adoption rates of the following capabilities and use the recommendations as gap identification criteria—if the actual adoption rate doesn’t match the recommendations, plan to close the gap:

- Apply WildFire, Antivirus, Anti-Spyware, Vulnerability Protection, and File Blocking security profiles to all allow rules, with a target of 100% or almost 100% adoption. If you don’t apply a profile to an allow rule, ensure there is a good business reason not to apply the profile. Configuring security profiles on all allow rules enables the firewall to inspect all decrypted traffic for threats, regardless of application or service/port. After updating the configuration, run the BPA to measure progress and to catch new rules that don’t have security profiles attached. You can apply WildFire profiles to rules without a WildFire license. Coverage is limited to PE files, but this still provides useful visibility into unknown malicious files.
- In the Anti-Spyware profile, apply DNS Sinkhole to all rules to prevent compromised internal hosts from sending DNS queries for malicious and custom domains, to identify and track the potentially compromised hosts, and to avoid gaps in DNS inspection. Enabling DNS Sinkhole protects your network without affecting availability, so you can and should enable it right away.
- Apply URL Filtering and Credential Theft (phishing) Protection to all outbound internet traffic.
In the Heatmap’s Application & User Control Adoption Summary, check the adoption rates of the following capabilities. Use the recommendations as gap identification criteria—if the actual adoption rate doesn’t match the recommendations, plan to close the gap:

- Apply App-ID to as close to 100% of the rules as possible. Apply User-ID to all rules with source zones or address ranges that have a user presence (some zones may not have user sources; for example, sources in data center zones should be servers and not users). Leverage App-ID and User-ID to create whitelist (allow rule) policies that allow appropriate users to access sanctioned (and tolerated) applications. Explicitly block malicious and unwanted applications.
- Target 100% or close to 100% service/port adoption—don’t allow applications on non-standard ports unless there’s a good business reason for it.
In the Heatmap’s Logging & Zone Protection Adoption Summary, check the adoption rates of the following capabilities. Use the recommendations as gap identification criteria—if the actual adoption rate doesn’t match the recommendations, plan to close the gap:

- Target at or close to 100% adoption for Logging and Log Forwarding.
- Configure Zone protection profiles on all zones.
In summary:

Feature | Adoption Goal |
---|---|
WildFire | As close to 100% of Security policy rules as possible |
Antivirus | As close to 100% of Security policy rules as possible |
Anti-Spyware | As close to 100% of Security policy rules as possible |
Vulnerability | As close to 100% of Security policy rules as possible |
File Blocking | As close to 100% of Security policy rules as possible |
URL Filtering and Credential Theft | All outbound internet traffic |
App-ID | As close to 100% of Security policy rules as possible |
User-ID | All rules with source zones or address ranges that have a user presence |
Service/port | As close to 100% of Security policy rules as possible |
Logging | As close to 100% of Security policy rules as possible |
Log Forwarding | As close to 100% of Security policy rules as possible |
Zone protection | All zones |
Use Column Filters to narrow the scope. Use the resulting information to identify gaps in security policy capability, measure against gap identification criteria, and refine or establish new gap identification criteria for further investigation. For example, to create a filter that displays adoption of rules that control traffic to the Internet Area of Architecture:

- In the Heatmaps section of the BPA, click Areas of Architecture.
- Click Column Filters to expand the filter options.
- Set the Destination Area of Architecture to Internet.
- Click Apply Filters. The BPA filters the results.

Interpret the results based on your security goals and criteria. For example, if your goal is to apply WildFire to 100% of your allow rules, the filtered Heatmap reveals that only 50% of your DMZ allow rules have WildFire profiles, so you have identified a gap to target for improvement.

Next: Identify Rules to Improve.
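The filter-then-measure workflow above and the goals in the summary table, as an added worked example that is not part of this page or of the BPA tool: a Python script that computes per-source-zone adoption rates of the five security profiles over a constructed, simplified rulebase, restricts the view to one destination Area of Architecture (the equivalent of the Column Filter), and lists every zone/profile pair below its goal. The rule field names (`action`, `src_zone`, `dst_area`, `profiles`) and the sample rules are assumptions made for this illustration, not the PAN-OS configuration schema or the BPA export format. Deny rules are left out of the denominator, since a profile only inspects traffic the firewall allows, and a zone with no allow rules in the filtered set is omitted rather than shown as 0%, so a division by zero never masquerades as a gap.

```python
"""Heatmap-style adoption measurement over a constructed rulebase.

Constructed example: the rule records and field names below are a hand-made
simplification for illustration, not the PAN-OS schema or the BPA's data.
"""
from collections import defaultdict

# The five profiles the page says belong on every allow rule, each with the
# summary-table goal of (as close as possible to) 100% adoption.
ALL_PROFILES = ("wildfire", "antivirus", "anti-spyware", "vulnerability", "file-blocking")
PROFILE_GOALS = {p: 1.0 for p in ALL_PROFILES}

# Constructed sample rulebase (assumed field names, not real configuration).
SAMPLE_RULES = [
    {"name": "dmz-web-out", "action": "allow", "src_zone": "dmz", "dst_area": "internet",
     "profiles": set(ALL_PROFILES)},
    {"name": "dmz-ntp-out", "action": "allow", "src_zone": "dmz", "dst_area": "internet",
     "profiles": {"antivirus", "anti-spyware"}},
    {"name": "dmz-block-p2p", "action": "deny", "src_zone": "dmz", "dst_area": "internet",
     "profiles": set()},
    {"name": "users-web-out", "action": "allow", "src_zone": "users", "dst_area": "internet",
     "profiles": set(ALL_PROFILES)},
    {"name": "users-saas-out", "action": "allow", "src_zone": "users", "dst_area": "internet",
     "profiles": set(ALL_PROFILES)},
    {"name": "users-to-dc", "action": "allow", "src_zone": "users", "dst_area": "data-center",
     "profiles": {"antivirus"}},
]


def filter_rules(rules, **criteria):
    """Keep rules whose fields equal every given criterion (the Column Filter step)."""
    return [r for r in rules if all(r.get(k) == v for k, v in criteria.items())]


def adoption_by_zone(rules, profiles=ALL_PROFILES):
    """Per source zone, the fraction of allow rules carrying each profile.

    Deny rules are excluded because profiles only inspect allowed traffic.
    Zones with no allow rules in the filtered set are omitted, not reported as 0%.
    """
    allow_by_zone = defaultdict(list)
    for r in rules:
        if r["action"] == "allow":
            allow_by_zone[r["src_zone"]].append(r)
    adoption = {}
    for zone, zone_rules in allow_by_zone.items():
        total = len(zone_rules)
        adoption[zone] = {
            p: sum(1 for r in zone_rules if p in r["profiles"]) / total for p in profiles
        }
    return adoption


def find_gaps(adoption, goals):
    """Return (zone, profile, actual_rate, goal) for every rate below its goal, worst first."""
    gaps = [
        (zone, p, rate, goals[p])
        for zone, rates in adoption.items()
        for p, rate in rates.items()
        if p in goals and rate < goals[p]
    ]
    return sorted(gaps, key=lambda g: (g[2], g[0], g[1]))


def report(rules, **criteria):
    """Filter, measure and print a heatmap-style table; returns the list of gaps."""
    subset = filter_rules(rules, **criteria)
    adoption = adoption_by_zone(subset)
    for zone, rates in sorted(adoption.items()):
        cells = "  ".join(f"{p}={rate:>4.0%}" for p, rate in rates.items())
        print(f"{zone:<8} {cells}")
    gaps = find_gaps(adoption, PROFILE_GOALS)
    for zone, p, rate, goal in gaps:
        print(f"GAP: {zone} {p} at {rate:.0%}, goal {goal:.0%}")
    return gaps


if __name__ == "__main__":
    # Mirrors the page's scenario: destination Area of Architecture = Internet.
    report(SAMPLE_RULES, dst_area="internet")
```

Run as-is, the report reproduces the situation the text describes: the DMZ zone shows WildFire at 50% of its Internet-bound allow rules (along with Vulnerability Protection and File Blocking), while the users zone meets every goal. Against a real deployment the sample list would be replaced by rules exported from the firewall through a parser for that export format; the measurement and gap logic stay the same.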