Focus

Strata Cloud Manager

Built-In Best Practices in Strata Cloud Manager

Table of Contents

Built-In Best Practices in Strata Cloud Manager

Best practices checks are built right in so that you can get a live evaluation of your configuration.

Where Can I Use This?	What Do I Need?
Prisma Access (Cloud Managed) Prisma Access (Panorama Managed) NGFW (PAN-OS or Panorama Managed) NGFW (Cloud Managed) VM-Series, funded with Software NGFW Credits Prisma SD-WAN	You must have at least one of these licenses to use `Strata Cloud Manager`: `Prisma Access` AIOps for NGFW Premium Prisma SD-WAN → See all licenses that enable additional`Strata Cloud Manager` features and capabilities

Palo Alto Networks best practices are designed to help you get the most secure network possible by streamlining the process of checking compliance on your network infrastructure. We’ve built best practice checks directly in to Strata Cloud Manager, so that you can get a live evaluation of your configuration. Tighten your security posture by aligning with best practices. You can leverage Strata Cloud Manager to assess your Panorama, NGFW, and Panorama Managed Prisma Access security configurations against best practices and remediate failed best practice checks.

Best practice guidance aims to help you bolster your security posture, but also to help you manage your environment efficiently and to best enable user productivity. Continually assess your configuration against these inline checks—and when you see an opportunity to improve your security, take action then and there.

Visibility into Best Practice Adoption and Compliance

To get started, you can quickly assess your overall security posture by checking the following Posture

Dashboards

See how you’re doing at a high-level and pinpoint areas where you might want to start taking action.

Check the Dashboard: Best Practices dashboard for daily best practices reports, and their mapping to the Center for Internet Security’s Critical Security Controls (CSC) checks, to help you identify areas where you can make changes to improve your best practices compliance. Share the best practice report as a PDF and schedule it to be regularly delivered to your inbox.

Check the Compliance Summary dashboard to view a history of changes to the security checks made up to 12 months in the past, grouped together by the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) frameworks.

Monitor Dashboard: NGFW Feature Adoption and stay abreast of which security features you’re using in your deployment and potential gaps in coverage.

Monitor Dashboard: CDSS Adoption - View security services or feature subscriptions and their license usage in your devices to identify security gaps and harden the security posture of your enterprise.

Get visibility into the security status and trend of your deployment based on the security postures of the onboarded NGFW devices with Dashboard: Security Posture Insights and be alerted when incidents occur or your security settings may need a closer look.

Generate BPA reports for (non-telemetry) PAN-OS devices running versions 9.1 and above, now including feature adoption metrics.

Best Practice Tools to Strengthen Security Posture

Find a collection of tools to help you improve your security posture.

Customize security posture checks for your deployment to maximize relevant recommendations in Security Posture Settings

Use Config Cleanup to identify and remove unused configuration objects and policy rules.

Configure Policy Optimizer Settings to hone and optimize overly permissive security rules so that they only allow applications that are actually in use in your network.

Create your own Compliance Checks – Customize existing best practice checks and create and manage special exemptions to better align to your organization’s business requirements.

Use Policy Analyzer to quickly ensure that updates you make to your Security policy rules meet your requirements and don't introduce errors or misconfigurations (such as changes that result in duplicate or conflicting rules).

Live, Inline Best Practice Configuration Checks

Best Practice Scores

Best practice scores are displayed on a feature dashboard (Security policy, decryption, or URL Access Control, for example). These scores give you a quick view into your best practice progress. At a glance, you can identify areas for further investigation or where you want to take action to improve your security posture.

Best Practice Field Checks

Field-level checks show you exactly where your configuration does not align with a best practice. Best practice guidance is provided inline, so you can immediately take action.

Best Practice Assessment

Here, you can get a comprehensive view into how your implementation of a feature aligns with best practices. Examine failed checks to see where you can make improvements (you can also review passed checks). Rulebase checks highlight configuration changes you can make outside of individual rules, for example to a policy object that is used across several rules.

Best practice checks are available for:

Your security policy rulebase

Rulebase checks look at how security policy is organized and managed, including configuration settings that apply across many rules.

Security rules

Security profiles

Anti-Spyware

Vulnerability Protection

WildFire and Antivirus

URL Access Management

DNS Security

Authentication

Decryption

GlobalProtect

Looking for more on Palo Alto Networks best practices?

Here’s the best practices homepage, where you can find resources to help you transition to and implement best practices.

Get Started with Strata Cloud Manager

Dashboards in Strata Cloud Manager