Built-In Best Practices in Strata Cloud Manager

Strata Cloud Manager

Built-In Best Practices in Strata Cloud Manager

Table of Contents

Built-In Best Practices in Strata Cloud Manager

Best practices checks are built right in so that you can get a live evaluation of your configuration.
Where Can I Use This?
What Do I Need?
  • Strata Cloud Manager
  • Prisma Access
  • AIOps for NGFW Premium
  • AIOps for NGFW Free
Palo Alto Networks best practices are designed to help you get the securest network possible by streamlining the process of checking compliance on your network infrastructure. We’ve built best practice checks directly in to
Strata Cloud Manager
, so that you can get a live evaluation of your configuration. Tighten security posture by aligning with best practices. You can leverage
Strata Cloud Manager
to assess your Panorama, NGFW, and Panorama-managed Prisma Access security configurations against best practices and remediate failed best practice checks.
Best practice guidance aims to help you bolster your security posture, but also to help you manage your environment efficiently and to best enable user productivity. Continually assess your configuration against these inline checks—and when you see an opportunity to improve your security, take action then and there.
There are several different views
Strata Cloud Manager
provides you into your best practice adoption:


To get started, you can quickly assess your overall security posture by checking the following Posture
See how you’re doing at a high-level and pinpoint areas where you might want to start taking action.
  • Check the Dashboard: Best Practices dashboard for daily best practices reports, and their mapping to Center for Internet Security’s Critical Security Controls (CSC) checks, to help you identify areas where you can make changes to improve your best practices compliance. Share the best practice report as a PDF and schedule it to be regularly delivered to your inbox.
  • Check the Compliance Summary dashboard to view a history of changes to the security checks made up to 12 months in the past, grouped together by Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) frameworks.
  • Monitor Dashboard: NGFW Feature Adoption and stay abreast of which security features you’re using in your deployment and potential gaps in coverage.
  • Monitor Dashboard: CDSS Adoption - View security services or feature subscriptions and their license usage in your devices to identify security gaps and harden the security posture of your enterprise.
  • Get visibility into the security status and trend of your deployment based on the security postures of the onboarded NGFW devices with Dashboard: Security Posture Insights and be alerted when incidents occur or your security settings may need a closer look.
  • Generate BPA reports for (non-telemetry) PAN-OS devices running versions 9.1 and above, now including feature adoption metrics. If you’ve been using the BPA standalone tool to generate BPA reports, you might be wondering “Can I still Generate BPA Reports from the Customer Support Portal?” We’ve got you covered as well.

Security Posture

Find a collection of tools to help you improve your security posture.
  • Customize security posture checks for your deployment to maximize relevant recommendations in Manage: Panorama-Managed Settings
  • Use Config Cleanup to identify and remove unused configuration objects and policy rules.
  • Configure Policy Optimizer Settings to hone and optimize overly permissive security rules so that they only allow applications that are actually in use in your network.
  • Create your own Manage: Compliance Checks – Customize existing best practice checks and create and manage special exemptions to better align to your organization’s business requirements.
  • Use Manage: Policy Analyzer to quickly ensure that updates you make to your security policy rules meet your requirements and do not introduce errors or misconfigurations (such as changes that result in duplicate or conflicting rules).

In Your Security Policy Workflow

Get best-practice-based feedback about how your security policy is organized and managed, including configuration settings that apply across many rules.
  • Best Practice Scores
    Best practice scores are displayed on a feature dashboard (security policy, decryption, or URL Access Control, for example). These scores gives you a quick view into your best practice progress. At a glance, you can identify areas for further investigation or where you want to take action to improve your security posture.
  • Best Practice Field Checks
    Field-level checks show you exactly where your configuration does not align with a best practice. Best practice guidance is provided inline, so you can immediately take action.
  • Best Practice Assessment
    Here you can get a comprehensive view into how your implementation of feature aligns with best practices. Examine failed checks to see where you can make improvements (you can also review passed checks). Rulebase checks highlight configuration changes you can make outside of individual rules, for example to a policy object that is used across several rules.
Looking for more on Palo Alto Networks best practices?
Here’s the best practices homepage, where you can find resources to help you transition to and implement best practices.

Recommended For You