On-Demand BPA Report
Next-Generation Firewall

Provides an overview of the On-Demand BPA report.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Free (use the AIOps for NGFW Free app)
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
You can now run the Best Practice Assessment (BPA) and Feature Adoption summary directly from Strata Cloud Manager. Just upload a Tech Support File (TSF). You can generate the on-demand BPA report for devices that are not sending telemetry data or are not onboarded to AIOps for NGFW.
The BPA evaluates your security posture against Palo Alto Networks best practices and prioritizes improvements for devices. Security best practices prevent known and unknown threats, reduce the attack surface, and provide visibility into traffic, so you can know and control which applications, users, and content are on your network. Additionally, best practices include checks for the Center for Internet Security’s Critical Security Controls (CSC). See the best practices guidance to bolster security posture and implement improvements.

Can I Still Generate BPA Reports from the Customer Support Portal?

Transition to the new method of generating Best Practice Assessment reports.
Before AIOps existed, you went to the Customer Support Portal to access and run the BPA. Today, the preferred way to generate and download the Best Practice Assessment report for NGFW/Panorama Managed Prisma Access is from AIOps.
After July 17, 2023, you'll no longer be able to access and run the BPA from the Customer Support Portal.
  1. Go to the Hub and activate AIOps for NGFW. It’s free. You can activate without Cortex Data Lake if you don’t want to onboard devices with telemetry enabled at this time.
    The best practices dashboard, security alerts, and adoption summary features are not available for devices onboarded without Cortex Data Lake or telemetry enabled.
  2. Log in to your activated instance of AIOps for NGFW. You’ll see the following tabs, even without Cortex Data Lake:
    • Posture
    • Activity
    • Settings
  3. Go to On Demand BPA.
  4. Select Generate New BPA Report to upload a valid TSF from a device running PAN-OS version 9.1 or higher.
  5. Select View Report after the TSF is processed to view the generated BPA report from your device.
