Run the BPA to measure security best practice adoption
on your firewalls and to prioritize actions to take to increase
security by applying best practices.

Palo Alto Networks’ Best Practice Assessment (BPA) uses your Tech
Support File to analyze Panorama and next-generation firewall
configuration settings and compares the configuration to Palo Alto
Networks best practices. The BPA shows the current state of best
practice security adoption and suggests specific changes to align
the configuration with security best practices. Running the BPA not
only gives you an understanding of where to improve your security
posture, it also sets a baseline for later comparison and provides
links to technical documentation that shows you how to transition
the BPA’s recommendations into a best practice configuration.

In Panorama-managed environments, Panorama may manage large numbers
of next-generation firewalls. Should you run the BPA on Panorama or
on each individual firewall? The tradeoffs are:

Running the BPA on Panorama is fast, convenient, and assesses most
of the capabilities of the managed firewalls, but does not examine
local firewall overrides.

Running the BPA on each managed firewall assesses the complete
configuration (including local overrides) but takes much more time.

The most practical method is to run the BPA on Panorama first.
Examine the results, decide if you need to focus on any particular
managed devices, and then run the BPA on those devices. This method
saves time while still focusing on relevant information that enables
you to improve your security posture.

Using an iterative, prioritized approach, you can transform your
security posture to a best practice state, one step at a time,
measuring progress as you go at your pace and level of comfort: