Identify and Prioritize Best Practices

Run the BPA to measure security best practice adoption on your firewalls and to prioritize actions to take to increase security by applying best practices.
Palo Alto Networks’ Best Practice Assessment (BPA) uses your Tech Support File to analyze Panorama and next-generation firewall configuration settings and compares the configuration to Palo Alto Networks best practices. The BPA shows the current state of best practice security adoption and suggests specific changes to align the configuration with security best practices. Running the BPA not only gives you an understanding of where to improve your security posture, it also sets a baseline for later comparison and provides links to technical documentation that shows you how to transition the BPA’s recommendations into a best practice configuration.
In Panorama-managed environments, Panorama may manage large numbers of next-generation firewalls. Should you run the BPA on Panorama or on each individual firewall? The tradeoffs are:
  • Running the BPA on Panorama is fast, convenient, and assesses most of the capabilities of the managed firewalls, but does not examine local firewall overrides.
  • Running the BPA on each managed firewall assesses the complete configuration (including local overrides) but takes much more time.
The most practical method is to run the BPA on Panorama first. Examine the results, decide if you need to focus on any particular managed devices, and then run the BPA on those devices. This method saves time while still focusing on relevant information that enables you to improve your security posture.
Using an iterative, prioritized approach, you can transform your security posture to a best practice state, one step at a time, measuring progress as you go at your pace and level of comfort:
  1. Run an on-demand BPA or check the Best Practices Dashboards in Strata Cloud Manager to see and assess your current best practices security state.
  2. Identify and prioritize the first area of improvement to begin the transition to best practices.
    Whether your Palo Alto Networks SE or partner runs the BPA or you run the BPA, your SE or partner can help you formulate a prioritized plan to safely phase in best practices. Plan to start with the safest, easiest, highest impact changes first, such as applying Antivirus, Anti-Spyware, Vulnerability Protection, and WildFire Analysis profiles to your Security policy allow rules.
  3. Use the BPA’s links to technical documentation to configure the best practices you prioritize.
  4. After you implement the first set of best practice changes, check the Best Practices Dashboards or run the BPA again to measure progress, help verify that the changes work as expected, and identify the next area of improvement to prioritize.
  5. Repeat the process until you reach your security best practices goals.
  6. Get started now!
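
A rough pre-check for the first change suggested in step 2, as an added example that is not part of the BPA or of Palo Alto Networks' own code: it lists Security policy allow rules that lack any of the four profile types. It assumes an XML export of the security rulebase that uses the PAN-OS element names `virus`, `spyware`, `vulnerability` and `wildfire-analysis`; the sample rules and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# PAN-OS XML element names for the four profile types named in step 2.
REQUIRED = {
    "virus": "Antivirus",
    "spyware": "Anti-Spyware",
    "vulnerability": "Vulnerability Protection",
    "wildfire-analysis": "WildFire Analysis",
}

# Constructed sample rulebase (not taken from a real device).
SAMPLE = """
<security><rules>
  <entry name="web-out"><action>allow</action>
    <profile-setting><profiles>
      <virus><member>av-strict</member></virus>
      <spyware><member>as-strict</member></spyware>
    </profiles></profile-setting></entry>
  <entry name="dns-out"><action>allow</action></entry>
  <entry name="app-tier"><action>allow</action>
    <profile-setting><group><member>pg-best-practice</member></group></profile-setting></entry>
  <entry name="block-quic"><action>deny</action></entry>
</rules></security>
"""

def missing_profiles(rulebase_xml):
    """Return {rule name: [missing profile types]} for allow rules only."""
    findings = {}
    for rule in ET.fromstring(rulebase_xml).findall(".//rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # profiles only inspect traffic that a rule allows
        if rule.find("profile-setting/group/member") is not None:
            continue  # profile group attached; its contents are not in this export
        attached = {tag for tag in REQUIRED
                    if rule.find(f"profile-setting/profiles/{tag}/member") is not None}
        gaps = [label for tag, label in REQUIRED.items() if tag not in attached]
        if gaps:
            findings[rule.get("name")] = gaps
    return findings

def prioritize(findings):
    """Order rules so those missing the most profile types come first."""
    return sorted(findings, key=lambda name: (-len(findings[name]), name))

if __name__ == "__main__":
    report = missing_profiles(SAMPLE)
    for name in prioritize(report):
        print(f"{name}: missing {', '.join(report[name])}")
```

Rules that reference a profile group are skipped rather than cleared, so review the group's members separately.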