Strata Cloud Manager
Built-In Best Practices in Strata Cloud Manager
Table of Contents
Built-In Best Practices in Strata Cloud Manager
Best practices checks are built right in so that you can get a live evaluation of
your configuration.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Each of these licenses include access to Strata Cloud
Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are
using.
|
Palo Alto Networks best practices are designed to help you get the most secure
network possible by streamlining the process of checking compliance on your network
infrastructure. We’ve built best practice checks directly in to Strata Cloud Manager, so that you can get a live evaluation of your configuration. Tighten your security
posture by aligning with best practices. You can leverage Strata Cloud Manager to
assess your Panorama, NGFW, and Panorama Managed Prisma Access security configurations
against best practices and remediate failed best practice checks.
Best practice guidance aims to help you bolster your security posture, but also to help
you manage your environment efficiently and to best enable user productivity.
Continually assess your configuration against these inline checks—and when you see an
opportunity to improve your security, take action then and there.
Visibility into Best Practice Adoption and Compliance
To get started, you can quickly assess your overall security posture by checking the
following Posture Dashboards.
See how you’re doing at a high-level and pinpoint areas where you might want to start
taking action.
- Check the Dashboard: Best Practices dashboard for daily best practices reports, and their mapping to the Center for Internet Security’s Critical Security Controls (CSC) checks, to help you identify areas where you can make changes to improve your best practices compliance. Share the best practice report as a PDF and schedule it to be regularly delivered to your inbox.
![]()
- Check the Compliance Summary dashboard to view a history of changes to the security checks made up to 12 months in the past, grouped together by the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) frameworks.
![]()
- Monitor Dashboard: Feature Adoption and stay abreast of which security features you’re using in your deployment and potential gaps in coverage.
![]()
- Monitor Dashboard: CDSS Adoption - View security services or feature subscriptions and their license usage in your devices to identify security gaps and harden the security posture of your enterprise.
![]()
- Get visibility into the security status and trend of your deployment based on the security postures of the onboarded NGFW devices with Dashboard: Security Posture Insights and be alerted when incidents occur or your security settings may need a closer look.
![]()
- Generate BPA reports for (non-telemetry) PAN-OS devices running versions 9.1 and above, now including feature adoption metrics.
![]()
Best Practice Tools to Strengthen Security Posture
Find a collection of tools to help you improve your security posture.
- Customize security posture checks for your deployment to maximize relevant recommendations in Manage: Security Posture Settings
- Use Config Cleanup to identify and remove unused configuration objects and policy rules.
- Configure Policy Optimizer Settings to hone and optimize overly permissive security rules so that they only allow applications that are actually in use in your network.
- Create your own Compliance Checks – Customize existing best practice checks and create and manage special exemptions to better align to your organization’s business requirements.
- Use Policy Analyzer to quickly ensure that updates you make to your Security policy rules meet your requirements and don't introduce errors or misconfigurations (such as changes that result in duplicate or conflicting rules).
Live, Inline Best Practice Configuration Checks
Best practice guidance aims to help you bolster your security posture, but also to
help you manage your environment efficiently and to best enable user productivity.
Continually assess your configuration against these inline checks—and when you see
an opportunity to improve your security, take action then and there.
- Best Practice ScoresBest practice scores are displayed on a feature dashboard (Security policy, decryption, or URL Access Control, for example). These scores give you a quick view into your best practice progress. At a glance, you can identify areas for further investigation or where you want to take action to improve your security posture.
- Field-level checks show you exactly where your configuration does not align with a best practice. Best practice guidance is provided inline, so you can immediately take action.
- Best Practice AssessmentHere, you can get a comprehensive view into how your implementation of a feature aligns with best practices. Examine failed checks to see where you can make improvements (you can also review passed checks). Rulebase checks highlight configuration changes you can make outside of individual rules, for example to a policy object that is used across several rules.
Best practice checks are available for the following objects:
- Your security policy rulebaseRulebase checks look at how security policy is organized and managed, including configuration settings that apply across many rules.
- Security rules
- Authentication
- AI Access Security
- Decryption
- Device Setup General
- Device Setup Authentication
- Device Setup Logging Reporting
- Device Setup Management Interface
- Device Setup Minimum Password Complexity
- Authentication Profile
- GlobalProtect
Looking for more on Palo Alto Networks best practices?
Here’s the best practices homepage, where you can
find resources to help you transition to and implement best practices.