Read about my BPA Adventure: Anti-Spyware and DNS Sinkhole. Like any good security engineer, I have my own PA-220 at home and I was (smugly) wondering how well I would score on a Palo Alto Networks Best Practice Assessment (BPA). The results were... interesting. Take a look at my results in this new blog on Live Community.
The Best Practice Assessment (BPA)
I accessed the CSP (Customer Support Portal) and uploaded my TechSupport File to the Best Practice Assessment Tool, designated my zones and ran the report. I felt pretty good about myself when the left half of the screen lit up bright apple green where the center (the average) is more lime and orange. I didn't really notice the horror on the right-hand side as nearly everything was white, except for one green bar which drew my attention and bruised my ego a little.
My adoption rates were great, but my BPA scores were horrible. All that smugness went out the window. I went ahead and downloaded the full report to see where I goofed up.
The downloaded .zip file contains a "Failed Best Practice Checks" .xlsx, and a "Best Practice Assessment" .html file.
The .xlsx file provides you with a short and sweet summary of all the detected failed checks, links to remediation, and an estimate of how much time you'd need to rectify them (pretty cool, right?).
The HTML file has the same adoption heatmap and some other graphical report elements, plus report sections for all the failed checks. Since I have been working on the new DNS Security service, I was a bit horrified to notice I had a failed check for DNS Sinkhole on my home device.
To get to the Anti-Spyware checks from the main page, do the following:
Making my Anti-Spyware profile better
So what can be done to make my profile better?
So I made the following changes:
After committing the changes, collecting a fresh TechSupport File, and re-running the BPA, I now have two extra bars on the Best Practice Mode!
Next time, we'll take a look at the other BPA results.