BPA Executive Summary
Overview
The BPA overview section provides the overall security posture of your Palo Alto Network Next-Generation Firewall, Panorama and Prisma Access. The three major components are:
The BPA system rating evaluates the device (Next-Generation Firewall, Panorama, or Prisma Access) security capabilities and feature adoption against best practices. It is the average percentage of following:
BPA System Rating = (Avg. of overall capability adoption + Avg. of mapping definitions) / 2
Example
|
Avg. of overall capability adoption |
Avg. of mapping definitions |
BPA System Rating |
|
600 / 9 = 66.66% |
52.3% |
(66.66 + 52.3) / 2 = 59.48%
|
The BPA system ratings are categorized in three different categories based on the score from the above calculation.
|
Severity |
Score Range |
Color in Box |
Description |
Conclusion |
|
Low |
0 - 39 |
Red |
Based on the results of the assessment, there are significant gaps in your overall capability adoption and passing percentage of BPA checks. |
It's recommended that users review each section and work through the results to understand gaps and where improvements can be made. |
|
Moderate |
40 - 79 |
Yellow |
The assessment results indicate that some security capabilities and best practice checks have been implemented. |
It's recommended that users review each section and work through the results to understand gaps that need to be addressed in order to fully ensure a consistent and secure approach. |
|
High |
80 - 100 |
Green |
The assessment results show a mature security capability approach. |
Review individual areas or questions that scored lower and continue to build on an otherwise strong platform. |
CDSS utilization score focuses on the efficiency of a company’s use of its network security assets. The score measures the extent to which companies have adopted services they have purchased.
CDSS Utilization Calculation
CDSS Utilization Score = (sum of average adoption percentages of each CDSS service category) / # of service categories
Example (using data from Serial Number & Vsys):
|
Average Adoption % |
WildFire = 85.7 % |
Threat Prevention (IPS) |
DNS Security = 0.0 % |
URL Filtering = (0.0 + 0.0) / 2 = 0/0% |
|
CDSS Utilization Score |
39.28 % = (85.7 + 71.425 + 0.0 + 0.0) / 4 |
|||
CDSS utilization score is categorized in three different categories based on the score from the above formula.
|
Severity |
Score Range |
Color in Box |
Description |
Conclusion |
|
Low |
0 - 39 |
Red |
The assessment indicates there are significant gaps in adoption of at least two of the CDSS utilization categories (Wildfire, Threat Prevention, DNS Security, URL Filtering). |
To ensure efficient, secure use of CDSS resources, it is recommended that users review the adoption percentage of each category to identify and resolve misconfigurations. |
|
Moderate |
40 - 79 |
Yellow |
The assessment indicates there are moderate to significant gaps in adoption of at least one of the CDSS utilization categories (Wildfire, Threat Prevention, DNS Security, URL Filtering). |
To ensure efficient, secure use of CDSS resources, it is recommended that users review the adoption percentage of each category to identify and resolve misconfigurations. |
|
High |
80 - 100 |
Green |
The assessment indicates there are no significant gaps in any of the CDSS utilization categories, suggesting an efficient use of resources. |
Review individual categories with lower adoption percentages to maximize use of best practices. |
The vulnerability protection score will measure the effectiveness of network security assets in responding to cyber attacks. Below is the list of BPA checks that must be counted when calculating vulnerability protection score.
|
Check ID |
BPA Check Name |
top_nav |
left_nav |
|
7 |
Log Forwarding |
Policies |
Security |
|
13 |
Intrazone Allow Rules with Logging |
Policies |
Security |
|
41 |
Vulnerability Protection Profile Threat Exceptions |
Objects |
Vulnerability Protection |
|
42 |
Vulnerability Protection Strict Profile |
Objects |
Vulnerability Protection |
|
51 |
Traffic Settings |
Objects |
Log Forwarding |
|
52 |
Threat Settings |
Objects |
Log Forwarding |
|
60 |
Zone Protection Profile Applied to Zone |
Network |
Zones |
|
86 |
Reconnaissance Protection |
Network |
Zone Protection |
|
87 |
Packet Based Attack Protection |
Network |
Zone Protection |
|
189 |
Apps & Threats |
Device |
Dynamic Updates |
|
192 |
Apps & Threats Sync to Peer |
Device |
Dynamic Updates |
|
200 |
Vulnerability Protection Low/Informational Profile |
Objects |
Vulnerability Protection |
|
237 |
Apps & Threats Content Update |
Device |
Dynamic Updates |
Formula will be based on the average of passing % of all the BPA checks as listed above.
Example - Here we will calculate the average percentage of all three checks passing %
Vulnerability Protection Score = (0 + 25 + 50) / 3 = 25% (Here, we will count all the above listed BPA checks in the table for actual calculation)
Below screen is from the Mapping definition under Best Practice Assessment tab.
Vulnerability Protection Score categorized in three different categories based on the score from the above formula.
|
Severity |
Score Range |
Color in Box |
Description |
Conclusion |
|
Low |
0 - 39 |
Red |
The assessment indicates there are significant gaps in adoption of at least two or more capabilities. |
To ensure efficient, secure use of resources, it is recommended that users review the adoption percentage of each category to identify and resolve misconfigurations. |
|
Moderate |
40 - 79 |
Yellow |
The assessment indicates there are moderate to significant gaps in adoption of at least one of the capabilities. |
To ensure efficient, secure use of resources, it is recommended that users review the adoption percentage of each category to identify and resolve misconfigurations. |
|
High |
80 - 100 |
Green |
The assessment indicates there are no significant gaps in any of the capabilities configured on the device, suggesting an efficient use of resources. |
Review individual categories with lower adoption percentages to maximize use of best practices.
|
This shows overall adoption across key capabilities and compares it against Industry benchmarks. Users will also be able to view capability adoption data for the current report and will also have a drop down list option to select and view capability adoption data for previously generated reports. We are already capturing Capability adoption data in a BPA report, we will use the same data and present it in the new format for Exec Summary.
The Coverage across key compliance standard section consists of following.
NIST Avg. - The calculation for NIST Security Controls can be obtained from the Best Practice Summary page (as shown below).
CIS Avg. - This will be the average percentage of all the CIS Critical Security Controls Summary listed under Best Practice Summary screen.
Capability Avg. - This represents the average of overall capability adoption percentage in best practice mode under adoption summary screen from a BPA report.
Contact BPA team at bpa@paloaltonetworks.com
Visit us at www.paloaltonetworks.com/
