The Best Practice Assessment (BPA) tool for NGFW and Panorama




Whether you are new to Palo Alto Networks next-generation firewalls or a veteran user, one of the biggest challenges you face is knowing that your firewalls are configured properly to help protect your network.

Palo Alto Networks is pleased to announce the Best Practice Assessment (BPA) Tool to help meet that challenge.


To start, here is a small set of questions about your current configuration:

  • Is your security strategy prevention oriented?
  • Are you adopting all of the capabilities in your existing deployment?
  • Are you leveraging “best practices” across your architecture?
  • Are you fully aware of what solutions are deployed, and where?


If you answered NO to any of these questions, then I recommend that you check out the BPA tool and see how it can help improve your current posture.


What is the BPA?

The BPA consists of two components: A Security Policy Capability Adoption Heatmap and a Best Practice Assessment.

A Security Policy Capability Adoption Heatmap

BPA Heatmap showing adoption numbers and history to see if you are improving or areas that need attention.
The Adoption Heatmap analyzes Panorama network security management and individual NGFW configurations to see how you are leveraging Palo Alto Networks prevention capabilities. Specifically, the tool analyzes your rule base to identify whether our capabilities are being leveraged where relevant. Shown in a historical matrix form, along with color coding, you can use the heatmap to help determine which security areas need attention.

Best Practice Assessment

BPA Best Practice summary showing Compatibility, Control Category and Class Summaries.

The Best Practice Assessment evaluates configurations, identifies risks and gives recommendations for how you can address any found issues. The assessment compares current configurations to best practices and produces a guide to which best practices are, and are not, being utilized. This guide includes details of best practice recommendations per feature.

Why should I use the BPA?

For existing customers, the Best Practice Assessment (BPA) tool for NGFW and Panorama allows you to measure what, where and how you are applying capabilities across your Palo Alto Networks platform, and how these configurations compare to best practice.


See also:

For more information about the BPA tool, please see the following links:


Unit 42 has the following article, which also includes 3 links to a 1-hour expert-led workshop (Amer, AMEA and APAC links) about the BPA tool:

Build Confidence in Your Security Controls with a Self-Service Best Practice Assessment


For a shorter walkthrough of how to run and use the BPA tool, please see:
BPA Demo video


Tech Docs has some more info on the BPA tool here:

Use Palo Alto Networks Assessment and Review Tools




Q: How long does it take to generate a BPA for NGFW/Panorama?

A: The upload process of the tech support file can take longer on slower connections, but once the file is successfully uploaded, parsing should take fewer than 20 seconds.

Q: Why do I see zero-percent adoption on the Heatmap?

A: Zero-percent adoption on the Heatmap indicates that a security profile or feature is not configured properly on the rules.

Q: Is the tech support file saved on the server after it is uploaded?

A: No, the tech support file is deleted immediately after the BPA is generated.

Q: Is any of the BPA or Heatmap data stored in a database?

A: Yes, metadata is stored to track adoption trends and industry benchmarks. However, we do not store rule details or any sensitive customer information.

Q: What kind of information does the Best Practice Assessment (BPA) tool process?

A: The BPA tool processes a Tech Support File (TSF) generated and uploaded by End Users or by Resellers. The TSF contains logs, possibly including IP addresses or user IDs, but the BPA tool only inspects the configuration file in the TSF, which does not contain personal data.


Q: What does Palo Alto Networks do with the HTML report?

A: We generate the HTML report and store it in a temporary directory on disk. After generating the HTML, we discard the configuration information from memory, insert the HTML report into a password-protected zip file and remove the report from disk. We then send the password-protected zip file to the user for download.

Q: Does Palo Alto Networks share the data with anyone?

A: No, we do not share any of the data outside Palo Alto Networks and we treat it as confidential.

Q: What PAN-OS versions does the BPA tool support?

A: The BPA tool officially supports PAN-OS 7.1+. Support for older versions is best effort and may produce inconsistent results.

Stay tuned for more information about the BPA tool, how to better use it, and what to do after you run it for the first time.


Thanks for taking time to read all about the new BPA tool. If you enjoyed this, please hit the Like (thumb up) button, don't forget to subscribe to the Live Community blog area, and as always, we welcome all comments and feedback in the comments section below.


Stay Secure,
Joe Delio
End of line