BPA Release Notes v3.15

Showing results for 
Search instead for 
Did you mean: 
L4 Transporter
Did you find this article helpful? Yes No
No ratings

New Apps with Application Filter

New Feature


Details: New App-IDs can cause a change in policy enforcement for traffic that is newly identified as belonging to a certain application. To mitigate any impact to security policy enforcement, you can use the new App-ID characteristic within the application filter in a security policy rule, so the rule always enforces the most recently introduced App-IDs without requiring you to make configuration changes when new App-IDs are installed. 


New App-IDs are released monthly, so a policy rule that allows the latest App-IDs gives you time (or if the firewall is not installing content updates on a schedule until the next time you manually install content) to assess how newly categorized applications might impact security policy enforcement and make any necessary adjustments.


Apply a security rule permitting traffic for new App-IDs only. Create an application filter with check enabled on new App-IDs only or necessary new App-IDs by filtering in application filter. Apply this application filter on a security policy with action set to "Allow." In Apps and Threats content Dynamic update, ensure the check for "Disable new apps in content update" is disabled.


View of App-filter-NewApps Interface.png


View of Security Rulebase in New App Filter.png

Script File Size 

New Feature


Details: Set the file size for script files to 20KB, so all script files that pass through the firewall are sent to WildFire for inspection. This file type was introduced in Apps and Threats content update 8101 and later. This file type is supported on PAN-OS version 8.1 and later.


View of Device WildFire Settings.png


Predefined Reports

New Feature


Details: The firewalls consume memory and compute resources in generating the predefined report results hourly (and forwarding it to Panorama where it is aggregated and compiled for viewing) to reduce memory usage. You can disable the reports that are not relevant to you. 

Before disabling a report, verify that there isn’t a "Group Report" or a "PDF Summary Report" feature using it. If you disable a predefined report assigned to a set of reports, the entire set of reports will have no data.


View of Device Logging Reporting Settings.png


BPA Summary with CIS Critical Security Controls version 7



Details: The Center for Internet Security released Critical Security Controls (CSC) version 7. The Best Practice Assessment Report was covering CSC version 6 until now. With this release, we have updated our Best Practice checks to align with CSC version 7.

The BPA Summary in the BPA report will now show Best Practice checks aligned with CSC version 7. In the failed Best Practice spreadsheet, we provide both CSC version 6 and CSC version 7, so you can reference to v6 details as needed.

View of CIS Critical Security Controls 7.0 Summary.png


Template Stack Label Update



Details: On PAN-OS versions 8.1 and later when referencing template stacks, the label in the BPA report was mentioning template. This has been corrected and the right label will be reflected now.


Rule Detail Tab Filters Update



Details: In the Heatmap component "Rule Detail" tab, when we want to select the available options for the filters and when we click the drop down, we made sure that the option "any" is available on the top so it is easily accessible to be selected. 


Decryption Summary Update



Details: In the Heatmap Summary view, we have Decryption Summary details. Here we also indicate if there are any URL Categories that are exempted from decryption rules. There was a bug where we use to show "any" as a category. With this update, we only show URL categories that are exempted.


Labels and Display in PDF Report



Details: There was a minor update made on a Label and Display to correct on the PDF chart in the PDF summary report.

Rate this article: