Best Practice Assessment Release Notes

  BPA Release Notes v5.2   Bugs 'IPSec Crypto Profile Encryption' check update  When a user selects GCM Encryption algorithm on IPSec crypto profiles as it inherently has Authentication capability too we would not fail if Authentication algorithm is not defined.   Improvements Added file size units for Wildfire file types  Wildfire File size units are added to understand the scope of file that needs sandbox. Wildfire File Types and its sizes   Update on 'Server Monitoring' BP check  Under User ID feature we were processing server monitors redundancy under 'server monitoring' section only. Now we also factor User ID agents configured in addition to Server Monitoring section. As far as there are 2 methods of obtaining User ID information as redundancy the check would pass.   New Feature Added SD-Wan configuration for visibility We have added SD-Wan configuration objects from Policies, Objects and Network Tabs respectively.   SD-WAN Policies Traffic Distribution profile under SD-Wan Link Management SD-WAN Interface Profiles      

  BPA Release Notes v5.1   Bugs Rule Detail tab Export option not exporting the list properly In the BPA report, "Rule Detail" tab - Export option at the bottom was not exporting all the Security rules. This issue has been fixed and the export captures all the rules.   'Enable Packet Buffer Protection' BP Check failing On 10.0 PanOS versions the best practice check 'Enable Packet Buffer Protection' was failing. This was happening due to change in xpath config and we have updated so this check is processed as expected and provide the correct result.   New Feature Tracking DNS Security as a new capability in Adoption Heatmap We have added a new column for DNS Security feature so a user can validate if the necessary security rules have DNS Security enabled and identify the security gaps.   DNS Security capability in Adoption Heatmaps  

  BPA Release Notes v4.0   This is a major feature release. Below are the highlights of the release,   Complete UI styleguide redesign aligning with other company products. Front end tech stack has been upgraded for improved performance and scalability. Created almost 200 short videos for each Best Practice Check that is embedded within the BPA HTML report. Developed a new splash page to enable users to learn about any new capabilities within the product. Created a usability improvement by linking different sections with in the BPA report to take customers from the summary graphs to individual checks - this guides the customer focus to the priority improvement areas. The spreadsheet has been updated to not only show the failed checks but also including the passed checks with added column for BPA Verdict. On a Panorama run BPA report, we now can show a Heatmap adoption for selected Device group in relation to their device group hierarchy so that total context is clear and evident.

  BPA Release Notes v3.36   Bugs Fixed an issue on BP check "PanOS Release Date" PanOS Release date in certain conditions was not being accurately getting the right value and inaccurately reporting the analysis.   Fixed an issue on BP check "Local Admins" Local Admins BP check will validate minimum password complexity check but it was failing for this check. The criteria needed to be updated.   Fixed an issue on BP check "Authentication Profile" Local admin count was not being calculated as expected and the Authentication Profile BP check was failing. This has been corrected and we have added new field for Local Admin user count.    

  BPA Release Notes v3.35   Bugs Fixed 'Inbound Malicious IP Address' BP Check with Hierarchy An issue was identified that was not taking into account for a security rule configured in the hierarchical device groups and failing.  

  BPA Release Notes v3.34   Bugs   Intrazone Rule with Action Deny We have fixed this best practice check now. If the Intrazone rule is set with Action=Deny then that security rule is excluded from this check analysis.      

  BPA Release Notes v3.33   New Features   Improvements on 'Mapping Definitions' section  We have added, a - 'Passing Occurence' column - Now we can know how many number of times a single BP check has been parsed in a configuration and check how many times it has passed out of total occurrences seen in the configuration. b - On mouse over the '?' button we can identify the details on how the calculation is made for Passing %, Previous Passing % and Passing Occurence c - Total - How the total value is derived and its calculation on the filtered results.   Passing Occurence and details on calculation for Passing % and Total values      HTTP/2 Protocol inspection We have added a new check to ensure if customer expecting HTTP/2 protocol traffic then they have the right configuration in place to permit this traffic through the firewall.   'Security Profile Verdict' New filter in 'Rule Detail' Tab Now we can have the ability to filter security rules which have security profiles with pass or fail BP check verdicts. We can export the list of rules to fix them or scope the work.   Security Profile Verdict - Filter in BPA   Bugs   Fixed some text typos in BPA informational section  

  BPA Release Notes v3.32   Bugs Quic App Deny rule BP check This BP check was failing in a scenario when it was supposed to pass. Needed an update ordering of pre-rulebase, post-rulebase to resolve the issue.   User ID timeout BP check update This BP check was failing due to overwriting of data. This has been fixed and correct configuration value is parsed and BP check verdict is created.   BPA report generation issue There was an encoding issue that needed to be updated that fixed the issue and user could generate the BPA report.  

Read about the recent BPA Release Notes in v3.31. See what improvements have been made and what bugs have been resolved.

Read the BPA Release Notes v3.30 and see what's new. Find out if there were any new features or bugs that were addressed in the release notes.

Review the new BPA Release Notes for v3.27. See how the new features and bug fixes can help you with checking your system for vulnerabilities. 

Review the improvements and bug fixes for the BPA. See how the fixed BP Mode Summary Graph can help you.

   BPA Release Notes v3.29   Improvements   Update to NIST Security Controls We have renamed 'Control Category Summary' graph to 'NIST Security Controls' in the BPA Summary report, PDF Executive reports and other places as needed.   Bugs   BPA report bundle generation through API Fixed an error where a large file could not be processed to generate the BPA report bundle through BPA API.    

Read about the new features in this BPA release notes v3.26, which includes: Filter option added in BPA for Pass/Fail checks.

Read about the new features, updates, and bug fixes in the BPA Release Notes v3.25.

Review BPA Release Notes v3.24 to learn about the new features, improvements, and current bug fixes that will help improve the BPA tool experience. 

Review the BPA release notes for V3.23. Learn how we added managed devices count on the Panorama report and a forwarding decryption check. We also explain some of the bugs that were fixed.

Review BPA Release Notes for V3.21. Learn about the updates to bug fixes such as updated file blocking profile check, updated Intrazone rule check, and an Xpath evaluation error update.

View the BPA Release Notes for V3.22. Learn about the added new URL category Grayware part of blocked categories and a check for DNS Security License. We also corrected a bug about parsing accurately.

  New Features   Number of Managed Devices on Panorama Now we can start tracking how many firewalls are being managed by the Panorama. At times, our adoption percentage values may change due to addition/removal of firewalls, and having the ability to know a change in the managed devices helps explain the change in adoption values.   BPA tracking columns for firewalls managed by Panorama.   New link added in CIS Critical Security Controls The second link that is added helps map CIS Critical Security Controls to other security controls and frameworks.   CIS Critical Security Controls 7.0 Summary with a highlighted section for a link to frameworks and standards information.   Class Summary Documentation Added the Class Summary reference to Control Category   Class Summary reference in Control Category   Bug Fixes Wildfire Profile File Types: Fixed a bug on Wildfire profile if customer defined specific file types then validate if all the relevant file types are defined to ensure all zero-day file types are inspected in sandbox.   Failed Attempts: Fixed a bug where Admin user login failed attempt was passing when the value was set at 0. Failed attempt for admin users should be a fixed value in the range 1 - 5   Idle Timeout: Fixed a bug where Admin user Idle timeout was passing when the value was set at 0. Idle timeout for admin users should be a fixed value in the range 1 - 10   Included Networks: Fixed a bug for Included Networks check where it needed an update on the error message and that is updated now.   Interface Management Profile: Fixed a bug where the protocols enabled for Interface management profile are correctly parsed on a Template configuration.   Mapping Definitions Control Category: Fixes a calculation error for Risk Assessment control category under Mapping Definitions  

v3.19.0 - Released on 9/9/2019   In addition to the enhancements and bug fixes included in this release, the team is hard at work on a major update of the HTML report to be more consistent with the company’s product style guide. Stay tuned for more!   Enhancements Updated check #207 – Credential Theft feature now ensures that business credentials compromising URL categories are set to “Block”   Update logic for WildFire file size checks on PAN-OS < 8.1 to provide a note if the file sizes exceed the recommended value   Added logic to rename "Captive Portal Policy" to "Authentication Policy" if PAN-OS 8.0+   Bug Fixes Updated formula for Zone Protection Profile Adoption calculation to use all enabled rules Fixed a bug with the Rules using Profile % calculations v3.19.1 (Hotfix) - Released on 9/13/2019 Fixed a display issue where Interface Mgmt Network Profiles were missing from the HTML report v3.19.2 (Hotfix) - Released on 9/19/2019 Fixed a bug related to parsing template variables

v3.18.0 - Released on 8/26/2019 At face value, this release squashes several bugs from our backlog. Behind the scenes, however, we are refactoring the codebase to support a larger re-write of the HTML report. More to follow in future releases!   Bug Fixes Fixed GRE Tunnel Keep Alive default values Fixed location of BPA check #71 – GP Portal Agent Config – App Configurations: Enforce GlobalProtect Connection for Network Access in the HTML report

Go here to see the release notes from the June 24, 2019 release. 

Observe the BPA Release Notes for v3.15 released on July 16, 2019. This reveals updates, fixed bugs, and enhancements made to the Best Practice Assessment.

v3.17.0 - Released on 8/13/2019   New Features   Log Forwarding URL Settings Details: When you create Log Forwarding profiles, forward URL logs to Panorama or another logging system, such as a syslog, SNMP, email, or HTTP server, so you can ensure URL activity logs are retained for a certain duration for compliance reasons, identifying URL activity that was not expected, and any web traffic pattern of compromised systems.     Log Forwarding Authentication Settings Details: When you create Log Forwarding profiles, forward Authentication logs to Panorama or another external logging space, such as a syslog, SNMP, email, or HTTP server, so you can ensure any resources accessed through authentication is recorded and saved for compliance, identifying and correcting authentication policies if extra resources are provided than needed and if any future incident handling.     Security Policy Inbound Malicious IP Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be malicious. The rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence.     Security Policy Outbound Malicious IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be malicious. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     Security Policy Inbound High Risk IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be High risk in nature. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     Security Policy Outbound High Risk IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be high risk in nature. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     HA Content Versions Details: This check ensures both the pairs in High Availability (HA) setup are the latest content versions. The content versions checked are Apps and Threat, Antivirus, and URL database. Both pairs in HA will work at optimal levels if the content versions are the same between the devices. The firewall will take same action on traffic if the devices have same content version, so the expected behavior is same across.     Enhancements Added Industry Average trending for ZPP, Log forwarding, and Credential Phishing prevention Added "Rules using Profile" and "Rules using Profile Pct" for Log-forwarding profile, Decryption profile, and DoS protection profiles Added logic to resolve Panorama template variables Improved logic for check #222 – Content-Based Critical System Logs Bug Fixes Fixed a display issue in the HTML report for Application Tags Fixed a calculation bug with the "Rules using Profile Pct" values v3.17.1 (Hotfix) - Released on 8/16/2019 Fixed a parsing issue with Decryption Policies and DoS Protection Policies

      Adoption capability with License details New feature   Details: When a license is expired or inactive its respective features do not work at their best. For instance if URL filtering license is expired then URL filtering capability, Credential Phishing protection capability gets outdated and may not provide effective security coverage. With this addition now we can see a notification if license is expired so that we can identify if the adoption is effective or not.   DNS Security Service New feature   Details: When the DNS security license is active we ensure the DNS security service is configured according to best practice. In the DNS Signature tab in Anti-spyware profile we can select the DNS securit service EDL and set to action = sinnkhole and single packet capture to pass the best practice.   License validation based on enabled features New feature   Details: When using certain features that need license to be active and if license gets expired this new check will indicate the necessity of license to run the feature at optimal and as expected. Ex: If Anti-spyware is enabled on firewall policies but the license is not active or expired then the check would provide an indication to enable the license to ensure the feature works as intended.   Updated BPA Mapping Definitions Table  Bug   Details: Updated the BPA Mapping definition table under BPA component with new checks and its respective columns pertaining to security controls such a Capability Summary, CIS Critical Security controls.   Updated Wildfire file sizes for Pdf and MSoffice file types Bug   Details: Wildfire file size values for types Pdf and Msoffice was not accurate and had been rounded. These values were updated as per the recommendation.