New Ransomware URL Filtering Category   Starting September 27, 2022, Palo Alto Networks started to publish URLs into the newly introduced category “Ransomware” available with content release version 8592 and above.   Action: (If the content release version is 8592 and above) Ransomware category “Site Access” action set to “block” only for the default profile. If customer has multiple URL Filtering security profiles, they will need to update “Site Access” action to “BLOCK” for each profiles. This applies to all versions of PAN-OS software.   More information can be found at New Advanced URL Filtering/PANDB Category: Ransomware   This new category was added in BPA version 7.3.0

 BPA Release Notes (Version 6.4.0)   Starting BPA Version 6.0.0 Prisma Access BPA report will provide Health Check information about your Prisma Access. Health checks are essential in establishing a solid foundation upon which cybersecurity infrastructure is built, it will help to identify weakest security areas, and will also recommend the best practice actions to mitigate any potential risks.   The Service Health option under Best Practice Assessment tab will provide you with the detailed information about each health check and the necessary actions that are required to pass each one of them.    Figure 1: Service Health under Best Practice Assessment To learn more about health checks in Prisma Access BPA report please click here   Health Checks added to BPA in BPA V6.4.0 Category Health Checks Security  UserID Remote Network Redistribution UserID Agent from On-Prem  Mobile Users Authentication SAML Connectivity Mobile Users Authentication Sequence       Review the latest Known Issues Severity Description S2 HTML Report > Deployment Type missing from Mapping Definitions: Deployment Type showing as undefined, whereas it should actually show the correct mapping definitions S2 - Major Action on DNS Queries for DNS Sinkhole is not set to “sinkhole” and still passes S3 - Minor Reloading the HTML Report will repeatedly show New Features pop up S3 - Minor SNMP tab text not matching main screen text Enhancement Distinguish between authentication profile and profiles and authentication sequence and sequences for better user experience S3-Minor Device management license should have the same SN as host SN S3 - Minor Target Device is being set as none instead of the serial number of the device S3 - Minor Filter is capitalization sensitive - The local filters are capitalization sensitive when typing in a search query. The filter should be able to take in both capitalized words and non capitalized words. Review the Addressed Issues from the last release Severity Description S3-Minor Authentication tab text not matching main screen text S2-Major Change to ECMP Load Balancing tag in 10.1 caused issue processing TSF file S1-Critical Error while running BPA Report for Prisma Access. Authentication Cookie timeout is not set for customer S3-Minor Batch license info shows empty even if there are batch licenses. S2-Major When we generate a BPA report for strata we need to exclude any PA HC. S3-Minor Global Protect Checks fails due to incorrect SAML flag S3-Minor BPA API HTML Issue which prevented downloading and viewing a report offline For BPA support, please contact us at bpa@paloaltonetworks.com   Resources   How to generate a Prisma Access BPA Report How to Generate a BPA Report Health Check Demo Video BPA Solution Brief  Best Practice Assessment (BPA) Tool LIVEcommunity Page   Configuration Wizard Demos Best Practice Assessment Plus (BPA+) Overview Video Best Practice Assessment Video Playlist  

 BPA Release Notes (Version 6.3.0)   Starting BPA Version 6.0.0 Prisma Access BPA report will provide Health Check information about your Prisma Access. Health checks are essential in establishing a solid foundation upon which cybersecurity infrastructure is built, it will help to identify weakest security areas, and will also recommend the best practice actions to mitigate any potential risks.   The Service Health option under Best Practice Assessment tab will provide you with the detailed information about each health check and the necessary actions that are required to pass each one of them.    Figure 1: Service Health under Best Practice Assessment To learn more about health checks in Prisma Access BPA report please click here Health Checks added to BPA in BPA V6.3.0   Category Health Checks Security Mobile Users Policy Security Policy zones untrust Remote Network Policy Security Policy zones untrust Mobile Users Security Policy UserID Mobile Users Policy Security Policy Sensitive Traffic Remote Network Policy Security Policy Sensitive Traffic  Infrastructure Mobile User Deployment Service Connection Presence Mobile Users Gateway Regions Mobile User Deployment IP Pool Allocation Mobile Users Onboarding Prisma Access Subnet Service Connection Onboarding Prisma Access Service Subnet Connectivity QoS Remote Network     Review the latest Known Issues Severity Description S2 HTML Report > Deployment Type missing from Mapping Definitions. Deployment Type showing as undefined, whereas it should actually show the correct mapping definitions. S2 - Major Action on DNS Queries for DNS Sinkhole is not set to “sinkhole” and still passes S3 - Minor Reloading the HTML Report will repeatedly show New Features pop up S3-Minor Authentication tab text not matching main screen text S3 - Minor SNMP tab text not matching main screen text S3-Minor Device management license should have the same SN as host SN S3 - Minor Target Device is being set as none instead of the serial number of the device S3 - Minor The local filters are capitalization sensitive when typing in a search query. The filter should be able to take in both capitalized words and non capitalized words.    Review the Addressed Issues from the last release Severity Description S2 Error After Uploading TSF to CSS S3-Minor Batch license info showing empty S1 Error while running BPA Report for Prisma Access. Authentication Cookie timeout is not set for customer S2 Report generation is failing for strata  S3 Global Protect Checks fails For BPA support, please contact us at bpa@paloaltonetworks.com Resources   How to generate a Prisma Access BPA Report How to Generate a BPA Report Health Check Demo Video BPA Solution Brief  Best Practice Assessment (BPA) Tool LIVEcommunity Page Configuration Wizard Demos Best Practice Assessment Plus (BPA+) Overview Video Best Practice Assessment Video Playlist  

BPA Release Notes (Version 6.2.0) Starting BPA Version 6.0.0 Prisma Access BPA report will provide Health Check information about your Prisma Access. Health checks are essential in establishing a solid foundation upon which cybersecurity infrastructure is built, it will help to identify weakest security areas, and will also recommend the best practice actions to mitigate any potential risks.   The Service Health option under Best Practice Assessment tab will provide you with the detailed information about each health check and the necessary actions that are required to pass each one of them.  Figure 1: Service Health under Best Practice Assessment   To learn more about health checks in Prisma Access BPA report please click here Health Checks added to BPA in BPA V6.2.0   Category Health Checks Security MU_Security_Policy_zones RN_Security_Policy_zones UserID_MU_Groupmapping_include_list UserID_RN_Groupmapping_include_list RN_Security_Policy_userid MU_Security_Policy_userid MU_Cookie_Lifetime Connectivity RN_Routing_overlapping_subnets MU_VPN_Protocol MU_APP_Connection_Timers MU_Authentication_LDAP_Bindtime     Review the latest Known Issues Severity Description S2 Error After Uploading TSF to Customer Success Site and Customer Support Portal S2 Under HMTL report "Deployment Type" missing from the Mapping Definitions S2 Action on DNS Queries for DNS Sinkhole is not set to “sinkhole” still passes S3 Reloading the HTML report will repeatedly show New Features pop up S3 Batch license info showing empty S3 Authentication tab text not matching main screen text     For BPA support, please contact us at bpa@paloaltonetworks.com   Resources How to generate a Prisma Access BPA Report How to Generate a BPA Report Health Check Demo Video BPA Solution Brief  Best Practice Assessment (BPA) Tool LIVEcommunity Page   Configuration Wizard Demos Best Practice Assessment Plus (BPA+) Overview Video Best Practice Assessment Video Playlist

Starting BPA Version 6.0.0 Prisma Access BPA report will provide Health Check information about your Prisma Access. Health checks are essential in establishing a solid foundation upon which cybersecurity infrastructure is built, it will help to identify weakest security areas, and will also recommend the best practice actions to mitigate any potential risks.   The Service Health option under Best Practice Assessment tab will provide you with the detailed information about each health check and the necessary actions that are required to pass each one of them.    Figure 1: Service Health under Best Practice Assessment   To learn more about health checks in Prisma Access BPA report please click here   Health Checks added to BPA in BPA V6.1.2   Category Health Checks Security MU_Log_Forwarding_Policy RN_Log_Forwarding_Policy RN_Log_Forwarding_Profile MU_APP_Invalid_Portal_Cert MU_Authentication_LDAP_SSL Connectivity SC_VPN_Monitoring_Dead_peer_all_enable SC_VPN_Monitoring_Tunnel_BGP RN_VPN_Monitoring_Tunnel_BGP SC_VPN_Monitoring_Tunnel_all_enable MU_App_Pre_Logon_Tunnel_Rename_Timeout MU_APP_Disable_GlobalProtect_App MU_App_TCP_Connection_Timeout MU_App_Portal_Connection_Timeout MU_App_Preserve_Tunnel_on_User_Logoff_Timeout Review the latest Known Issues Severity Description S2 HMTL Report > Deployment Type missing from Mapping Definitions  S2 Action on DNS Queries for DNS Sinkhole is not set to “sinkhole” still passes S3 Reloading the HTML Report will repeatedly show New Features pop up For BPA support, please contact us at bpa@paloaltonetworks.com     Resources   How to generate a Prisma Access BPA Report How to Generate a BPA Report Health Check Demo Video BPA Solution Brief  Best Practice Assessment (BPA) Tool LIVEcommunity Page   Configuration Wizard Demos Configuration Wizard Overview Video Best Practice Assessment Video Playlist

BPA Release Notes (Version 6.0.0)     New Feature   Prisma Access BPA report will provide Health Check information about your Prisma Access. Health checks become essential in establishing a solid foundation upon which cybersecurity infrastructure is built, it will help to identify weakest security areas, and will also recommend the best practice actions to mitigate any potential risks.   The Service Health option under Best Practice Assessment tab will provide you with the detailed information about each health check and the necessary actions that are required to pass each one of them.      Figure 1: Service Health under Best Practice Assessment To learn more about health checks in Prisma Access BPA report please click here Review the latest Known Issues Severity Description S2 - Major Action on DNS Queries for DNS Sinkhole is not set to “sinkhole” still passes. S3 - Minor Reloading the HTML Report will repeatedly show New Features pop up. For BPA support, please contact us at bpa@paloaltonetworks.com Resources   How to generate a Prisma Access BPA Report How to Generate a BPA Report BPA Solution Brief  Best Practice Assessment (BPA) Tool LIVEcommunity Page   BPA+ (Configuration Wizard) Demos Best Practice Assessment Plus (BPA+) Overview Video Best Practice Assessment Video Playlist  

Read the BPA Release Notes v3.30 and see what's new. Find out if there were any new features or bugs that were addressed in the release notes.

Review the new BPA Release Notes for v3.27. See how the new features and bug fixes can help you with checking your system for vulnerabilities. 

Review the improvements and bug fixes for the BPA. See how the fixed BP Mode Summary Graph can help you.

Read about the new features, updates, and bug fixes in the BPA Release Notes v3.25.

Review BPA Release Notes v3.24 to learn about the new features, improvements, and current bug fixes that will help improve the BPA tool experience. 

Review the BPA release notes for V3.23. Learn how we added managed devices count on the Panorama report and a forwarding decryption check. We also explain some of the bugs that were fixed.

Review BPA Release Notes for V3.21. Learn about the updates to bug fixes such as updated file blocking profile check, updated Intrazone rule check, and an Xpath evaluation error update.

View the BPA Release Notes for V3.22. Learn about the added new URL category Grayware part of blocked categories and a check for DNS Security License. We also corrected a bug about parsing accurately.

v3.19.0 - Released on 9/9/2019   In addition to the enhancements and bug fixes included in this release, the team is hard at work on a major update of the HTML report to be more consistent with the company’s product style guide. Stay tuned for more!   Enhancements Updated check #207 – Credential Theft feature now ensures that business credentials compromising URL categories are set to “Block”   Update logic for WildFire file size checks on PAN-OS < 8.1 to provide a note if the file sizes exceed the recommended value   Added logic to rename "Captive Portal Policy" to "Authentication Policy" if PAN-OS 8.0+   Bug Fixes Updated formula for Zone Protection Profile Adoption calculation to use all enabled rules Fixed a bug with the Rules using Profile % calculations v3.19.1 (Hotfix) - Released on 9/13/2019 Fixed a display issue where Interface Mgmt Network Profiles were missing from the HTML report v3.19.2 (Hotfix) - Released on 9/19/2019 Fixed a bug related to parsing template variables

v3.18.0 - Released on 8/26/2019 At face value, this release squashes several bugs from our backlog. Behind the scenes, however, we are refactoring the codebase to support a larger re-write of the HTML report. More to follow in future releases!   Bug Fixes Fixed GRE Tunnel Keep Alive default values Fixed location of BPA check #71 – GP Portal Agent Config – App Configurations: Enforce GlobalProtect Connection for Network Access in the HTML report

Go here to see the release notes from the June 24, 2019 release. 

Observe the BPA Release Notes for v3.15 released on July 16, 2019. This reveals updates, fixed bugs, and enhancements made to the Best Practice Assessment.

v3.17.0 - Released on 8/13/2019   New Features   Log Forwarding URL Settings Details: When you create Log Forwarding profiles, forward URL logs to Panorama or another logging system, such as a syslog, SNMP, email, or HTTP server, so you can ensure URL activity logs are retained for a certain duration for compliance reasons, identifying URL activity that was not expected, and any web traffic pattern of compromised systems.     Log Forwarding Authentication Settings Details: When you create Log Forwarding profiles, forward Authentication logs to Panorama or another external logging space, such as a syslog, SNMP, email, or HTTP server, so you can ensure any resources accessed through authentication is recorded and saved for compliance, identifying and correcting authentication policies if extra resources are provided than needed and if any future incident handling.     Security Policy Inbound Malicious IP Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be malicious. The rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence.     Security Policy Outbound Malicious IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be malicious. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     Security Policy Inbound High Risk IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be High risk in nature. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     Security Policy Outbound High Risk IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be high risk in nature. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     HA Content Versions Details: This check ensures both the pairs in High Availability (HA) setup are the latest content versions. The content versions checked are Apps and Threat, Antivirus, and URL database. Both pairs in HA will work at optimal levels if the content versions are the same between the devices. The firewall will take same action on traffic if the devices have same content version, so the expected behavior is same across.     Enhancements Added Industry Average trending for ZPP, Log forwarding, and Credential Phishing prevention Added "Rules using Profile" and "Rules using Profile Pct" for Log-forwarding profile, Decryption profile, and DoS protection profiles Added logic to resolve Panorama template variables Improved logic for check #222 – Content-Based Critical System Logs Bug Fixes Fixed a display issue in the HTML report for Application Tags Fixed a calculation bug with the "Rules using Profile Pct" values v3.17.1 (Hotfix) - Released on 8/16/2019 Fixed a parsing issue with Decryption Policies and DoS Protection Policies