Go here to see the release notes from the June 24, 2019 release. 

Observe the BPA Release Notes for v3.15 released on July 16, 2019. This reveals updates, fixed bugs, and enhancements made to the Best Practice Assessment.

v3.17.0 - Released on 8/13/2019   New Features   Log Forwarding URL Settings Details: When you create Log Forwarding profiles, forward URL logs to Panorama or another logging system, such as a syslog, SNMP, email, or HTTP server, so you can ensure URL activity logs are retained for a certain duration for compliance reasons, identifying URL activity that was not expected, and any web traffic pattern of compromised systems.     Log Forwarding Authentication Settings Details: When you create Log Forwarding profiles, forward Authentication logs to Panorama or another external logging space, such as a syslog, SNMP, email, or HTTP server, so you can ensure any resources accessed through authentication is recorded and saved for compliance, identifying and correcting authentication policies if extra resources are provided than needed and if any future incident handling.     Security Policy Inbound Malicious IP Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be malicious. The rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence.     Security Policy Outbound Malicious IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be malicious. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     Security Policy Inbound High Risk IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be High risk in nature. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     Security Policy Outbound High Risk IP Address Feed Details: Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be high risk in nature. The security rule will ensure that your network is always protected against the IP addresses from the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence. Ensure the security rule is logging at session end and log forwarding profile is applied to track activity.     HA Content Versions Details: This check ensures both the pairs in High Availability (HA) setup are the latest content versions. The content versions checked are Apps and Threat, Antivirus, and URL database. Both pairs in HA will work at optimal levels if the content versions are the same between the devices. The firewall will take same action on traffic if the devices have same content version, so the expected behavior is same across.     Enhancements Added Industry Average trending for ZPP, Log forwarding, and Credential Phishing prevention Added "Rules using Profile" and "Rules using Profile Pct" for Log-forwarding profile, Decryption profile, and DoS protection profiles Added logic to resolve Panorama template variables Improved logic for check #222 – Content-Based Critical System Logs Bug Fixes Fixed a display issue in the HTML report for Application Tags Fixed a calculation bug with the "Rules using Profile Pct" values v3.17.1 (Hotfix) - Released on 8/16/2019 Fixed a parsing issue with Decryption Policies and DoS Protection Policies

      Adoption capability with License details New feature   Details: When a license is expired or inactive its respective features do not work at their best. For instance if URL filtering license is expired then URL filtering capability, Credential Phishing protection capability gets outdated and may not provide effective security coverage. With this addition now we can see a notification if license is expired so that we can identify if the adoption is effective or not.   DNS Security Service New feature   Details: When the DNS security license is active we ensure the DNS security service is configured according to best practice. In the DNS Signature tab in Anti-spyware profile we can select the DNS securit service EDL and set to action = sinnkhole and single packet capture to pass the best practice.   License validation based on enabled features New feature   Details: When using certain features that need license to be active and if license gets expired this new check will indicate the necessity of license to run the feature at optimal and as expected. Ex: If Anti-spyware is enabled on firewall policies but the license is not active or expired then the check would provide an indication to enable the license to ensure the feature works as intended.   Updated BPA Mapping Definitions Table  Bug   Details: Updated the BPA Mapping definition table under BPA component with new checks and its respective columns pertaining to security controls such a Capability Summary, CIS Critical Security controls.   Updated Wildfire file sizes for Pdf and MSoffice file types Bug   Details: Wildfire file size values for types Pdf and Msoffice was not accurate and had been rounded. These values were updated as per the recommendation.