Best Practice Assessment FAQ

Q: What is the Best Practice Assessment for NGFW and Panorama? 

A: The Best Practice Assessment, or BPA, for NGFW and Panorama consists of two components: The Best Practice Assessment and the Security Policy Capability Adoption Heatmap. 

The Best Practice Assessment assesses configurations, identifies risks and provides recommendations on how a customer can remediate issues in order to strengthen security. The assessment compares current configurations to best practices and produces a guide to which best practices are, and are not, being utilized. This guide includes details of best practice recommendations per feature. 

The Adoption Heatmap analyzes Panorama™ network security management and individual NGFW configurations to see how the customer is leveraging our prevention capabilities. Specifically, the tool analyzes the rule base to identify whether our capabilities are being leveraged where relevant. Confidently measure, track and improve your security policy adoption with the BPA.


Q: Why is it so important to run a Best Practice Assessment?

A: Most security breaches (99%) are due to misconfigurations, not flaws in a firewall. The Best Practice Assessment is a free tool we developed specifically to help you configure your firewall as recommended for risk prevention. The BPA quickly identifies the critical security controls your organization should focus on. It is one of the best ways to strengthen your security posture. Changes in your network may drive changes in your configuration, so we recommend running a BPA regularly.


Q: How do I generate a BPA for NGFW/Panorama configurations? 

A: Generate a BPA with the following steps: 

  1. Download the “tech support file” from the Operations/Support tab of the NGFW and/or Panorama.
  2. Log in to the Customer Support Portal (CSP) > Tools > Best Practice Assessment.
  3. Upload or drag and drop the Tech Support file.
  4. Map the zone type and area of architecture to each zone. 
  5. Follow the steps to auto download the BPA report bundle.


We also have a BPA API that generates the BPA results as JSON output, so any customization on the user end can be built on top of it. Access BPA API section at ,

Q: How can I view a list of all previous reports I have generated? 

A: Navigate to Customer Support Portal (CSP) > Tools > Best Practice Assessment, where you can see a table of all previous summary reports you have generated.


Q: How long does it take to generate a BPA for NGFW/Panorama? 

A: Report generation should generally take less than a minute, and a couple of minutes for larger TSF files. Uploading the tech support file can take slightly longer on slower connections.


Q: Why is it important to map the area of architecture to each zone? 

A: Mapping each area of the architecture ensures profiles are applied consistently across all areas of the architecture. This helps you start thinking from the inside out, rather than from the outside in.


Q: Why do I see zero-percent adoption on the Heatmap? 

A: Zero-percent adoption on the Heatmap indicates that a security profile or feature is not applied on the rules. Some profiles or features may not be relevant to that business or network.
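
How an adoption percentage of this kind can be computed from a rulebase, as an added example that is not Palo Alto Networks code and not the BPA's actual logic. It assumes the PAN-OS XML rule layout with profiles attached directly to rules (profile groups are not resolved) and that adoption is measured over enabled allow rules; the rulebase and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed rulebase fragment in PAN-OS XML layout (not from a real device).
SAMPLE_RULEBASE = """<rules>
  <entry name="web-out">
    <action>allow</action>
    <profile-setting><profiles>
      <virus><member>default</member></virus>
      <url-filtering><member>default</member></url-filtering>
    </profiles></profile-setting>
  </entry>
  <entry name="dns-out">
    <action>allow</action>
    <profile-setting><profiles>
      <virus><member>default</member></virus>
    </profiles></profile-setting>
  </entry>
  <entry name="legacy-app"><action>allow</action></entry>
  <entry name="old-vpn"><action>allow</action><disabled>yes</disabled></entry>
  <entry name="block-all"><action>deny</action></entry>
</rules>"""

PROFILE_TYPES = ("virus", "spyware", "vulnerability",
                 "url-filtering", "file-blocking", "wildfire-analysis")

def profile_adoption(rulebase_xml):
    """Return ({profile type: % of enabled allow rules using it}, unprotected rule names)."""
    # Assumption: only enabled allow rules count; deny and disabled rules pass no traffic.
    rules = [r for r in ET.fromstring(rulebase_xml).findall("entry")
             if r.findtext("action") == "allow"
             and r.findtext("disabled") != "yes"]
    if not rules:
        return {}, []          # nothing to measure, avoid dividing by zero
    adoption = {}
    for ptype in PROFILE_TYPES:
        hits = sum(1 for r in rules
                   if r.find(f"profile-setting/profiles/{ptype}/member") is not None)
        adoption[ptype] = round(100 * hits / len(rules), 1)
    # Allow rules with no profile setting at all are the first remediation targets.
    gaps = [r.get("name") for r in rules if r.find("profile-setting") is None]
    return adoption, gaps

if __name__ == "__main__":
    adoption, gaps = profile_adoption(SAMPLE_RULEBASE)
    for ptype, pct in adoption.items():
        print(f"{ptype:18} {pct:5.1f}%")
    print("allow rules without any profile:", gaps)
```

A profile type that reads 0.0 here is either a coverage gap or a feature that is not relevant to the traffic those rules carry, which is the distinction the answer above draws.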


Q: Is the tech support file saved on the server after it is uploaded? 

A: No, the tech support file is deleted immediately after the BPA is generated. 


Q: Is any of the BPA or Heatmap data stored in a database? 

A: Yes, metadata is stored by Palo Alto Networks to track adoption trends and industry benchmarks. However, we do not store rule details or any sensitive customer information. 


Q: Who came up with the best practice logic? 

A: The logic behind the best practice checks in the BPA was put together by a group of leaders from key areas across Palo Alto Networks, including Product Management, ETAC, Professional Services, Global Practice, Support, Customer Success, and Business Development. The scope of the exercise was to go through nearly every feature of PAN-OS® and document, from a prevention perspective, how a customer would properly configure each feature.


Q: How are the best practices maintained and updated, and by whom? 

A: The best practice logic is centrally maintained by our Customer Experience Automation team. Updates to existing best practice checks, or requests for net new checks, come from our users. We encourage all users to provide feedback to the BPA team at:


Q: Are the best practices in the Expedition migration tool and the BPA the same? 

A: Yes, Expedition and the BPA use the same central Python library that parses the XML configurations to perform each best practice check. We partner with the Expedition development team to ensure they always have the latest version of code so that logic can remain aligned. 


Q: Why can’t users dismiss a failed best practice check in the HTML report for the BPA? 

A: The BPA HTML report is a static document with no backend data persistence layer. Having this functionality in the HTML report is technically possible, but dismissals of failed checks could not be saved and subsequently shared with others.

To get around this limitation, we have a secondary Excel® file that provides a list of all failed best practice checks. A user can use this to track progress on the remediation of failed best practice checks. We also have a BPA API that generates the BPA results as JSON output, so any customization on the user end can be built on top of it. Access BPA API section at ,


Q: Where can I access the documentation of the different best practices themselves? 

A: You have three options for viewing documentation of the best practices:

  1. Documentation for each check can be accessed from within the BPA HTML report by clicking the question mark (?) icon in each section of the report.
  2. Documentation is also available in the secondary Excel file of failed best practice checks.


Q: What kind of information does the Best Practice Assessment (BPA) tool process?

A: The BPA tool processes a Tech Support File (TSF) generated and uploaded by End Users/customers. The TSF contains logs, possibly including IP addresses or user IDs, but the BPA tool only inspects the configuration file in the TSF, which does not contain personal data.


Q: How can I give someone on my team access to run a BPA on my firewalls?

A: In the Customer Support Portal, ‘superusers’ can assign the ‘BPA User’ role to other members of the team so they can generate BPA reports.


Q: What does the BPA tool do with the data?

A: The BPA tool reviews the configuration file in the TSF to generate an HTML report containing heatmaps and the best practice assessment of the device configuration. The purpose is to enable End Users to view which features are used, where and at what percentage they are adopted (Heatmaps), and to use the platform more effectively and in line with industry benchmarks and best practices to strengthen their security. The Tech Support File is uploaded and processed in memory, and it is never captured or stored by the BPA tool.


Q: What does Palo Alto Networks do with the HTML report?

A: We generate the HTML report and store it in a temporary directory on disk. After generating the HTML, we delete the configuration information from memory, insert the HTML report into the zip file, and remove it from disk. We then send the zip file to the user for download.


Q: What kind of data does Palo Alto Networks store?

A: We store aggregated results from the adoption measurements shown in the Heatmaps, rule counts, and the output from show system info. We also store aggregated statistics from the Best Practice Assessment. None of the above contains any information regarding specific customers or users. We do not store any rule details, nor any of the files contained in the TSF.


Q: Does Palo Alto Networks share the data with anyone?

A: No, we do not share any of the data outside Palo Alto Networks, and we treat it as confidential.


Q: If I have an RMA/Serial Number change on my firewall, how do I maintain trending?

A: Send an email to the BPA team to modify the historical data so trending does not break.


Q: What PAN-OS versions does the BPA tool support?

A: The BPA tool officially supports PAN-OS 8.1 and later. Support for older versions is best effort and may produce inconsistent results. We recommend upgrading to supported versions of PAN-OS.


Q: How many customers are in a particular industry?

A: The industry averages for all adoption metrics are made up of customers who have previously generated a BPA in that particular industry.

A: BPA videos are short videos created for each Best Practice check to explain the security value and purpose of each check and guide how to configure it by walking through a firewall UI.


Q: I generated a BPA on the Customer Support Portal, where is my detailed HTML?

A: Upon completion of the BPA generation on the Customer Support Portal, you are presented with the Best Practice Assessment Summary screen. While on this screen, the detailed HTML is automatically downloaded and you will receive a pop-up indicating that this is complete. Please remain on the Summary screen until the detailed HTML is downloaded and you receive the confirmation pop-up message.
