Best Practice Assessment FAQ

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
100% helpful (2/2)

Q: What is the Best Practice Assessment for NGFW and Panorama? 

A: The Best Practice Assessment, or BPA, for NGFW and Panorama consists of two components: The Best Practice Assessment and the Security Policy Capability Adoption Heatmap. 

The Best Practice Assessment assesses configurations, identifies risks and provides recommendations on how a customer










can remediate issues in order to strengthen security. The assessment compares current configurations to best practices and produces a guide to which best practices are, and are not, being utilized. This guide includes details of best practice










recommendations per feature. 

The Adoption Heatmap analyzes Panorama™ network security management and individual NGFW configurations to see how the customer is leveraging our prevention capabilities. Specifically, the tool analyzes the rule base to identify whether our capabilities are being leveraged where relevant. Confidently measure, track and improve your security policy adoption with the BPA.


Q: Why is it so important to run a Best Practice Assessment?

Most security breaches (99%) are due to misconfigurations, not flaws in a firewall. The Best Practice Assessment is a free tool we have developed specifically to help you configure your firewall correctly as recommended and set for risk prevention. The BPA quickly identifies critical security controls for your organization to focus on. It is one of the best ways to strengthen your security posture. Changes in your network may drive changes in your configuration so we recommend running a BPA regularly.


Q: How do I generate a BPA for NGFW/Panorama configurations? 

A: Generate a BPA with the following steps: 

  1. Download  the “tech support file” from the Operations/ Support tab of the NGFW and/or Panorama. 
  2. Login to Customer Support Portal(CSP) > Tools > Best Practice Assessment 
  3. Upload or drag and drop the Tech Support file.
  4. Map the zone type and area of architecture to each zone. 
  5. Follow the steps to auto download the BPA report bundle.


We also have a BPA API which generates the BPA results in Json output so any customization on the user end can be done on top of it. Access BPA API section at ,

Q: How can I view a list of all previous reports I have generated? 

A: Navigate to Customer Support Portal(CSP) > Tools > Best Practice Assessment where you can see a table of all previous summary reports you have generated. 


Q: How long does it take to generate a BPA for NGFW/Panorama? 

A: Report generation should take less than a minute in general and a couple minutes for larger TSF files. The upload process of the tech support file can take slighlty longer on slower connections., 


Q: Why is it important to map the area of architecture to each zone? 

A: Mapping each area of the architecture ensures profiles are applied consistently across all areas of the architecture. This helps  to start thinking from the inside, out, rather than from the outside, in. 


Q: Why do I see zero-percent adoption on the Heatmap? 

A: Zero-percent adoption on the Heatmap indicates that a security profile or feature is not applied on the rules. Maybe some profiles or features are not relevant to that business or network.


Q: Is the tech support file saved on the server after it is uploaded? 

A: No, the tech support file is deleted immediately after the BPA is generated. 


Q: Is any of the BPA or Heatmap data stored in a database? 

A: Yes, metadata is stored by Palo Alto Networks to track adoption trends and industry benchmarks. However, we do not store rule details or any sensitive customer information. 


Q: Who came up with the best practice logic? 

A: The logic behind the best practice checks in the BPA was put together by a group of leaders  from key areas across Palo Alto Networks, including Product Management, ETAC, Professional Services, Global Practice, Support, Customer Success, and Business Development. The scope of the exercise was to go through nearly every feature of PAN-OS® and document, from a prevention perspective, how a customer would properly configure each feature. 


Q: How are the best practices maintained and updated, and by whom? 

A: The best practice logic is centrally maintained by our Customer Experience Automation team. Updates to existing best practice checks, or requests for net new checks, come from our users. We encourage all users to provide feedback to the BPA team at:


Q: Are the best practices in the Expedition migration tool and the BPA the same? 

A: Yes, Expedition and the BPA use the same central Python library that parses the XML configurations to perform each best practice check. We partner with the Expedition development team to ensure they always have the latest version of code so that logic can remain aligned. 


Q: Why can’t users dismiss a failed best practice check in the HTML report for the BPA? 

A: The BPA HTML report is a static document with no backend data persistence layer. Having this functionality in the HTML report is technically possible, but any changes of dismissed failed checks cannot be saved and subsequently shared with others. 

To get around this limitation, we have a secondary Excel® file that provides a list of all failed best practice checks. A user can use this to track progress on the remediation of failed best practice checks. We also have a BPA API which generates the BPA results in Json output so any customization on the user end can be done on top of it. Access BPA API section at ,


Q: Where can I access the documentation of the different best practices themselves? 

A: You have three options for viewing documentation of the best practices: 1. Documentation for each check can be accessed from within the BPA HTML report by clicking the question mark (?) icon in each section of the report. 2. Documentation is also available in the secondary Excel file of failed best practice checks. 


Q: What kind of information does the Best Practice Assessment(BPA) tool process?


A: The BPA tool processes a Tech Support File (TSF) generated and uploaded by End Users/customers. The TSF contains logs, possibly including IP addresses or user ID’s, but the BPA tool only inspects the configuration file in the TSF, which does not contain personal data.


Q: How can I give someone on my team access to run a BPA on my firewalls?

A: In the customer support portal, ‘superusers’ can designate ‘BPA User’ role to another member/s in the team to generate BPA reports.


Q: What does the BPA tool do with the data ?

A: The BPA tool reviews the configuration file in the TSF, to generate a HTML report containing heatmaps and the best practice assessment of the device configuration. The purpose is to enable End Users to view features used, where and in which percentage they are adopted (Heatmaps), and to use the platform more effectively and in line with industry benchmarks and best practices to strengthen your security. The Tech Support File is uploaded and processed in memory and it is never captured or stored by the BPA tool.


Q: What does the Palo Alto Networks do with the HTML report ?

A: We generate the HTML report and store it in a temporary directory on disk. After generating the HTML, we delete  the configuration information from memory, we insert the HTML report into the zip file and remove it from disk. We then send the zip file to the user for download.


Q: What kind of data does Palo Alto Networks store?

A: We store aggregated results from the adoption measurements shown in the Heatmaps, rule counts, and the output from show system info. We also store aggregated statistics from the Best Practice Assessment. None of the above contains any information regarding specific customers or users. We do not store any rules detail, nor any of the files contained in the TSF.


Q: Does Palo Alto Networks share the data with anyone?

A: No, we do not share any of the data outside Palo Alto Networks and we treat it as confidential


Q: If I have a RMA/Serial Number change on my firewall how do I maintain trending?

A: Send an email to the BPA team ( to modify the historical data so trending does not break.


Q: What PAN OS versions does the BPA tool support?

A: The BPA tool officially supports PAN-OS 8.1 and later. Support for older versions is best effort and may produce inconsistent results. We recommend upgrading to supported versions of PAN OS.


Q: How many customers are in a particular industry?

A: The industry averages for all adoption metrics are comprised of customers who have previously generated a BPA in that particular industry.


Q: How do I know where to fix the Best Practice Check recommendations? 

A: BPA videos are short videos created for each Best Practice check to explain the security value and purpose of each check and guide how to configure it by walking through a firewall UI.  These videos can be found on the BPA LIVEcommunity tools page on the left hand side in the section titled: Best Practice Assessment Video Library.


Q: I generated a BPA on the Customer Support Portal, where is my detailed HTML?

A: Upon completion of the BPA generation on the Customer Support Portal you are presented with the Best Practice Assessment Summary screen.  While on this screen the detailed HTML is automatically downloaded and you will receive a pop up indicating that this is complete.  Please remain on the Summary screen until the detailed HTML is downloaded and you receive the confirmation pop up message. 

 Some quick troubleshooting steps,

1 - Wait until you see the message as below,

Screen Shot 2020-07-17 at 8.00.32 AM.png

2 - Look for a BPA bundle in your downloads folder.
3 - Give a couple minutes to ensure the TSF is processed and BPA report bundle is generated and tries to download.
4 - Attempt to upload the TSF file again and check the behavior
5 - Try generating a new TSF from the same or other device and try generating a BPA report bundle. Notice if it works this time.
6 - Try generating a TSF from another firewall/panorama if you have one and check if the other TSF works. Sometimes a TSF may be corrupted etc.
7 - Check if there are network level blocks or access level blocks at policy level or file blocking at profile level etc to download the BPA report.
8 - Try to generate a BPA report from home office if it is not worked at work so it may help isolate issues at your office or on our end.
9 - If none of the above steps work then provide the details observed for above steps and reach us at This will help us to narrow down further.
Q: Unable to generate BPA report after Tech Support file(TSF) upload ?
A: Always upload the original Tech Support file to BPA tool to generate BPA reports. When we upload TSF that are corrupted, unzippable, modified and re-zipped etc then the BPA tool cannot process it to generate a BPA report. Try some initial troubleshooting steps such as a> Create another TSF from same device and check if that works b> Create a BPA report from another device and check if that works if so we know the problem is from one device file only and not BPA tool
Q: What is new
A: The BPA has an updated front end framework along with usability and performance improvements.  BPA e-learning videos have launched. These 200+ short videos (approximately 1 minute each) provide simple instructions on how to address each best practice check and how to fix or make the configuration changes in the UI
Q: When is the new UI available
A: The new UI is available from September 14, 2020 onward
Q: How can I access the new UI
A: The new UI is available now via the Customer Support Portal (CSP), Partner Portal And Customer Success Site (no changes from how you accessed previous BPA versions)
Q: Can I see a demonstration of the new UI
A: There is a video demonstration for the new UI
Q: How can I access the new e-learning?
A: The short videos are embedded in the BPA and viewable by clicking on the movie icon within each best practice check.  Also access the short videos on LIVEcommunity BPA Tools page, LinkedIn, or our learning management system

Q: Not all rules should have all of the profiles applied. For example if you have internal traffic why would you assign URL filtering to this. But if you don't you will not get 100% in BPA. This is just one example. Is there a way to disable some of these checks?

A: Use filters in heatmap or BPA report to focus on the right policies or right zones to look at the URL adoption.


Q: On the compliancy sections (like NIST), will we ever have a more detailed insight into how that compliancy % was obtained and what can be changed about it?

A: You can click on any security compliance control and it will lead you to the mapping definitions table where you can see all the individual security control conditions.


Q: Will all of the BPA enhancements and new features be featured in the Expedition upgrades?

A: Yes. Expedition gets all of our updates when they are available so it’s always updated.


Q: What is the minimum PAN-OS version required to leverage the "new" BPA features?

A: Any supported Pan-OS version will be leveraging the new BPA features.


Q: Are there differences in BPA results if the FW or Panorama are running an older version?

A: BPA results are based on Pan-OS versions.  The checks are intelligent enough to look at the Pan-OS version and provide the correct analysis and verdict. 


Q: In the bpa documentation, do you have a template of how to make an executive presentation? I mean a power point tool or something like that.

A: When a BPA is generated the bundle that is delivered will include an executive summary in PDF format that presents the results in a higher level when compared to the detailed HTML also included in the BPA bundle.


Q: Is there a video or other learnings that can be socialized for customers new to BPA?

A: We have a BPA LIVEcommunity page available that has videos introducing the BPA and its features, FAQs, example documents, blogs, discussions, and a library of all the best practice check videos.  This can be found at


Q: Does the team have any priority sequence to focus on important areas?

A: You can select a security control framework and identify a list of certain BP checks and focus on implementing that and then moving on to the next priority area. 


Q: Can we run BPA report on a Container Firewall (CN-Series) ?

A: Yes, BPA report can be run on a PanOS Container firewall too just like Hardware and VM firewalls.

Rate this article:
L0 Member

What's the difference between BPA and prevent posture assessment?

Is have any similarity between both prevent posture assessment and heatmap?

L0 Member

What does the "Performance" mean under Capability Summary which is under BPA Summary:




L1 Bithead

HI Njaksec to answer your question >>>What does the "Performance" mean under Capability Summary which is under BPA Summary ?


Performance % indicates if you have any settings that affects the overall performance ( like - Having a security policy configured to Log at Start etc)


   By definition : Best Practice checks that intend to help increase the performance or help identify those causing performance degradation to help retain optimal performance.


If you are opening BPA report .HTML >>>  to further explore each summary you can just click on it to gain detailed summary 

if you have doubts on any report just click on the Context help (?) ---> question mark icon to gain more clarity

Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎12-11-2020 07:13 AM
Updated by: