Q: What is the Best Practice Assessment for NGFW and Panorama?
A: The Best Practice Assessment, or BPA, for NGFW and Panorama consists of two components: The Best Practice Assessment and the Security Policy Capability Adoption Heatmap.
The Best Practice Assessment assesses configurations, identifies risks and provides recommendations on how a customer
can remediate issues in order to strengthen security. The assessment compares current configurations to best practices and produces a guide to which best practices are, and are not, being utilized. This guide includes details of best practice
recommendations per feature.
The Adoption Heatmap analyzes Panorama™ network security management and individual NGFW configurations to see how the customer is leveraging our prevention capabilities. Specifically, the tool analyzes the rule base to identify whether our capabilities are being leveraged where relevant. Confidently measure, track and improve your security policy adoption with the BPA.
Q: Why is it so important to run a Best Practice Assessment?
Most security breaches (99%) are due to misconfigurations, not flaws in a firewall. The Best Practice Assessment is a free tool we have developed specifically to help you configure your firewall correctly as recommended and set for risk prevention. The BPA quickly identifies critical security controls for your organization to focus on. It is one of the best ways to strengthen your security posture. Changes in your network may drive changes in your configuration so we recommend running a BPA regularly.
Q: How do I generate a BPA for NGFW/Panorama configurations?
A: Generate a BPA with the following steps:
We also have a BPA API which generates the BPA results in Json output so any customization on the user end can be done on top of it. Access BPA API section at , https://live.paloaltonetworks.com/t5/best-practice-assessment/ct-p/Best_Practice_Assessment
Q: How can I view a list of all previous reports I have generated?
A: Navigate to Customer Support Portal(CSP) > Tools > Best Practice Assessment where you can see a table of all previous summary reports you have generated.
Q: How long does it take to generate a BPA for NGFW/Panorama?
A: Report generation should take less than a minute in general and a couple minutes for larger TSF files. The upload process of the tech support file can take slighlty longer on slower connections.,
Q: Why is it important to map the area of architecture to each zone?
A: Mapping each area of the architecture ensures profiles are applied consistently across all areas of the architecture. This helps to start thinking from the inside, out, rather than from the outside, in.
Q: Why do I see zero-percent adoption on the Heatmap?
A: Zero-percent adoption on the Heatmap indicates that a security profile or feature is not applied on the rules. Maybe some profiles or features are not relevant to that business or network.
Q: Is the tech support file saved on the server after it is uploaded?
A: No, the tech support file is deleted immediately after the BPA is generated.
Q: Is any of the BPA or Heatmap data stored in a database?
A: Yes, metadata is stored by Palo Alto Networks to track adoption trends and industry benchmarks. However, we do not store rule details or any sensitive customer information.
Q: Who came up with the best practice logic?
A: The logic behind the best practice checks in the BPA was put together by a group of leaders from key areas across Palo Alto Networks, including Product Management, ETAC, Professional Services, Global Practice, Support, Customer Success, and Business Development. The scope of the exercise was to go through nearly every feature of PAN-OS® and document, from a prevention perspective, how a customer would properly configure each feature.
Q: How are the best practices maintained and updated, and by whom?
A: The best practice logic is centrally maintained by our Customer Experience Automation team. Updates to existing best practice checks, or requests for net new checks, come from our users. We encourage all users to provide feedback to the BPA team at: firstname.lastname@example.org.
Q: Are the best practices in the Expedition migration tool and the BPA the same?
A: Yes, Expedition and the BPA use the same central Python library that parses the XML configurations to perform each best practice check. We partner with the Expedition development team to ensure they always have the latest version of code so that logic can remain aligned.
Q: Why can’t users dismiss a failed best practice check in the HTML report for the BPA?
A: The BPA HTML report is a static document with no backend data persistence layer. Having this functionality in the HTML report is technically possible, but any changes of dismissed failed checks cannot be saved and subsequently shared with others.
To get around this limitation, we have a secondary Excel® file that provides a list of all failed best practice checks. A user can use this to track progress on the remediation of failed best practice checks. We also have a BPA API which generates the BPA results in Json output so any customization on the user end can be done on top of it. Access BPA API section at , https://live.paloaltonetworks.com/t5/best-practice-assessment/ct-p/Best_Practice_Assessment
Q: Where can I access the documentation of the different best practices themselves?
A: You have three options for viewing documentation of the best practices: 1. Documentation for each check can be accessed from within the BPA HTML report by clicking the question mark (?) icon in each section of the report. 2. Documentation is also available in the secondary Excel file of failed best practice checks.
Q: What kind of information does the Best Practice Assessment(BPA) tool process?
A: The BPA tool processes a Tech Support File (TSF) generated and uploaded by End Users/customers. The TSF contains logs, possibly including IP addresses or user ID’s, but the BPA tool only inspects the configuration file in the TSF, which does not contain personal data.
Q: How can I give someone on my team access to run a BPA on my firewalls?
A: In the customer support portal, ‘superusers’ can designate ‘BPA User’ role to another member/s in the team to generate BPA reports.
Q: What does the BPA tool do with the data ?
A: The BPA tool reviews the configuration file in the TSF, to generate a HTML report containing heatmaps and the best practice assessment of the device configuration. The purpose is to enable End Users to view features used, where and in which percentage they are adopted (Heatmaps), and to use the platform more effectively and in line with industry benchmarks and best practices to strengthen your security. The Tech Support File is uploaded and processed in memory and it is never captured or stored by the BPA tool.
Q: What does the Palo Alto Networks do with the HTML report ?
A: We generate the HTML report and store it in a temporary directory on disk. After generating the HTML, we delete the configuration information from memory, we insert the HTML report into the zip file and remove it from disk. We then send the zip file to the user for download.
Q: What kind of data does Palo Alto Networks store?
A: We store aggregated results from the adoption measurements shown in the Heatmaps, rule counts, and the output from show system info. We also store aggregated statistics from the Best Practice Assessment. None of the above contains any information regarding specific customers or users. We do not store any rules detail, nor any of the files contained in the TSF.
Q: Does Palo Alto Networks share the data with anyone?
A: No, we do not share any of the data outside Palo Alto Networks and we treat it as confidential.
Q: If I have a RMA/Serial Number change on my firewall how do I maintain trending?
A: Send an email to the BPA team (email@example.com) to modify the historical data so trending does not break.
Q: What PAN OS versions does the BPA tool support?
A: The BPA tool officially supports PAN-OS 8.1 and later. Support for older versions is best effort and may produce inconsistent results. We recommend upgrading to supported versions of PAN OS.
Q: How many customers are in a particular industry?
A: The industry averages for all adoption metrics are comprised of customers who have previously generated a BPA in that particular industry.
Q: How do I know where to fix the Best Practice Check recommendations?
A: BPA videos are short videos created for each Best Practice check to explain the security value and purpose of each check and guide how to configure it by walking through a firewall UI. These videos can be found on the BPA LIVEcommunity tools page on the left hand side in the section titled: Best Practice Assessment Video Library.
Q: I generated a BPA on the Customer Support Portal, where is my detailed HTML?
A: Upon completion of the BPA generation on the Customer Support Portal you are presented with the Best Practice Assessment Summary screen. While on this screen the detailed HTML is automatically downloaded and you will receive a pop up indicating that this is complete. Please remain on the Summary screen until the detailed HTML is downloaded and you receive the confirmation pop up message.
Some quick troubleshooting steps,
Q: Not all rules should have all of the profiles applied. For example if you have internal traffic why would you assign URL filtering to this. But if you don't you will not get 100% in BPA. This is just one example. Is there a way to disable some of these checks?
A: Use filters in heatmap or BPA report to focus on the right policies or right zones to look at the URL adoption.
Q: On the compliancy sections (like NIST), will we ever have a more detailed insight into how that compliancy % was obtained and what can be changed about it?
A: You can click on any security compliance control and it will lead you to the mapping definitions table where you can see all the individual security control conditions.
Q: Will all of the BPA enhancements and new features be featured in the Expedition upgrades?
A: Yes. Expedition gets all of our updates when they are available so it’s always updated.
Q: What is the minimum PAN-OS version required to leverage the "new" BPA features?
A: Any supported Pan-OS version will be leveraging the new BPA features.
Q: Are there differences in BPA results if the FW or Panorama are running an older version?
A: BPA results are based on Pan-OS versions. The checks are intelligent enough to look at the Pan-OS version and provide the correct analysis and verdict.
Q: In the bpa documentation, do you have a template of how to make an executive presentation? I mean a power point tool or something like that.
A: When a BPA is generated the bundle that is delivered will include an executive summary in PDF format that presents the results in a higher level when compared to the detailed HTML also included in the BPA bundle.
Q: Is there a video or other learnings that can be socialized for customers new to BPA?
A: We have a BPA LIVEcommunity page available that has videos introducing the BPA and its features, FAQs, example documents, blogs, discussions, and a library of all the best practice check videos. This can be found at https://live.paloaltonetworks.com/t5/best-practice-assessment/ct-p/Best_Practice_Assessment#
Q: Does the team have any priority sequence to focus on important areas?
A: You can select a security control framework and identify a list of certain BP checks and focus on implementing that and then moving on to the next priority area.
Q: Can we run BPA report on a Container Firewall (CN-Series) ?
A: Yes, BPA report can be run on a PanOS Container firewall too just like Hardware and VM firewalls.