Keeping Configuration Aligned to Best Practices

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
L3 Networker
No ratings

Configuration changes are always necessary in a network, whether they are for adding new applications, allowing access to users or to create exceptions in security profiles. Prisma Access Cloud Management provides the ability for administrators to make sure that the configuration is always aligned to Palo Alto Networks recommended best practices.


The best practice assessments are available across Security policies, all security profiles and decryption policies and profiles with other ones being added often. The best practice checks are updated every 3 minutes. 

Security Policies and Rulebase Checks

Best practices checks on the security policies are of two basic types: checks on individual Policy Rules themselves and checks against the rulebase. Also available is a summary page of all of the counts of policies against various types of failures and mapping those checks into CSC Controls.


Every security policy created is checked against a multitude of checks for operational, security and auditing purposes. These checks typically cover mundane things such as adding a description to a rule, and making sure any/any/allow policies are not written.


Each new tenant instantiated after March has new policies automatically created to address the rulebase checks. Customers can choose to disable or remove them, but our recommendation is to keep them, in order to have a better security posture.

Security Profiles 

Best practices are available across all security profiles. They cover best practice checks on the profiles themselves, use of failing profiles in policies and in general association of profiles to policies. CSC controls are also available for security profiles.

Decryption Policies and Profiles

From a best practices perspective, enabling decryption is a must. As you know, the entire decryption settings are on a single page in Prisma Access Cloud Management. It already has two decryption policies, disabled by default, one for decrypting traffic and one to bypass decryption. Once you provide the forward trust and forward untrust certificates, enable the policies and push the configuration to Prisma Access, you will have enabled decryption on your network. Checks for best practices including ones for policies having decryption profiles and policies not in use.

CSC Controls

Prisma Access Cloud Management provides checks that map into CSC controls across security policies, profiles and decryption checks. CSC controls are important from an audit and compliance standpoint. They map into other standards such as NIST-OLIR and ISO 27001.

Default Configuration

Prisma Access Cloud Management has best practices-aligned default configuration located throughout the product. It is recommended that you use that configuration in your network. However, if you need to customize the configuration, the configuration will undergo best-practices checks.

Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎10-26-2021 07:05 PM
Updated by: