Implement NGFW Best Practices with Ease


An Introduction to Best Practice Assessment Plus (BPA+)


As organizational complexity continues to increase, the attack surface that security teams must address expands in parallel. As new technologies are adopted, security teams face the challenge of manually managing controls across all devices while maintaining resource efficiency. Customers struggle to configure their firewalls, using existing applications and capabilities, to properly secure their networks, and a misconfigured firewall offers protection comparable to no firewall at all. According to Gartner research, ninety-nine percent (99%) of firewall breaches through 2023 will be due to firewall misconfigurations, not firewall flaws.


The Best Practice Assessment (BPA) measures usage of your Palo Alto Networks Next Generation Firewall and Panorama™ security management capabilities across your deployment, enabling you to make adjustments to maximize your return on investment and strengthen security. The BPA gives you insight into your security posture from a configuration perspective by generating high-level graphics, heatmaps and reports that compare how your configuration aligns with best practices across your industry. It also shows more granular metrics, along with recommendations on how to take action to improve configuration security posture across all devices.


The Palo Alto Networks Best Practice Assessment Plus (BPA+) is a step-by-step configuration wizard that provides an intuitive, easy-to-use interface to configure firewalls to align with best practices. The BPA+ takes the results of the BPA and expedites the remediation process by outputting commands that can be easily pasted into any instance of PAN-OS and committed. It thus provides a clear call to action on how to remediate failed BPA checks and improve security posture.


BPA+ User


We have designed BPA+ to help our Strata™ and Panorama™ customers automagically expedite expert-driven changes by identifying failed BPA checks and providing a clear call to action on how to remediate them. This will help our Strata™ and Panorama™ customers reduce misconfigurations across their network security, resulting in a stronger security posture.




BPA+ Customer Benefits


  • Save time and automatically remediate to security best practices
  • Lower risk and reduce configuration errors
  • Quickly deploy configurations across your entire firewall infrastructure
  • Maximize the return on your security investment


Our goal is to provide you with a customized recommendation to remediate failed BPA checks and improve your overall security posture. BPA+ does this through a step-by-step guided configuration wizard with an intuitive, easy-to-use interface for configuring your Palo Alto Networks Next Generation Firewall so that it aligns with best practices. This involves uploading a tech support file (TSF), completing the numbered steps, and then executing the commands generated by BPA+ on your firewall.


As part of the initial release, BPA+ will analyze the ten most prevalent Best Practice checks.





How to access Best Practice Assessment Plus?


There are two different ways to access the Best Practice Assessment Plus.


1. Log in to your account in the Customer Support Portal and click Tools, then Best Practice Assessment to generate an assessment of your current configuration.




Then upload a tech support file to check for failed BPA checks. After the file is analyzed, the BPA report will be generated with the results. You can view these in the tool or download the report. Once you open your report, click the “Try BPA+” tab to launch the BPA+ wizard.





2. You can also access BPA+ from the Get Help location in the Customer Support Portal. Click the Get Help button; when you enter the problem description, the system will determine, based on your problem category choice, that you may be having a configuration issue. A “Launch BPA+” button will appear in the recommended solutions.




Once a tech support file is uploaded, BPA+ will identify available remediations based on the failed best practice checks. You can confirm the best practice settings being modified for each specific profile and rulebase. After review, you can run simple, executable commands in your firewall CLI to update your configuration settings to adhere to best practices.