Geng Started with the BPA
10.2
docs.paloaltonetworks.com
Contact Informaon
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html
About the Documentaon
• For the most recent version of this guide or for access to related documentaon, visit the
Technical Documentaon portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or quesons for us? Leave a comment on any page in the portal, or write to us
at documentaon@paloaltonetworks.com.
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks menoned herein may be trademarks of their respecve
companies.
Last Revised
May 13, 2022
Geng Started with the BPA Version 10.2
2
©2022 Palo Alto Networks, Inc.
Table of Contents
Evaluate Security Policy Capability Adoption ..... 5
Review the Adoption Summary ..... 6
Identify Gaps in Adoption ..... 9
Identify Rules to Improve ..... 18
Evaluate Best Practice Configuration ..... 21
Review the Best Practice Summary ..... 22
Review Best Practice Policy Configuration ..... 24
Review Best Practice Objects Configuration ..... 26
Review Best Practice Network Configuration ..... 28
Review Best Practice Device and Panorama Management Configuration ..... 29
Prioritize Best Practice Changes ..... 31
Strengthen Device Management Posture ..... 32
Improve Visibility into Traffic ..... 33
Implement Initial Best Practice Controls ..... 35
Fine-Tune and Enhance Best Practice Controls ..... 36
Geng Started with the BPA Version 10.2
3
©2022 Palo Alto Networks, Inc.
Table of Contents
Geng Started with the BPA Version 10.2
4
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adoption
The Best Practice Assessment (BPA) tool helps you understand your current
level of Security policy capability adoption and helps you assess the maturity and
effectiveness of your security posture. Adopting capabilities such as WildFire,
Vulnerability Protection, SSL Decryption, etc., contributes to detecting and preventing
attacks. Developing a solid understanding of how and where to use each capability in
different environments is critical to understanding how to best protect your network
and its valuable assets.
Getting Started with Best Practices shows how to access and run the BPA. The
Capability Adoption Heatmaps section of the BPA report enables you to review
the adoption of these capabilities across the Security policy rulebase. Watch the
Introduction to Heatmaps video to learn about Heatmaps, and take advantage of the
BPA video library and the BPA+ video library to learn more about the tool.
In Panorama-managed environments, Panorama may manage large numbers of next-generation
firewalls. Should you run the BPA on Panorama or on each individual firewall? The tradeoff is speed
and convenience versus completeness.
Running the BPA on Panorama is fast, convenient, and assesses most of the capabilities of the
managed firewalls, but does not examine local firewall overrides.
Running the BPA on each managed firewall assesses the complete configuration (including local
overrides) but takes much more time.
The most practical method is to run the BPA on Panorama first. Examine the results, decide if you
need to focus on any particular managed devices, and then run the BPA on those devices. This
method saves time while still focusing on relevant information that enables you to improve your
security posture.
Review and analyze the information on the Heatmap tabs to identify gaps in security
capability adoption and determine what you want to improve:
> Review the Adoption Summary
> Identify Gaps in Adoption
> Identify Rules to Improve
Review the Adopon Summary
Aer you or your Palo Alto Networks representave run the BPA, the resulng HTML report
opens on the Adopon Heatmap page, in the Adopon Summary. The Adopon Summary view
provides an overview of your device’s overall adopon of security capabilies. The report shows
the current adopon percentage for each metric (except Industry Average, which provides the
adopon averages in your industry), and in parentheses, the percentage change in adopon since
the last me you ran the BPA on the device’s configuraon file (or No change if the value is the
same as the last me you ran the BPA).
Overall Adopon—Adopon of Security profiles in Security policy allow rules. Percentages are
based on the number of allow rules that have one or more profiles enabled as part of the rule. The
BPA doesn’t count disabled rules or block rules.
Industry Average—Average adopon of Security profiles in allow rules for your company’s
industry.
Best Pracce Mode—Adopon of Security profiles configured in the recommended best pracce
manner in allow rules. The BPA only counts rules with profiles that pass all best pracce checks.
Geng Started with the BPA Version 10.2
6
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
App-ID Adopon—Adopon of App-ID across Security policy rules. The percentage value is based
on the total number of allow rules with one or more defined applicaon (the Applicaon is not
any). The BPA doesn’t count disabled rules.
User-ID Adopon—Adopon of User-ID across Security policy rules. The percentage value
is based on the total number of allow rules with users (including the values known-user and
unknown) or user groups. The BPA doesn’t count disabled rules.
Service/Port Adopon—Adopon of service/port across Security policy rules. The percentage
value is based on the total number of allow rules with a defined service or port (the Service is not
any). The BPA doesn’t count disabled rules.
The BPA doesn’t count App-ID, User-ID, or Service/Port adopon for block rules because
the raonale for blocking differs from business to business, so the BPA can’t make
recommendaons based on block rules.
Logging Adopon—Adopon of Log at Session End across Security policy rules. The percentage
value is based on the total number of rules with Log at Session End enabled. The BPA doesn’t
count disabled rules.
Log Forwarding Adopon—Adopon of Log Forwarding profiles across Security policy rules. The
percentage value is based on the total number of rules with a Log Forwarding profile configured.
The BPA doesn’t count disabled rules.
Zone Protecon Adopon—Adopon of Zone protecon across Security policy allow rules. The
percentage value is based on the total number of allow rules in which the source zone has a Zone
Protecon profile configured. The BPA doesn’t count disabled rules.
For each of these metrics, the value in parentheses next to each percentage is the percentage
change in adopon since the last me you ran the BPA on the device’s configuraon file (or No
change if the value is the same as the last me you ran the BPA).
Decrypon Summary—Shows if the configuraon includes Decrypon policy rules for SSL
Forward Proxy, SSL Inbound Inspecon, and SSH Proxy. The summary also shows if the
configuraon includes Decrypon profiles and idenfies URL categories that the device exempts
from decrypon.
Geng Started with the BPA Version 10.2
7
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
If you don’t decrypt a URL category (or individual applications), you can’t inspect its traffic
because the firewall can’t see what’s inside the encrypted traffic. The firewall can only
inspect traffic you decrypt.
Next: Identify Gaps in Adoption to understand where you can improve security.
Geng Started with the BPA Version 10.2
8
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
Idenfy Gaps in Adopon
The Adopon Heatmap opons show where your security policy is strong and where there are
gaps in security policy capability adopon that you can focus on improving. To gain maximum
visibility into traffic and maximum protecon against aacks, set goals for security capability
adopon and use the following recommendaons as a best pracce baseline. Assess your current
posture against the baseline to idenfy gaps in security policy capability adopon.
Adopon Heatmaps help idenfy devices, zones, and areas where you can improve security policy
capability adopon. You can review adopon informaon by Device Group, Serial Number &
Vsys, Zones, Areas of Architecture, Tags, Rule Details, and Zone Mappings. Local Filters filter
on Device Group, Source Area of Architecture, Desnaon Area of Architecture, Target, Source
Zone, Desnaon Zone, and Tags to narrow the scope and idenfy gaps. The following shows the
Adopon Heatmap by Area of Architecture (Adopon Heatmap > Areas of Architecure):
Geng Started with the BPA Version 10.2
9
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
Geng Started with the BPA Version 10.2
10
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
In Adopon Heatmap > Summary, click Adopon Summary to check the adopon rates of the
following capabilies. Use the recommendaons as gap idenficaon criteria—if the actual
adopon rate doesn’t match the recommendaons, plan to close the gap:
Geng Started with the BPA Version 10.2
11
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
Apply WildFire, Antivirus, Anti-Spyware, Vulnerability Protection, and File Blocking security
profiles to all rules that allow traffic, with a target of 100% or almost 100% adoption. If you
don’t apply a profile to an allow rule, ensure that there is a good business reason not to apply
the profile.
Configuring security profiles on all allow rules enables the firewall to inspect decrypted traffic
for threats, regardless of application or service/port. After updating the configuration, run the
BPA to measure progress and to catch new rules that don’t have security profiles attached.
You can apply WildFire profiles to rules without a WildFire license. Coverage is limited
to PE files, but this still provides useful visibility into unknown malicious files.
In the Anti-Spyware profile, apply DNS Sinkhole to all rules to prevent compromised internal
hosts from sending DNS queries for malicious and custom domains, to identify and track the
potentially compromised hosts, and to avoid gaps in DNS inspection. Enabling DNS Sinkhole
protects your network without affecting availability, so you can and should enable it right away.
Apply URL Filtering and Credential Theft (phishing) Protection to all outbound internet traffic.
In the Adoption Summary’s Application & User Control Adoption Summary, check the adoption
rates of the following capabilities. Use the recommendations as gap identification criteria—if the
actual adoption rate doesn’t match the recommendations, plan to close the gap:
Apply App-ID to as close to 100% of the rules as possible. Apply User-ID to all rules with
source zones or address ranges that have a user presence (some zones may not have user
sources; for example, sources in data center zones should be servers and not users). Leverage
App-ID and User-ID to create policies that allow appropriate users access to sanctioned (and
tolerated) applications. Explicitly block malicious and unwanted applications.
Target 100% or close to 100% service/port adoption—don’t allow applications on non-standard
ports unless there’s a good business reason for it.
In the Adoption Summary’s Logging & Zone Protection Adoption Summary, check the adoption
rates of the following capabilities. Use the recommendations as gap identification criteria—if the
actual adoption rate doesn’t match the recommendations, plan to close the gap:
Geng Started with the BPA Version 10.2
12
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
Target at or close to 100% adoption for Logging and Log Forwarding.
Configure Zone protection profiles on all zones.
In summary:
Feature                             Adoption Goal
WildFire                            As close to 100% of Security policy rules as possible
Antivirus                           As close to 100% of Security policy rules as possible
Anti-Spyware                        As close to 100% of Security policy rules as possible
Vulnerability                       As close to 100% of Security policy rules as possible
File Blocking                       As close to 100% of Security policy rules as possible
URL Filtering and Credential Theft  All outbound internet traffic
App-ID                              As close to 100% of Security policy rules as possible
User-ID                             All rules with source zones or address ranges that have a user presence
Service/port                        As close to 100% of Security policy rules as possible
Logging                             As close to 100% of Security policy rules as possible
Log Forwarding                      As close to 100% of Security policy rules as possible
Zone protection                     All zones
When viewing Adoption Heatmaps, use Local Filters to narrow the scope. Use the resulting
information to identify gaps in security policy capability, measure against gap-identification
criteria, and refine or establish new gap-identification criteria for further investigation. For
example, to create a filter that displays adoption of rules that control traffic to the internet Area of
Architecture:
STEP 1 | Select Adoption Heatmap > Areas of Architecture.
STEP 2 | Click Local Filters to expand the filter options.
STEP 3 | Set the Destination Area of Architecture to Internet.
Geng Started with the BPA Version 10.2
14
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
STEP 4 | Click Apply.
The BPA filters the results:
Geng Started with the BPA Version 10.2
15
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
Geng Started with the BPA Version 10.2
16
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
Interpret the results based on your security goals and criteria. For example, if your goal is to
apply WildFire to 100% of your allow rules, the filtered Adoption Heatmap reveals that only
50% of your DMZ allow rules have WildFire profiles, so you have identified a gap to target for
improvement.
STEP 5 | Next: Identify Rules to Improve.
Geng Started with the BPA Version 10.2
17
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
Idenfy Rules to Improve
Aer you idenfy a gap in security policy capability adopon, use the Adopon Heatmap > Rule
Detail view to list rules that require further invesgaon or remediaon. Configure Local Filters
to match the gap idenficaon criteria you developed when you idenfied gaps in adopon.
This results in rule lists you can export and hand off to the operaonal team in charge of firewall
Security policy.
For example, to create a Rule Detail filter to idenfy rules that allow all traffic and don’t have a
Vulnerability Protecon profile configured:
STEP 1 | From the Adopon Heatmap menu, select Rule Detail to view the Rule Details page.
Geng Started with the BPA Version 10.2
18
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
STEP 2 | Click Local Filters to view the filter options and then select the following filters:
• Source Zone = any
• Destination Zone = any
• Source Address Configured = No
• Destination Address Configured = No
• Action = allow
• Rule Enabled = Yes
• Vulnerability On = No
STEP 3 | Click Apply Filters.
The BPA lists the rules that match the filters:
STEP 4 | To export the filtered rule list to a .csv file, click Export Data.
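As an added example (not code from the BPA or from Palo Alto Networks), the following Python script applies the Adoption Summary counting rules from "Review the Adoption Summary" and the Rule Detail filter from the steps above to a PAN-OS running-config rulebase, so an analyst can reproduce both numbers offline from a configuration export. The rulebase XML, rule names and function names are constructed for illustration; it also assumes a profile group counts as "one or more profiles enabled" and that log-end is written explicitly on every rule.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample rulebase in the PAN-OS running-config layout (not from a real
# device); log-end is written on every rule so no PAN-OS default has to be assumed.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
<entry name="web-out"><from><member>trust</member></from><to><member>untrust</member></to>
 <source><member>10.1.0.0/16</member></source><destination><member>any</member></destination>
 <source-user><member>known-user</member></source-user><application><member>web-browsing</member>
 <member>ssl</member></application><service><member>application-default</member></service>
 <action>allow</action><log-end>yes</log-end><log-setting>default</log-setting><profile-setting>
 <profiles><virus><member>default</member></virus><vulnerability><member>strict</member>
 </vulnerability></profiles></profile-setting></entry>
<entry name="legacy-any"><from><member>any</member></from><to><member>any</member></to>
 <source><member>any</member></source><destination><member>any</member></destination>
 <source-user><member>any</member></source-user><application><member>any</member></application>
 <service><member>any</member></service><action>allow</action><log-end>no</log-end></entry>
<entry name="dns-out"><from><member>any</member></from><to><member>any</member></to>
 <source><member>any</member></source><destination><member>any</member></destination>
 <source-user><member>any</member></source-user><application><member>dns</member></application>
 <service><member>application-default</member></service><action>allow</action>
 <log-end>yes</log-end><log-setting>default</log-setting><profile-setting><profiles>
 <spyware><member>strict</member></spyware></profiles></profile-setting></entry>
<entry name="old-any"><disabled>yes</disabled><from><member>any</member></from>
 <to><member>any</member></to><source><member>any</member></source>
 <destination><member>any</member></destination><source-user><member>any</member></source-user>
 <application><member>any</member></application><service><member>any</member></service>
 <action>allow</action><log-end>no</log-end></entry>
<entry name="block-p2p"><from><member>trust</member></from><to><member>untrust</member></to>
 <source><member>any</member></source><destination><member>any</member></destination>
 <source-user><member>any</member></source-user><application><member>bittorrent</member></application>
 <service><member>any</member></service><action>deny</action><log-end>yes</log-end></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

# Profile types under profile-setting/profiles; "group" counted as a profile (assumption).
PROFILE_TAGS = ("virus", "spyware", "vulnerability", "url-filtering",
                "file-blocking", "wildfire-analysis", "data-filtering", "group")

def _members(entry, tag):
    return [m.text or "" for m in entry.findall(f"{tag}/member")]

def parse_rules(config_xml):
    """Flatten every security rule into the fields the BPA metrics and filters use."""
    rules = []
    for e in ET.fromstring(config_xml).iterfind(".//rulebase/security/rules/entry"):
        rules.append({
            "name": e.get("name"),
            "from": _members(e, "from"), "to": _members(e, "to"),
            "source": _members(e, "source"), "destination": _members(e, "destination"),
            "users": _members(e, "source-user"), "apps": _members(e, "application"),
            "services": _members(e, "service"), "action": e.findtext("action", ""),
            "enabled": e.findtext("disabled", "no") != "yes",
            "log_end": e.findtext("log-end", "no") == "yes",
            "log_forwarding": e.findtext("log-setting") is not None,
            "profiles": [t for t in PROFILE_TAGS
                         if e.find(f"profile-setting/profiles/{t}/member") is not None],
        })
    return rules

def _pct(hits, total):
    return round(100.0 * hits / total, 1) if total else 0.0

def adoption_summary(rules):
    """Guide's counting rules: disabled rules never count; profile, App-ID, User-ID and
    service adoption over allow rules only; Logging and Log Forwarding over all enabled rules."""
    enabled = [r for r in rules if r["enabled"]]
    allow = [r for r in enabled if r["action"] == "allow"]
    return {
        "overall": _pct(sum(1 for r in allow if r["profiles"]), len(allow)),
        "app_id": _pct(sum(1 for r in allow if r["apps"] != ["any"]), len(allow)),
        "user_id": _pct(sum(1 for r in allow if r["users"] != ["any"]), len(allow)),
        "service_port": _pct(sum(1 for r in allow if r["services"] != ["any"]), len(allow)),
        "logging": _pct(sum(1 for r in enabled if r["log_end"]), len(enabled)),
        "log_forwarding": _pct(sum(1 for r in enabled if r["log_forwarding"]), len(enabled)),
    }

def allow_any_without_vulnerability(rules):
    """Rule Detail filter: enabled allow, any/any zones and addresses, no Vulnerability profile."""
    return [r for r in rules
            if r["enabled"] and r["action"] == "allow"
            and r["from"] == ["any"] and r["to"] == ["any"]
            and r["source"] == ["any"] and r["destination"] == ["any"]
            and "vulnerability" not in r["profiles"]]

def export_csv(rules):
    """CSV text for the hand-off to the policy team, like the report's Export Data."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "from", "to", "apps", "services", "profiles"])
    for r in rules:
        writer.writerow([r["name"], ";".join(r["from"]), ";".join(r["to"]),
                         ";".join(r["apps"]), ";".join(r["services"]), ";".join(r["profiles"])])
    return buf.getvalue()

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONFIG)
    print(adoption_summary(parsed))
    print(export_csv(allow_any_without_vulnerability(parsed)))
```

On the sample, the disabled rule is ignored entirely and the deny rule only counts toward Logging and Log Forwarding, which is why those two percentages use a different denominator than the profile and App-ID figures.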
Geng Started with the BPA Version 10.2
19
©2022 Palo Alto Networks, Inc.
Evaluate Security Policy Capability Adopon
STEP 5 | Next: Evaluate Best Practice Configuration.
Geng Started with the BPA Version 10.2
20
©2022 Palo Alto Networks, Inc.
Evaluate Best Practice Configuration
The Best Practice Assessment (BPA) tool helps you understand the current level of
best practice configuration in your Security policy so you can assess the maturity of
your security posture. Watch the Introduction to the BPA video to learn about the
BPA, and take advantage of the BPA video library and the BPA+ video library to learn
even more about the tool.
The BPA report opens first on the Adoption Heatmap page. Click the Best Practice
Assessment to view the BPA section of the report, which focuses on the adoption of
configuration best practices for next-generation firewalls and Panorama.
In addition to this documentation, you can view the BPA demo and a short video
about how to run a BPA to learn more about using the BPA.
A BPA report evaluates a next-generation firewall or Panorama configuration file
against more than 200 best practice checks. The BPA groups the results of the
evaluation by policies, objects, network, and device/Panorama information, similar to
the PAN-OS user interface.
In Panorama-managed environments, Panorama may manage large numbers of next-generation
firewalls. Should you run the BPA on Panorama or on each individual firewall? The tradeoff is speed
and convenience versus completeness.
Running the BPA on Panorama is fast, convenient, and assesses most of the capabilities of the
managed firewalls, but does not examine local firewall overrides.
Running the BPA on each managed firewall assesses the complete configuration (including local
overrides) but takes much more time.
The most practical method is to run the BPA on Panorama first. Examine the results, decide if you
need to focus on any particular managed devices, and then run the BPA on those devices. This
method saves time while still focusing on relevant information that enables you to improve your
security posture.
Review and analyze the information to find areas to focus on and improve:
> Review the Best Practice Summary
> Review Best Practice Policy Configuration
> Review Best Practice Objects Configuration
> Review Best Practice Network Configuration
> Review Best Practice Device and Panorama Management Configuration
Review the Best Practice Summary
Select Summary from the Best Practice Assessment menu to view the Best Practice Summary.
The summary presents best practice configuration check results mapped to the control categories
of industry standards, such as the Center for Internet Security’s (CIS) Critical Security Controls and
the National Institute of Standards and Technology (NIST) publication on Security Controls and
Assessment Procedures. The purpose of this information is to provide a good way to learn how
BPA checks tie to industry standards, not to act as an audit.
Like the Adoption Summary, the Best Practice Summary includes metrics that show your current
adoption rate and adoption progress (in parentheses) since the last time you generated the BPA on
the device’s configuration.
Click Mapping Definitions (left sidebar) to see a complete list of all of the mapped checks
and their individual scores. Show Filters to set filters, Apply Filters to the output, and Export
Mappings to export the mappings to a .csv file.
Geng Started with the BPA Version 10.2
22
©2022 Palo Alto Networks, Inc.
Evaluate Best Pracce Configuraon
Next: Review Best Practice Policy Configuration.
Geng Started with the BPA Version 10.2
23
©2022 Palo Alto Networks, Inc.
Evaluate Best Pracce Configuraon
Review Best Practice Policy Configuration
Best Practice Assessment > Policies shows all checks related to different types of firewall policies
and begins on the Security Rulebase checks page. Security Rulebase checks summarizes the best
practice check results by device group, with a pass/fail status and recommendations for what to
do about failed checks. Click help to view the description of and rationale for each result,
along with a link to technical documentation for reference.
Select the type of policy you want to review from the left menu to identify potential rule
improvements. For example, Security Rule Checks displays rule-based check results. Click Local
Filters to configure filters that narrow the results to rules that failed one or more particular checks.
You can Export Data to export the list to a .csv file for remediation analysis.
Geng Started with the BPA Version 10.2
24
©2022 Palo Alto Networks, Inc.
Evaluate Best Pracce Configuraon
When you review Policy information, at a minimum, review the following items to help understand
the scope of policy remediation (switch between views):
Security—Identify rules that fail the Source/Destination !=any/any check.
Security—Identify rules that fail the App-ID with Service check.
Security—Identify User-ID rules that fail the User-ID Rules without User ID enabled on Zone
check.
Decryption Rulebase—SSH Proxy decryption checks.
Decryption—Each Decryption policy rule should have an associated Decryption profile.
The exception is TLSv1.3 traffic that you choose not to decrypt by applying a No
Decryption policy to the traffic. When you attach a No Decryption profile to the policy,
the profile checks certificate information and blocks decryption sessions that use bad
certificates. However, because TLSv1.3 encrypts certificate information, the firewall
cannot block undecrypted traffic based on certificate information, so there is no point
to attaching the profile to the policy.
Application Override—Application Override rules that use a simple custom application bypass
Layer 7 inspection for matching traffic. Reduce or eliminate Application Override rules that
use a simple custom application so you can Improve Visibility into Traffic and inspect the
applications and content these rules control.
Next: Review Best Practice Objects Configuration.
Geng Started with the BPA Version 10.2
25
©2022 Palo Alto Networks, Inc.
Evaluate Best Pracce Configuraon
Review Best Practice Objects Configuration
Best Practice Assessment > Objects shows all checks related to different types of firewall objects,
and begins on the Application Filters page. Select the object you want to review to understand
the existing configuration and to identify potential gaps in best practice configuration related to
Application Filters, Tags, GlobalProtect, Security profiles, Log Forwarding, and Decryption profiles.
The following example shows the result when you select the Antivirus Security profile object.
For each Antivirus profile, the report shows the current configuration and how many rules use
the profile. The report shows the best practice check results below the current configuration
with pass/fail status and recommendations for failed best practice checks. Click help for the
rationale for each check and links to best practice documentation.
When one or more checks fail, the profile title turns red. The report lists profiles that aren’t in use
at the bottom with a yellow title.
The “QS” button next to some of the profile page links on the left of the screen connects you to the
QuickStart Service options. The QuickStart Service helps you increase your security capabilities
and investments by helping you plan and execute your firewall-as-a-platform implementation. The
Self-guided Documents help you understand, create, and deploy the object.
Geng Started with the BPA Version 10.2
26
©2022 Palo Alto Networks, Inc.
Evaluate Best Pracce Configuraon
When you review the Objects tab, at a minimum, review the following items to help understand
the potential scope of remediation:
Antivirus—Decoder actions for both Antivirus and WildFire.
Anti-Spyware—Strict Profile, DNS Sinkhole.
Vulnerability Protection—Strict Profile.
URL Filtering—Whether known bad categories are blocked.
WildFire Analysis—Profile File Types (all types should be sent to WildFire for analysis).
Log Forwarding—Whether all log types are forwarded (forward all log types).
Next: Review Best Practice Network Configuration.
Geng Started with the BPA Version 10.2
27
©2022 Palo Alto Networks, Inc.
Evaluate Best Pracce Configuraon
Review Best Practice Network Configuration
Best Practice Assessment > Network shows all checks for network-related configuration and
begins on the Zones page. On the left nav, select the network check you want to review to
understand the existing configuration and to identify potential gaps in best practice configuration
related to Zones, GRE Tunnels, and to GlobalProtect, IPsec Crypto, Interface Management, and
Zone Protection profiles. The following example shows the result for Zones.
The report shows the current configuration for each item. The best practice check results for each
item appear below its current configuration. You can specify a Device Group and/or Template to
limit the scope of the information displayed.
Each check has pass/fail status and recommendations for failed best practice checks. Click help
for the rationale for each check and links to best practice documentation. When one or more
checks fail, the item’s title turns red.
When you review the Network tab, at a minimum, review the following items to help understand
the potential scope of remediation:
Zones—Whether each zone has Packet Buffer Protection enabled and has a Zone Protection
profile.
Zone Protection—Whether Flood Protection and Packet-Based Attack Protection are enabled.
Next: Review Best Practice Device and Panorama Management Configuration.
Geng Started with the BPA Version 10.2
28
©2022 Palo Alto Networks, Inc.
Evaluate Best Pracce Configuraon
Review Best Practice Device and Panorama Management Configuration
Best Practice Assessment > Device and Best Practice Assessment > Panorama pages show all
checks related to device management setup and configuration. On standalone firewalls, Best
Practice Assessment > Device begins on the firewall device’s General Settings for Management
Setup page. On Panorama, Best Practice Assessment > Device begins on the page that shows
general settings for each template stack. Best Practice Assessment > Panorama begins on the
device’s General Settings for Management Setup page. Select the check you want to review to
understand the existing configuration and to identify potential gaps in best practice configuration
related to firewall and Panorama device management. The following example shows the result for
General Settings on a Panorama device.
The report shows the current configuration for each item. The best practice check results for each
item appear below its current configuration. When viewing information for a Device, you can
specify a Template to limit the scope of the information displayed.
Each check has pass/fail status and recommendations for failed best practice checks. Click help
for the rationale for each check and links to best practice documentation. When one or more
checks fail, the item’s title turns red.
When you review the Device or Panorama tab, at a minimum, review the following items to help
understand the potential scope of remediation:
Dynamic Updates—Antivirus, Apps, Threats, and WildFire updates.
Management Interface Settings—Network Connectivity Services, Permitted IP Addresses.
Administrators—Local Admins, Administrator Password profile. Check Device > Administrators
or Panorama > Administrators to ensure Administrators’ passwords are configured with the
minimum required complexity.
Minimum Password Complexity—Password minimum complexity requirements check.
Next: Prioritize Best Practice Changes.
Geng Started with the BPA Version 10.2
29
©2022 Palo Alto Networks, Inc.
Evaluate Best Pracce Configuraon
Geng Started with the BPA Version 10.2
30
©2022 Palo Alto Networks, Inc.
Priorize Best Pracce Changes
The amount of informaon in a BPA report can be overwhelming. This chapter
provides recommendaons to help you priorize improvement to your configuraon
so you can close security gaps, implement the highest-value enhancements first, and
make progress toward achieving a best pracce security posture.
In Panorama-managed environments, Panorama may manage large numbers of next-generaon
firewalls. Should you run the BPA on Panorama or on each individual firewall? The tradeoff is speed
and convenience versus completeness.
Running the BPA on Panorama is fast, convenient, and assesses most of the capabilies of the
managed firewalls, but does not examine local firewall overrides.
Running the BPA on each managed firewall assesses the complete configuraon (including local
overrides) but takes much more me.
The most praccal method is to run the BPA on Panorama first. Examine the results, decide if you
need to focus on any parcular managed devices, and then run the BPA on those devices. This
method saves me while sll focusing on relevant informaon that enables you to improve your
security posture.
The following topics focus on how to improve your security posture in the order in
which new deployments are usually implemented, focusing on management first, then
visibility, control, and enforcement. Exisng deployments already may have achieved
some maturity in each area.
> Strengthen Device Management Posture
> Improve Visibility into Traffic
> Implement Inial Best Pracce Controls
> Fine-Tune and Enhance Best Pracce Controls
Strengthen Device Management Posture
Strengthening your device management posture secures the firewall by preventing unauthorized
access that could compromise it, reduces the operational impact of unexpected events, and
provides greater visibility into firewall operation.
Follow the Administrative Access Best Practices to prevent unauthorized and unsecured access
to the device’s management interface.
Forward all system and configuration logs to Panorama and to third-party monitoring solutions
to keep track of system-related events and configuration changes.
Create a configuration backup schedule so you can remediate configuration-related issues and
system outages faster.
After you configure changes, Run the BPA to validate the changes, measure progress, and
prioritize the next changes.
Next: Improve Visibility into Traffic.
Geng Started with the BPA Version 10.2
32
©2022 Palo Alto Networks, Inc.
Priorize Best Pracce Changes
Improve Visibility into Traffic
You can’t protect yourself against threats you can’t see, so you must ensure you have full visibility into traffic, across all users and applications, at all times. Complete visibility into the applications, content, and users on your network is the first step toward informed policy control:
Maximize Security profile adoption. After you Review the Adoption Summary and identify gaps in adoption, remediate the gaps using the safe transition steps to move toward a full best practice Security profile implementation.
Maximize Logging adoption (including Log Forwarding) across the Security policy rulebase to inspect all traffic.
Configure best practices for dynamic content updates to ensure the firewall has the latest application and threat signatures to protect your network and that you deploy updates based on your network security and availability requirements.
Plan your SSL Decryption deployment based on best practices.
Enable User-ID in user zones (internal, trusted zones from which users initiate traffic) to map application traffic and associated threats to users and devices.
Don’t enable User-ID in external untrusted zones. If you enable User-ID (or client probing such as WMI) on an external untrusted zone, probes could be sent outside your protected network and expose User-ID information such as the User-ID Agent service account name, domain name, and encrypted password hash, which could enable an attacker to compromise your network.
Reduce or eliminate Application Override rules so you can inspect the applications and content these rules control (an Application Override rule is a layer 4 rule that doesn’t allow the firewall to inspect the traffic). Eliminate the need for or reduce the scope of basic Application Override rules:
• Validate whether the use case for the rule still exists. Often, an Application Override rule was created to overcome a specific issue related to performance, protocol decoders, or unknown applications. Over time, PAN-OS updates, content updates, or hardware upgrades may remove the need for some Application Override rules. If you run PAN-OS 9.0 or later on firewalls or PAN-OS 9.0 or later on a Panorama managing firewalls running PAN-OS 8.1 (or later), you can use Policy Optimizer to transform the rule to a layer 7 rule.
• Reduce the scope of the Application Override rule so it only affects the minimum possible amount of traffic. Rules that are defined too broadly may override more traffic than necessary or intended. Define source and destination zones, address, and/or ports in each Application Override rule to limit the rule’s scope as much as possible.
• Create layer 7 custom applications for internal applications.
• Create Service objects with custom timeout values.
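As an added check for the two points above (User-ID enabled on an untrusted zone, and Application Override rules scoped too broadly), this script audits an exported PAN-OS configuration. It is example code written for this guide, not Palo Alto Networks tooling; the XML element paths (`enable-user-identification`, `rulebase/application-override/rules`) and the sample configuration are assumptions.

```python
"""Audit an exported PAN-OS config for two visibility gaps this guide names:
Application Override rules defined too broadly, and User-ID enabled on an
external untrusted zone.  Added example; element paths are assumed."""
import xml.etree.ElementTree as ET

# Constructed vsys1 fragment for illustration (not a real firewall export).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1">
 <zone><entry name="trust"><enable-user-identification>yes</enable-user-identification></entry>
  <entry name="untrust"><enable-user-identification>yes</enable-user-identification></entry></zone>
 <rulebase><application-override><rules>
  <entry name="legacy-erp">
   <from><member>any</member></from><to><member>any</member></to>
   <source><member>any</member></source><destination><member>any</member></destination>
   <protocol><tcp><port>1-65535</port></tcp></protocol>
   <application>custom-erp</application></entry>
  <entry name="scoped-erp">
   <from><member>trust</member></from><to><member>dc</member></to>
   <source><member>10.1.0.0/16</member></source><destination><member>10.2.5.10</member></destination>
   <protocol><tcp><port>8443</port></tcp></protocol>
   <application>custom-erp</application></entry>
 </rules></application-override></rulebase>
</entry></vsys></entry></devices></config>"""

VSYS = "./devices/entry/vsys/entry"  # assumed path under <config>


def broad_override_rules(xml_text):
    """Map each Application Override rule that uses 'any' for a zone or
    address, or a port range/list instead of a single port, to its reasons."""
    findings = {}
    rules = ET.fromstring(xml_text).iterfind(VSYS + "/rulebase/application-override/rules/entry")
    for rule in rules:
        reasons = []
        for field in ("from", "to", "source", "destination"):
            if "any" in [m.text for m in rule.iterfind(field + "/member")]:
                reasons.append(field + " is any")
        port = rule.findtext("protocol/tcp/port") or rule.findtext("protocol/udp/port") or ""
        if "-" in port or "," in port:  # range or list: wider than one port
            reasons.append("port " + port)
        if reasons:
            findings[rule.get("name")] = reasons
    return findings


def userid_on_untrusted_zones(xml_text, untrusted=("untrust",)):
    """Return the zones named in `untrusted` that have User-ID enabled."""
    zones = ET.fromstring(xml_text).iterfind(VSYS + "/zone/entry")
    return [z.get("name") for z in zones if z.get("name") in untrusted
            and z.findtext("enable-user-identification") == "yes"]
```

Run it against a real export by reading the XML file into `xml_text` and passing your own list of external zone names to `userid_on_untrusted_zones`.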
Plan to deploy DoS and Zone Protection and take baseline CPS measurements so you can set reasonable flood protection thresholds.
When you implement these native App-ID, Content-ID, User-ID, and SSL Decryption capabilities, the firewall gains visibility into and can inspect all of your traffic—applications, threats, and content—and tie events to the user, regardless of location, device type, port, encryption, or an attacker’s evasive techniques.
Geng Started with the BPA Version 10.2
33
©2022 Palo Alto Networks, Inc.
Priorize Best Pracce Changes
Improving the adopon of capabilies such as SSL Decrypon, logging, flood protecon,
Security profiles, etc., may result in addional firewall resource consumpon. Understand
the capacity of your firewalls and ensure they’re properly sized to handle any addional
load. Your Palo Alto Networks SE or CE can help you size the deployment. You also may
need addional log storage space.
Aer you configure changes, Run the BPA to validate the changes, measure progress, and
priorize the next changes.
Next: Implement Inial Best Pracce Controls.
Geng Started with the BPA Version 10.2
34
©2022 Palo Alto Networks, Inc.
Priorize Best Pracce Changes
Implement Inial Best Pracce Controls
Aer you gain visibility and context into the traffic on your network—applicaons, content,
threats, and users—implement strict controls to reduce the aack surface and prevent known and
unknown threats to complete the transion to a best pracce configuraon.
Aer you Review the Adopon Summary and idenfy gaps in adopon, follow the safe
transion steps to move toward best pracce Security profiles to block threats and reduce the
aack surface, including implemenng strict controls in the data center to protect the most
valuable assets of your business.
Create applicaon-based Security policy rules for data center and perimeter firewalls; use
the perimeter firewall best pracce recommendaons for other firewalls that aren’t in the
data center. If you run PAN-OS 9.0 or later on firewalls or PAN-OS 9.0 or later on a Panorama
managing firewalls running PAN-OS 8.1 (or later), you can use Policy Opmizer to convert portbased rules to applicaon-based rules.
Create user-based access policies.
Deploy best pracce Zone Protecon profiles to all zones.
Deploy SSL Decrypon so the firewall can gain visibility into (decrypt) and inspect encrypted
traffic.
Aer you implement control capabilies, the firewall can scan all allowed traffic and detect and
block network and applicaon-layer vulnerability exploits, buffer overflows, DoS aacks, port
scans, and known and unknown malware variants. The firewall controls applicaon and user
access as well as blocking malicious and unwanted applicaons.
Aer you configure changes, Run the BPA to validate the changes, measure progress, and
priorize the next changes.
Next: Fine-Tune and Enhance Best Pracce Controls.
Geng Started with the BPA Version 10.2
35
©2022 Palo Alto Networks, Inc.
Priorize Best Pracce Changes
Fine-Tune and Enhance Best Practice Controls
After you implement control over your network traffic—applications, content, threats, and users—start fine-tuning the controls and implement additional functionality to improve your security posture.
• If you haven’t converted internal applications to custom applications to gain visibility into and control of the traffic, convert internal applications to custom applications.
• Tune Security profiles to best practices after you use the safe transition steps to begin the move to best practice profiles.
• Block known malicious IP addresses based on threat intelligence from Palo Alto Networks and reputable third-party feeds.
• Deploy GlobalProtect or Prisma Access to extend the next-generation security platform to users and devices regardless of where they are located.
• Enable credential theft prevention.
• Configure network-based Multi-Factor Authentication.
Next: Run the BPA to validate changes, measure progress, and prioritize the next changes, learn more about best practices, and learn more about the many security capabilities of Panorama and PAN-OS next-generation firewalls.
Geng Started with the BPA Version 10.2
36
©2022 Palo Alto Networks, Inc.
Download