Starting Best Practices with the BPA and Security Assurance
Version 9.0 (EoL)
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html
About the Documentation
• For the most recent version of this guide or for access to related documentation, visit the
Technical Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us
at documenta[email protected].
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2019–2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective
companies.
Last Revised
March 14, 2022
Starting Best Practices with the BPA and Security Assurance 2 ©2022 Palo Alto Networks, Inc.
Version 9.0 (EoL)
Table of Contents
Getting Started with Best Practices ........ 5
  Identify and Prioritize Best Practices ........ 6
  Access and Run the BPA ........ 9
    Access the BPA from the Customer Support Portal ........ 9
    Generate and Download a BPA Report ........ 11
  Security Assurance ........ 15
    The Seven Key Security Capabilities to Adopt ........ 15
    Check Adoption of the Seven Key Security Capabilities ........ 16
    Improve Adoption of the Seven Key Security Capabilities ........ 18
    How to Engage Security Assurance ........ 19
Getting Started with Best Practices
Security best practices prevent known and unknown threats, reduce the attack
surface, and provide visibility into traffic, so you know and control which applications,
users, and content are on your network. When you implement security best practices,
you:
> Minimize the chances of a successful intrusion.
> Identify the presence of attackers.
> Protect your valuable data.
> Protect your customers, partners, and employees, and thus protect the reputation
of your business.
> Help to achieve a Zero Trust security environment.
To transition to security best practices, first you need to understand your current
network security posture and identify areas for improvement. Palo Alto Networks
provides a guided transition path: the Best Practice Assessment (BPA) combined with
Safe Transition Steps and best practice technical documentation.
When you subscribe to the Premium (on or after November 1, 2019) or Platinum
Support Contract, you have the opportunity to prepare for Security Assurance.
Security Assurance provides access to Palo Alto Networks security experts and tools
to help with initial incident investigation.
> Identify and Prioritize Best Practices
> Access and Run the BPA
> Security Assurance
Identify and Prioritize Best Practices
Palo Alto Networks’ Best Practice Assessment (BPA) uses your Tech Support File to analyze
Panorama and next-generation firewall configuration settings and compares the configuration
to Palo Alto Networks best practices. The BPA shows the current state of best practice security
adoption and suggests specific changes to align the configuration with security best practices.
Running the BPA not only gives you an understanding of where to improve your security posture,
it also sets a baseline for later comparison and provides links to technical documentation that
shows you how to transition the BPA’s recommendations into a best practice configuration.
Using an iterative, prioritized approach, you can transform your security posture to a best practice
state, one step at a time, measuring progress as you go at your pace and level of comfort:
STEP 1 | Upload a Tech Support File on the Customer Support Portal and Access and Run the BPA
yourself, or contact your Palo Alto Networks SE or partner to run the BPA on Panorama or
your next-generation firewalls.
If you run the BPA yourself, we recommend that you contact your Palo Alto Networks SE or
partner to help interpret the results and discuss the next steps.
STEP 2 | Identify and prioritize the first area of improvement to begin the transition to best practices.
Whether your Palo Alto Networks SE or partner runs the BPA or you run the BPA, your SE or
partner can help you formulate a prioritized plan to safely phase in best practices. Plan to start
with the safest, easiest, highest impact changes first, such as applying Antivirus, Anti-Spyware,
Vulnerability Protection, and WildFire Analysis profiles to your Security policy allow rules.
STEP 3 | Use the BPA’s links to technical documentation to configure the best practices you prioritize.
Downloading the BPA report gives you a .zip file that contains the detailed HTML report, an
Executive Summary, and an Excel spreadsheet that lists failed best practice checks. You link to
technical documentation in two ways:
• From the spreadsheet—The Documentation tab provides links for each failed check.
In addition, the identification number in the Check ID column on the Policies, Objects,
Network, and Device tabs links directly to the relevant line on the Documentation tab.
• From the HTML report—When you open the HTML report, you see a heatmap that
summarizes best practice adoption. Go to BPA to access the report.
From the BPA summary page, view Policies, Objects, Network, or Device detailed reports
for the selected configuration assessment.
From a detailed report, click the circled blue ? for descriptions and rationales for
the configuration check and links to technical documentation for the best practice
configuration.
For Security profiles (Vulnerability Protection, Antivirus, Anti-Spyware, URL Filtering,
File Blocking), use the safe transition advice to ensure availability of business-critical
applications as you move to best practice Security profiles.
STEP 4 | After you implement the first set of best practice changes, run the BPA again to measure
progress and help verify that the changes work as expected.
Compare the first BPA output and the next BPA output to see the improvements in your
security posture. Identify and prioritize the next area of improvement to address.
STEP 5 | Use the BPA’s links to technical documentation to configure the next set of best practices
you prioritized.
STEP 6 | At your own pace, repeat the process of running the BPA to measure progress and
identify and prioritize next steps, and then configure best practices using the technical
documentation.
STEP 7 | Get started now—Access and Run the BPA or contact your Palo Alto Networks SE or partner
and begin the transition to a more secure network today!
Access and Run the BPA
Access the Best Practice Assessment (BPA) from the Customer Support Portal. Super User
accounts automatically have access to the BPA and can assign the BPA User role to a Standard
User’s profile so that the Standard User can run the BPA. This procedure shows Super Users how
to give access to Standard Users and how to run the BPA. You can also view short videos on how
to run a BPA and how to understand the results.
In addition, if you subscribe to the Premium (on or after Nov 1, 2019) or Platinum Support
Contract, you have the opportunity to prepare for and activate Security Assurance. Security
Assurance provides access to Palo Alto Networks security experts and tools to help with initial
incident investigation. We strongly recommend that you run the BPA to measure your adoption
of seven key security capabilities and to ensure that your adoption rate is at least equal to your
industry’s average adoption rate so that your network is better protected. The combination of the
Premium or Platinum support contract and a recent BPA measurement that shows your adoption
rate for the seven key security capabilities meets your industry’s average automatically activates
Security Assurance.
• Access the BPA from the Customer Support Portal
• Generate and Download a BPA Report
Access the BPA from the Customer Support Portal
STEP 1 | From the Customer Support Portal’s authentication home screen, select Members > Manage
Users.
STEP 2 | Click the pencil icon to edit the Standard User to whom you want to assign BPA permissions.
STEP 3 | Select BPA User role and then click the update check mark to add the new role.
STEP 4 | The Standard User now has the BPA User role privileges.
STEP 5 | Super Users and Standard Users with the BPA User role can log in to the Customer Support
Portal to access and run the BPA (Tools > Run Best Practice Assessment).
Generate and Download a BPA Report
After you gain access to the BPA, you can generate a BPA report for a Panorama appliance or for a
next-generation firewall.
If possible, generate BPA reports for Panorama appliances instead of individual
next-generation firewalls to gain complete visibility into all of the firewalls in your environment
in one report. Generate reports on a regular basis to measure progress toward adopting
security capabilities and security best practices.
STEP 1 | Drag and drop a Tech Support File (.tgz file) in the Customer Support Portal window or browse
for a Tech Support File.
Super Users can create Tech Support Files (Device > Support > Tech Support File or Panorama
> Support > Tech Support File).
STEP 2 | Optionally, map each zone to the area of architecture, or click Skip this step to run the BPA
without mapping zones.
Drag and drop the architectural value from Architecture Classification, use the Classification
drop-down to select a value, or select multiple check boxes to select multiple zones and then
apply a value to all of the selected zones at one time.
STEP 3 | Identify the industry mapped to your account, and generate and download the BPA report
(Generate & Download Report).
You can change the industry against which the BPA compares your results using the
drop-down. If you want to change anything before you generate the report, you can also go back
and make those changes.
Generate & Download Report downloads the detailed BPA report, the Executive Summary
report, and a spreadsheet that shows failed best practice checks to the system from which you
accessed and ran the BPA.
STEP 4 | The generated BPA displays the Executive Summary and informs you that the detailed HTML
report was downloaded to your computer.
STEP 5 | Now that you know how to run the BPA, go to the Customer Support Portal and try it
out today (or contact your Palo Alto Networks SE or partner to run the BPA) to begin the
transition to a more secure network.
If you subscribe to the Premium (on or after November 1, 2019) or Platinum Support
Contract, use the BPA to prepare your security posture to take advantage of Security
Assurance, which helps with initial incident investigation.
Security Assurance
If you detect suspicious activity in your network, Security Assurance provides extra help from Palo
Alto Networks when you need it the most. Security Assurance provides:
• Access to Palo Alto Networks security experts and their specialized threat intelligence tools
and threat hunting practices.
• Advanced log and indicators of compromise (IOC) analysis.
• Configuration assessment that includes customized product security recommendations.
• Next step recommendations to expedite the transition to your incident response (IR) vendor to
help manage and resolve the incident.
To take advantage of Security Assurance, you must subscribe to the Premium Support Contract
(on or after November 1, 2019) or to the Platinum Support Contract.
The first step toward Security Assurance is to run the Best Practice Assessment (BPA) to measure
your adoption of seven key security capabilities: WildFire, Antivirus, Anti-Spyware, DNS Sinkhole,
URL Filtering, Vulnerability Protection, and Logging. We recommend that you ensure your
adoption rate for those security capabilities is at least equal to your industry’s average adoption
rate.
Running the BPA and adopting higher levels of key security capabilities provides better protection
for your network and helps avoid incidents. The BPA also measures the adoption level of many
other security capabilities such as App-ID and User-ID, zone configuration, and other security
profiles such as File Blocking and DoS Protection profiles, and the BPA makes recommendations on
how to improve your security posture.
Run the BPA at regular intervals (for example, monthly or quarterly) to measure the
adoption of key security capabilities, understand the state of your network security, and
prioritize security improvements.
When you subscribe to the Premium Support Contract (on or after November 1, 2019) or to
the Platinum Support Contract and run the BPA, if it shows that you have adopted the seven
key security capabilities at a rate that meets your industry’s average, Security Assurance is
enabled automatically. If you need assistance to adopt these key capabilities at a rate that
meets your industry average, contact your Palo Alto Networks sales representative for help in
defining requirements, providing justification criteria, etc. If business reasons prevent you from
adopting the key security capabilities at this level, please work with your Palo Alto Networks sales
representative on how to gain access to the benefits of Security Assurance.
• The Seven Key Security Capabilities to Adopt
• Check Adoption of the Seven Key Security Capabilities
• Improve Adoption of the Seven Key Security Capabilities
• How to Engage Security Assurance
The Seven Key Security Capabilities to Adopt
We strongly recommend adopting the following seven key security capabilities for the following
reasons:
• WildFire—Attach a WildFire security profile to security policy rules that allow traffic to protect
your network from new, unknown threats. WildFire is a strong defense against advanced
persistent threats (APTs).
• Antivirus—Attach an Antivirus security profile to security policy rules that allow traffic to block
known malicious files such as malware, ransomware, bots, and viruses.
• Anti-Spyware—Attach an Anti-Spyware security profile to security policy rules that allow traffic
to detect command-and-control (C2) traffic initiated by malicious code running on a server or
endpoint and to prevent compromised systems from establishing an outbound connection from
your network.
• DNS Sinkhole—Configure the DNS Sinkhole portion of an Anti-Spyware security profile
that is attached to security policy rules that allow traffic. DNS Sinkhole identifies potentially
compromised hosts that attempt to access suspicious domains by tracking the hosts and
preventing them from accessing those domains.
• URL Filtering—Attach a URL Filtering profile to security policy rules that allow traffic to prevent
access to risky web content (sites that may contain malicious content). URL Filtering profiles
and URL categories give you granular control over the types of websites to which you allow
access.
• Vulnerability Protection—Attach a Vulnerability Protection security profile to security
policy rules that allow traffic to prevent attackers from exploiting client-side and server-side
vulnerabilities and delivering malicious payloads to your network and users, and to prevent
attackers from using vulnerabilities to move laterally within your network.
• Logging—Enable logging on all traffic (allowed and denied) to provide a time-stamped audit trail
for system events and network traffic events. Logs provide critical information for investigating
incidents. Log Forwarding enables you to send logs from all your firewalls to Panorama or to
an external system to aggregate the logs for analysis.
Adopting these key capabilities greatly improves your security posture, reduces your attack
surface, increases your visibility into network traffic, prevents known and new attacks, and
protects the data, assets, applications, and services that are most valuable to your network.
Check Adoption of the Seven Key Security Capabilities
In the detailed BPA report (HTML format) you receive when you generate and download your BPA
results, go to the Adoption Summary page to check your overall adoption of the six security profile
(WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, Vulnerability Protection, and URL Filtering)
capabilities and your industry’s average adoption of those capabilities (logging is a separate check).
The Adoption Summary page shows your security capability adoption compared to your industry
and helps you identify gaps in adoption. For example, if your industry is High Technology:
The results show that the configuration meets the industry average adoption for four capabilities:
WildFire, Antivirus, Anti-Spyware, and Vulnerability Protection profiles. The results also show that
the configuration does not come up to the industry average adoption of two capabilities: DNS
Sinkhole and URL Filtering. This indicates the next course of action: configure DNS Sinkhole in the
Anti-Spyware profile and apply URL Filtering to internet traffic.
In the detailed HTML BPA report, go to the Trending page to check your overall adoption of
logging capabilities and your industry’s average adoption of logging.
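The adoption arithmetic behind the Adoption Summary and Trending pages can be reproduced against a firewall's own running configuration, which is useful for checking a candidate config before the next BPA run. The following script is an added example, not Palo Alto Networks code and not the BPA itself: it reads a constructed PAN-OS-style security rulebase, counts how many allow rules carry each of the five rule-level profiles, treats DNS Sinkhole as adopted only when the attached Anti-Spyware profile object has its sinkhole portion configured, measures logging over all rules (allowed and denied, with absent log-end meaning the session-end default), and lists the capabilities that fall below a constructed set of industry averages. The element paths (profile-setting/profiles, botnet-domains/sinkhole, log-end) are assumptions about the running-config layout found in a Tech Support File; verify them against your own exported configuration, and take the real industry figures from the BPA.

```python
"""Adoption check for the seven key capabilities over a PAN-OS-style security
rulebase. Added example, not Palo Alto Networks code and not the BPA itself.
Assumption: the element paths below follow the running-config layout found in
a Tech Support File; verify them against your own exported configuration."""
import xml.etree.ElementTree as ET

# Constructed sample configuration: three allow rules with different profile
# coverage, one deny rule, and two Anti-Spyware profile objects.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <profiles><spyware>
    <entry name="spyware-sinkhole"><botnet-domains><sinkhole>
      <ipv4-address>192.0.2.1</ipv4-address></sinkhole></botnet-domains></entry>
    <entry name="spyware-plain"/>
  </spyware></profiles>
  <rulebase><security><rules>
    <entry name="allow-web"><action>allow</action><log-end>yes</log-end>
      <profile-setting><profiles>
        <virus><member>default</member></virus>
        <spyware><member>spyware-sinkhole</member></spyware>
        <vulnerability><member>default</member></vulnerability>
        <url-filtering><member>default</member></url-filtering>
        <wildfire-analysis><member>default</member></wildfire-analysis>
      </profiles></profile-setting></entry>
    <entry name="allow-dns"><action>allow</action>
      <profile-setting><profiles>
        <virus><member>default</member></virus>
        <spyware><member>spyware-plain</member></spyware>
        <vulnerability><member>default</member></vulnerability>
      </profiles></profile-setting></entry>
    <entry name="allow-legacy"><action>allow</action><log-end>no</log-end></entry>
    <entry name="deny-all"><action>deny</action><log-end>yes</log-end></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Rule-level profile attachments that map to five of the six profile capabilities.
PROFILE_ELEMENTS = {"WildFire": "wildfire-analysis", "Antivirus": "virus",
                    "Anti-Spyware": "spyware", "URL Filtering": "url-filtering",
                    "Vulnerability Protection": "vulnerability"}

# Constructed industry averages (percent); the real figures come from the
# Adoption Summary page for the industry mapped to your account.
INDUSTRY_AVERAGE = {"WildFire": 30.0, "Antivirus": 55.0, "Anti-Spyware": 55.0,
                    "DNS Sinkhole": 40.0, "URL Filtering": 45.0,
                    "Vulnerability Protection": 55.0, "Logging": 90.0}


def sinkhole_profiles(root):
    """Names of Anti-Spyware profile objects whose DNS Sinkhole portion is configured."""
    return {e.get("name")
            for e in root.iterfind(".//vsys/entry/profiles/spyware/entry")
            if e.find("botnet-domains/sinkhole") is not None}


def attached_profile(rule, element):
    """Name of the profile a rule attaches for one capability, or None."""
    member = rule.find(f"profile-setting/profiles/{element}/member")
    return None if member is None else (member.text or "").strip()


def logs_at_session_end(rule):
    """Absent <log-end> means the default, and rules log at session end by default."""
    node = rule.find("log-end")
    return node is None or (node.text or "").strip() == "yes"


def measure_adoption(config_xml):
    """Percent adoption per capability: profiles over allow rules, logging over all rules."""
    root = ET.fromstring(config_xml)
    sinkholes = sinkhole_profiles(root)
    rules = list(root.iterfind(".//rulebase/security/rules/entry"))
    allow = [r for r in rules if (r.findtext("action") or "").strip() == "allow"]
    counts = {cap: 0 for cap in INDUSTRY_AVERAGE}
    for rule in allow:
        for cap, element in PROFILE_ELEMENTS.items():
            if attached_profile(rule, element):
                counts[cap] += 1
        # DNS Sinkhole lives inside the attached Anti-Spyware profile object.
        if attached_profile(rule, "spyware") in sinkholes:
            counts["DNS Sinkhole"] += 1
    counts["Logging"] = sum(1 for r in rules if logs_at_session_end(r))
    adoption = {}
    for cap, n in counts.items():
        denominator = len(rules) if cap == "Logging" else len(allow)
        adoption[cap] = round(100.0 * n / denominator, 1) if denominator else 0.0
    return adoption


def adoption_gaps(adoption, industry=INDUSTRY_AVERAGE):
    """Capabilities below the industry average, largest shortfall first."""
    gaps = [(cap, adoption[cap], industry[cap])
            for cap in industry if adoption[cap] < industry[cap]]
    return sorted(gaps, key=lambda g: g[2] - g[1], reverse=True)


if __name__ == "__main__":
    result = measure_adoption(SAMPLE_CONFIG)
    for cap, pct in result.items():
        print(f"{cap:25s} {pct:5.1f}%  (industry {INDUSTRY_AVERAGE[cap]:.0f}%)")
    for cap, mine, avg in adoption_gaps(result):
        print(f"below industry average: {cap} ({mine}% vs {avg}%)")
```

On the constructed sample the script reports Logging, URL Filtering, and DNS Sinkhole as the capabilities below average, in that order of shortfall, which is the same kind of call to action the Adoption Summary example above gives: the next changes are the sinkhole configuration in the Anti-Spyware profile, URL Filtering on the allow rules that carry internet traffic, and logging on the rule that has it switched off.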
This page shows not only your level of adoption compared to your industry, it also shows your
level of adoption compared to the last time you ran the BPA. This is a measure of security
improvement over time as well as a call to action if your results indicate that your security is not as
tight as you want it to be.
If the profile and logging results show that your adoption of all seven capabilities meets your
industry’s average, Security Assurance is automatically enabled. If you need assistance to adopt
these key capabilities at a rate that meets your industry average, contact your Palo Alto Networks
sales representative for help in defining requirements, providing justification criteria, etc. If
business reasons prevent you from adopting the key security capabilities at this level, please work
with your Palo Alto Networks sales representative on how to gain access to the benefits of Security
Assurance.
Improve Adoption of the Seven Key Security Capabilities
Use the BPA in conjunction with Palo Alto Networks technical documentation to identify the
security capabilities that need improvement and to make the needed improvements, especially in
the seven key security capabilities. Improving your security posture helps to safeguard your users
and your valuable devices, assets, applications, and services.
• WildFire—Transition WildFire Profiles Safely to Best Practices and then implement WildFire
Best Practices. The best practice WildFire profile is the default profile.
• Antivirus—Transition Antivirus Profiles Safely to Best Practices and then implement Antivirus
Best Practices (or slightly stricter Antivirus Best Practices for the data center).
• Anti-Spyware and DNS Sinkhole—DNS Sinkhole configuration is on the DNS Signatures tab in
the Anti-Spyware security profile. Transition Anti-Spyware Profiles Safely to Best Practices and
then implement Anti-Spyware Best Practices (or slightly stricter Anti-Spyware Best Practices
for the data center).
• URL Filtering—Transition URL Filtering Profiles Safely to Best Practices and then implement
URL Filtering Best Practices.
• Vulnerability Protection—Transition Vulnerability Protection Profiles Safely to Best Practices
and then implement Vulnerability Protection Best Practices (or slightly stricter Vulnerability
Protection Best Practices for the data center).
• Logging—Security policy rules log at session end by default.
In addition, the BPA and the technical documentation show you how to improve many other
security capabilities such as App-ID, User-ID, File Blocking profiles, DoS and Zone Protection, and
credential theft protection. Some key resources are:
• Getting Started with the BPA—Shows you how to use the BPA to review the adoption of
security capabilities and identify gaps in adoption, evaluate your configuration including
policies, objects, network, and device and Panorama configuration, and prioritize changes
including strengthening your device management posture, improving visibility into traffic, and
implementing initial best practice controls.
• Decryption Best Practices—Shows you how to increase your visibility by decrypting all of the
traffic that your business model, privacy considerations, and regulations allow so that you can
inspect the maximum amount of traffic and protect your network from encrypted threats.
• DoS and Zone Protection Best Practices—Shows you how to take a layered approach to
protecting against denial-of-service (DoS) attacks that try to take down your network and to
defending your network perimeter, zones, and individual devices.
• Best Practices for Applications and Threats Content Updates—Deploying content and
applications updates in the best manner for your business requirements ensures that your
network is protected against the latest threats and identifies the latest applications.
You can find all of these documents and much more from the Best Practices portal and the
Transition to Best Practices page.
How to Engage Security Assurance
If you experience suspicious activity, when you engage Security Assurance, you must provide a
specific set of data about the suspected incident so Palo Alto Networks’ experts can investigate
the activity.
• Data to Collect Before Engaging Security Assurance
• Engaging Security Assurance
Data to Collect Before Engaging Security Assurance
Palo Alto Networks’ experts need at a minimum the following information about the suspicious
activity to begin diagnosing the potential issue. Please collect this data before you engage Security
Assurance.
Basic details regarding the suspicious activity:
• The suspected attack vector and type: What evidence of suspicious activity alerted your
administrative or response team?
• Timeline:
  • Date and time of the suspected initial attack, if known.
  • The time at which you identified the potential issue.
• Incident details:
  • Known IP addresses of impacted systems.
  • The IP addresses of impacted hosts that are publicly available through NAT.
  • Critical services that could make the system or systems a target, for example, databases,
  web services, remote access (RDP, Citrix, etc.) servers.
  • Known or suspicious IP addresses that may be related to the attack.
  • The User-IDs of compromised user accounts (if any).
• Topology diagram or overview: The location of the firewall in relation to the impacted hosts. (A
complete network topology diagram is not required.)
• Malware and indicators of compromise:
  • Samples.
  • Hashes.
Firewall data:
• Tech Support Files:
  • Generate and upload Tech Support files from the firewalls in the path to potentially
  impacted devices at the time of the suspicious activity.
  • If you use Panorama to manage the firewalls, generate and upload the Panorama Tech
  Support file.
• Firewall logs: Export logs from the firewall and Panorama appliances from two hours before the
suspicious activity. Before you export logs, verify that the CSV row setting is at its maximum
value of 65535 rows and if the value is lower, increase it to the maximum of 65535 rows.
Export logs for each of the following basic log categories (if logs are enabled) based on IP
address information and Timestamp details (you can filter logs to display log entries based on IP
address and time):
  • Data Filtering logs
  • Traffic logs
  • Threat logs
  • URL Filtering logs
  • User-ID logs (if you suspect lateral movement is involved)
  • WildFire Submissions logs
It’s important to understand your deployment’s log retention policy and log retention
capacity to ensure that no relevant data is unexamined. Administrators may need to take
additional actions such as exporting data from firewalls or other logging servers to assure
continuity and completeness of data for the duration of the investigation.
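Once the CSV exports are on disk, the collection window and the impacted-host filter described above are easy to apply mechanically, and a quick per-category count confirms that every enabled log type actually made it into the bundle. The script below is an added example, not Palo Alto Networks code: it builds the window from the two timeline items (two hours before the suspected initial attack through the time the issue was identified), keeps only rows whose source or destination is an impacted host (internal address or its public NAT address), counts rows per log type, and flags an export that reached the 65535-row cap, since such a file is almost certainly truncated and should be re-exported over a narrower time range. The column names (receive_time, type, src, dst, app, action) and the sample rows are constructed for the example; a real export carries many more columns, so map your header's receive time, source and destination address, and type columns onto these names.

```python
"""Scope exported firewall logs to the impacted hosts and the collection window
(two hours before the suspected start of the activity) before engaging Security
Assurance. Added example, not Palo Alto Networks code. Assumption: the column
names below are constructed; a real CSV export carries many more columns, so map
receive time, source/destination address, and log type onto them."""
import csv
import io
from datetime import datetime, timedelta

EXPORT_ROW_CAP = 65535            # maximum CSV export size named in the procedure
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed sample export: one impacted host (10.1.1.20) and two bystanders.
SAMPLE_EXPORT = """receive_time,type,src,dst,app,action
2022/03/01 06:30:00,TRAFFIC,10.1.1.20,203.0.113.9,web-browsing,allow
2022/03/01 07:40:12,TRAFFIC,10.1.1.20,203.0.113.9,web-browsing,allow
2022/03/01 08:15:03,THREAT,10.1.1.20,203.0.113.9,web-browsing,alert
2022/03/01 09:02:44,TRAFFIC,10.1.1.21,198.51.100.4,ssl,allow
2022/03/01 09:30:00,TRAFFIC,10.1.1.20,198.51.100.4,ssl,allow
2022/03/01 11:10:21,URL,10.1.1.20,203.0.113.9,web-browsing,block-url
2022/03/01 13:00:00,TRAFFIC,10.1.1.22,192.0.2.5,dns,allow
"""


def collection_window(suspected_start, identified_at, lead=timedelta(hours=2)):
    """Export window: two hours before the suspected initial attack until identification."""
    return suspected_start - lead, identified_at


def filter_export(csv_text, hosts, window):
    """Rows inside the window that involve an impacted host, plus a truncation flag.

    An export holding the full row cap almost certainly hit the 65535-row limit;
    split the time range and export again rather than treating it as complete."""
    start, end = window
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    truncated = len(rows) >= EXPORT_ROW_CAP
    kept = [
        row for row in rows
        if start <= datetime.strptime(row["receive_time"], TIME_FORMAT) <= end
        and (row["src"] in hosts or row["dst"] in hosts)
    ]
    return kept, truncated


def count_by_type(rows):
    """Per log-category counts: a quick check that each enabled category is present."""
    counts = {}
    for row in rows:
        counts[row["type"]] = counts.get(row["type"], 0) + 1
    return counts


def run_example():
    # Impacted hosts: the internal address plus a constructed public NAT address.
    hosts = {"10.1.1.20", "203.0.113.50"}
    window = collection_window(datetime(2022, 3, 1, 9, 0, 0),   # suspected initial attack
                               datetime(2022, 3, 1, 12, 0, 0))  # time the issue was identified
    kept, truncated = filter_export(SAMPLE_EXPORT, hosts, window)
    return kept, truncated, count_by_type(kept)


if __name__ == "__main__":
    kept, truncated, summary = run_example()
    print(f"{len(kept)} rows kept, truncated={truncated}, by type: {summary}")
```

Run the same filter over each category's export (Traffic, Threat, URL Filtering, and so on); a category that produces zero rows for the impacted hosts is worth a second look before you conclude it has nothing to contribute, because it may simply not have been enabled on the rules in the path, which is itself a finding the logging retention note above warns about.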
More ways to identify meaningful data about suspicious activity:
• Use the Application Command Center (ACC). The ACC can show you traffic spikes, anomalies,
and changes in the time before, during, and after the suspicious activity.
• Use the Threat Monitor Report to view the top threats over the time period preceding,
during, and after the suspicious activity.
Engaging Security Assurance
After you collect data about the suspicious activity to ensure the timely analysis of the relevant
information, you’re ready to engage Security Assurance. You can engage Security Assurance in
two ways:
• Log in to the Customer Support Portal. Click Create a Case to open a support case. When you
fill out the form, select Threat.
• Your sales engineer (SE) can open a support case on your behalf.