
Starting Best Practices with the BPA and Security Assurance
Version 9.1

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2019-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
December 18, 2019

2 STARTING BEST PRACTICES WITH THE BPA AND SECURITY ASSURANCE |


Table of Contents
Getting Started with Best Practices ........ 5
  Identify and Prioritize Best Practices ........ 7
  Access and Run the BPA ........ 9
    Access the BPA from the Customer Support Portal ........ 9
    Generate and Download a BPA Report ........ 11
  Security Assurance ........ 14
    The Seven Key Security Capabilities to Adopt ........ 14
    Check Adoption of the Seven Key Security Capabilities ........ 15
    Improve Adoption of the Seven Key Security Capabilities ........ 16
    How to Engage Security Assurance ........ 17

Getting Started with Best Practices
Security best practices prevent known and unknown threats, reduce the attack surface, and
provide visibility into traffic, so you know and control which applications, users, and content
are on your network. When you implement security best practices, you:

> Minimize the chances of a successful intrusion.
> Identify the presence of attackers.
> Protect your valuable data.
> Protect your customers, partners, and employees, and thus protect the reputation of your
business.
> Help to achieve a Zero Trust security environment.

To transition to security best practices, first you need to understand your current network
security posture and identify areas for improvement. Palo Alto Networks provides a guided
transition path: the Best Practice Assessment (BPA) combined with Safe Transition Steps and
best practice technical documentation.
When you subscribe to the Premium (on or after November 1, 2019) or Platinum Support
Contract, you have the opportunity to prepare for Security Assurance. Security Assurance
provides access to Palo Alto Networks security experts and tools to help with initial incident
investigation.

> Identify and Prioritize Best Practices
> Access and Run the BPA
> Security Assurance

Identify and Prioritize Best Practices
Palo Alto Networks’ Best Practice Assessment (BPA) uses your Tech Support File to analyze Panorama
and next-generation firewall configuration settings and compares the configuration to Palo Alto Networks
best practices. The BPA shows the current state of best practice security adoption and suggests specific
changes to align the configuration with security best practices. Running the BPA not only gives you an
understanding of where to improve your security posture, it also sets a baseline for later comparison and
provides links to technical documentation that shows you how to transition the BPA’s recommendations
into a best practice configuration.
Using an iterative, prioritized approach, you can transform your security posture to a best practice state,
one step at a time, measuring progress as you go at your pace and level of comfort:

STEP 1 | Upload a Tech Support File on Customer Support Portal and Access and Run the BPA yourself,
or contact your Palo Alto Networks SE or partner to run the BPA on Panorama or your next-
generation firewalls.
If you run the BPA yourself, we recommend that you contact your Palo Alto Networks SE or partner to
help interpret the results and discuss the next steps.

STEP 2 | Identify and prioritize the first area of improvement to begin the transition to best practices.
Whether your Palo Alto Networks SE or partner runs the BPA or you run the BPA, your SE or partner
can help you formulate a prioritized plan to safely phase in best practices. Plan to start with the safest,
easiest, highest impact changes first, such as applying Antivirus, Anti-Spyware, Vulnerability Protection,
and WildFire Analysis profiles to your Security policy allow rules.

STEP 3 | Use the BPA’s links to technical documentation to configure the best practices you prioritize.
Downloading the BPA report gives you a .zip file that contains the detailed HTML report, an Executive
Summary, and an Excel spreadsheet that lists failed best practice checks. You link to technical
documentation in two ways:
• From the spreadsheet—The Documentation tab provides links for each failed check. In addition, the
identification number in the Check ID column on the Policies, Objects, Network, and Device tabs
links directly to the relevant line on the Documentation tab.
• From the HTML report—When you open the HTML report, you see a heatmap that summarizes best
practice adoption. Go to BPA to access the report.

From the BPA summary page, view Policies, Objects, Network, or Device detailed reports for the
selected configuration assessment.

From a detailed report, click the circled blue ? for descriptions and rationales for the configuration
check and links to technical documentation for the best practice configuration.

For Security profiles (Vulnerability Protection, Antivirus, Anti-Spyware, URL Filtering, File Blocking),
use the safe transition advice to ensure availability of business-critical applications as you move to
best practice Security profiles.

STEP 4 | After you implement the first set of best practice changes, run the BPA again to measure
progress and help verify that the changes work as expected.
Compare the first BPA output and the next BPA output to see the improvements in your security
posture. Identify and prioritize the next area of improvement to address.

STEP 5 | Use the BPA’s links to technical documentation to configure the next set of best practices you
prioritized.

STEP 6 | At your own pace, repeat the process of running the BPA to measure progress and identify and
prioritize next steps, and then configure best practices using the technical documentation.

STEP 7 | Get started now—Access and Run the BPA or contact your Palo Alto Networks SE or partner
and begin the transition to a more secure network today!

Access and Run the BPA
Access the Best Practice Assessment (BPA) from the Customer Support Portal. Super User accounts
automatically have access to the BPA and can assign the BPA User role to a Standard User’s profile so that
the Standard User can run the BPA. This procedure shows Super Users how to give access to Standard
Users and how to run the BPA. You can also view short videos on how to run a BPA and how to understand
the results.
In addition, if you subscribe to the Premium (on or after Nov 1, 2019) or Platinum Support Contract, you
have the opportunity to prepare for and activate Security Assurance. Security Assurance provides access
to Palo Alto Networks security experts and tools to help with initial incident investigation. We strongly
recommend that you run the BPA to measure your adoption of seven key security capabilities and to ensure
that your adoption rate is at least equal to your industry’s average adoption rate so that your network
is better protected. The combination of the Premium or Platinum support contract and a recent BPA
measurement that shows your adoption rate for the seven key security capabilities meets your industry’s
average automatically activates Security Assurance.
• Access the BPA from the Customer Support Portal
• Generate and Download a BPA Report

Access the BPA from the Customer Support Portal


STEP 1 | From the Customer Support Portal’s authentication home screen, select Members > Manage
Users.

STEP 2 | Click the pencil icon to edit the Standard User to whom you want to assign BPA permissions.

STEP 3 | Select BPA User role and then click the update check mark to add the new role.

STEP 4 | The Standard User now has the BPA User role privileges.

STEP 5 | Super Users and Standard Users with the BPA User role can log in to the Customer Support
Portal to access and run the BPA (Tools > Run Best Practice Assessment).

Generate and Download a BPA Report


After you gain access to the BPA, you can generate a BPA report for a Panorama appliance or for a next-
generation firewall.

If possible, generate BPA reports for Panorama appliances instead of individual next-
generation firewalls to gain complete visibility into all of the firewalls in your environment
in one report. Generate reports on a regular basis to measure progress toward adopting
security capabilities and security best practices.

STEP 1 | Drag or drop a Tech Support File (.tgz file) in the Customer Support Portal window or browse
for a Tech Support File.
Super Users can create Tech Support Files (Device > Support > Tech Support File or Panorama >
Support > Tech Support File).

STEP 2 | Optionally, map each zone to the area of architecture, or click Skip this step to run the BPA
without mapping zones.
Drag and drop the architectural value from Architecture Classification, use the Classification drop-down
to select a value, or select multiple check boxes to select multiple zones and then apply a value to all of
the selected zones at one time.

STEP 3 | Identify the industry mapped to your account, and generate and download the BPA report
(Generate & Download Report).
You can change the industry against which the BPA compares your results using the drop-down. If you
want to change anything before you generate the report, you can also go back and make those changes.
Generate & Download Report downloads the detailed BPA report, the Executive Summary report, and a
spreadsheet that shows failed best practice checks to the system from which you accessed and ran the
BPA.

STEP 4 | The generated BPA displays the Executive Summary and informs you that the detailed HTML
report was downloaded to your computer.

STEP 5 | Now that you know how to run the BPA, go to the Customer Support Portal and try it out
today (or contact your Palo Alto Networks SE or partner to run the BPA) to begin the transition
to a more secure network.

If you subscribe to the Premium (on or after November 1, 2019) or Platinum Support
Contract, use the BPA to prepare your security posture to take advantage of Security
Assurance, which helps with initial incident investigation.

Security Assurance
If you detect suspicious activity in your network, Security Assurance provides extra help from Palo Alto
Networks when you need it the most. Security Assurance provides:
• Access to Palo Alto Networks security experts and their specialized threat intelligence tools and threat
hunting practices.
• Advanced log and indicators of compromise (IOC) analysis.
• Configuration assessment that includes customized product security recommendations.
• Next step recommendations to expedite the transition to your incident response (IR) vendor to help
manage and resolve the incident.
To take advantage of Security Assurance, you must subscribe to the Premium Support Contract (on or after
November 1, 2019) or to the Platinum Support Contract.
The first step toward Security Assurance is to run the Best Practice Assessment (BPA) to measure your
adoption of seven key security capabilities: WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, URL Filtering,
Vulnerability Protection, and Logging. We recommend that you ensure your adoption rate for those security
capabilities is at least equal to your industry’s average adoption rate.
Running the BPA and adopting higher levels of key security capabilities provides better protection for
your network and helps avoid incidents. The BPA also measures the adoption level of many other security
capabilities such as App-ID and User-ID, zone configuration, other security profiles such as File Blocking
and DoS Protection profiles, and the BPA makes recommendations on how to improve your security
posture.

Run the BPA at regular intervals (for example, monthly or quarterly) to measure the adoption
of key security capabilities, understand the state of your network security, and prioritize
security improvements.

When you subscribe to the Premium Support Contract (on or after November 1, 2019) or to the Platinum
Support Contract and run the BPA, if it shows that you have adopted the seven key security capabilities
at a rate that meets your industry’s average, Security Assurance is enabled automatically. If you need
assistance to adopt these key capabilities at a rate that meets your industry average, contact your Palo
Alto Networks sales representative for help in defining requirements, providing justification criteria, etc. If
business reasons prevent you from adopting the key security capabilities at this level, please work with your
Palo Alto Networks sales representative on how to gain access to the benefits of Security Assurance.
• The Seven Key Security Capabilities to Adopt
• Check Adoption of the Seven Key Security Capabilities
• Improve Adoption of the Seven Key Security Capabilities
• How to Engage Security Assurance

The Seven Key Security Capabilities to Adopt


We strongly recommend adopting the following seven key security capabilities for the following reasons:
• WildFire—Attach a WildFire security profile to security policy rules that allow traffic to protect your
network from new, unknown threats. WildFire is a strong defense against advanced persistent threats
(APTs).
• Antivirus—Attach an Antivirus security profile to security policy rules that allow traffic to block known
malicious files such as malware, ransomware, bots, and viruses.
• Anti-Spyware—Attach an Anti-Spyware security profile to security policy rules that allow traffic to
detect command-and-control (C2) traffic initiated by malicious code running on a server or endpoint and
to prevent compromised systems from establishing an outbound connection from your network.

• DNS Sinkhole—Configure the DNS Sinkhole portion of an Anti-Spyware security profile that is attached
to security policy rules that allow traffic. DNS Sinkhole identifies potentially compromised hosts that
attempt to access suspicious domains by tracking the hosts and preventing them from accessing those
domains.
• URL Filtering—Attach a URL Filtering profile to security policy rules that allow traffic to prevent
access to risky web content (sites that may contain malicious content). URL Filtering profiles and URL
categories give you granular control over the types of websites to which you allow access.
• Vulnerability Protection—Attach a Vulnerability Protection security profile to security policy rules that
allow traffic to prevent attackers from exploiting client-side and server-side vulnerabilities and delivering
malicious payloads to your network and users, and to prevent attackers from using vulnerabilities to
move laterally within your network.
• Logging—Enable logging on all traffic (allowed and denied) to provide a time-stamped audit trail for
system events and network traffic events. Logs provide critical information for investigating incidents.
Log Forwarding enables you to send logs from all your firewalls to Panorama or to an external logging
service to aggregate the logs for analysis.
Adopting these key capabilities greatly improves your security posture, reduces your attack surface,
increases your visibility into network traffic, prevents known and new attacks, and protects the data,
assets, applications, and services that are most valuable to your network.

Check Adoption of the Seven Key Security Capabilities


In the detailed BPA report (HTML format) you receive when you generate and download your BPA results,
go to the Adoption Summary page to check your overall adoption of the six security profile (WildFire,
Antivirus, Anti-Spyware, DNS Sinkhole, Vulnerability Protection, and URL Filtering) capabilities and your
industry’s average adoption of those capabilities (logging is a separate check). The Adoption Summary page
shows your security capability adoption compared to your industry and helps you identify gaps in adoption.
For example, if your industry is High Technology:

The results show that the configuration meets the industry average adoption for four capabilities: WildFire,
Antivirus, Anti-Spyware, and Vulnerability Protection profiles. The results also show that the configuration
does not come up to the industry average adoption of two capabilities: DNS sinkhole and URL Filtering.
This indicates the next course of action: configure DNS sinkhole in the Anti-Spyware profile and apply URL
Filtering to internet traffic.
In the detailed HTML BPA report, go to the Trending page to check your overall adoption of logging
capabilities and your industry’s average adoption of logging.

This page shows not only your level of adoption compared to your industry, it also shows your level of
adoption compared to the last time you ran the BPA. This is a measure of security improvement over time
as well as a call to action if your results indicate that your security is not as tight as you want it to be.
If the profile and logging results show that your adoption of all seven capabilities meets your industry’s
average, Security Assurance is automatically enabled. If you need assistance to adopt these key capabilities
at a rate that meets your industry average, contact your Palo Alto Networks sales representative for help in
defining requirements, providing justification criteria, etc. If business reasons prevent you from adopting the
key security capabilities at this level, please work with your Palo Alto Networks sales representative on how
to gain access to the benefits of Security Assurance.
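As an added example (not Palo Alto Networks code and not the BPA's own logic), the check below computes a per-capability adoption rate over the allow rules of a constructed, PAN-OS-style rulebase fragment and compares it against constructed industry averages, the way the Adoption Summary and the separate logging check described above do. The element names, the list of Anti-Spyware profiles that have DNS Sinkhole configured, and the averages are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS security rulebase (assumption:
# only the fields this check reads are present). Three allow rules, one deny.
SAMPLE_CONFIG = """<config>
 <rulebase><security><rules>
  <entry name="allow-web">
   <action>allow</action><log-end>yes</log-end>
   <profile-setting><profiles>
    <virus><member>best-practice-av</member></virus>
    <spyware><member>bp-spyware-sinkhole</member></spyware>
    <vulnerability><member>strict</member></vulnerability>
    <url-filtering><member>bp-url</member></url-filtering>
    <wildfire-analysis><member>default</member></wildfire-analysis>
   </profiles></profile-setting>
  </entry>
  <entry name="allow-dns">
   <action>allow</action><log-end>yes</log-end>
   <profile-setting><profiles>
    <virus><member>best-practice-av</member></virus>
    <spyware><member>legacy-spyware</member></spyware>
    <vulnerability><member>strict</member></vulnerability>
    <wildfire-analysis><member>default</member></wildfire-analysis>
   </profiles></profile-setting>
  </entry>
  <entry name="allow-legacy-app">
   <action>allow</action><log-end>no</log-end>
  </entry>
  <entry name="deny-all">
   <action>deny</action><log-end>yes</log-end>
  </entry>
 </rules></security></rulebase>
</config>"""

# Constructed: Anti-Spyware profiles whose DNS Signatures tab has a sinkhole.
SINKHOLE_PROFILES = {"bp-spyware-sinkhole"}

# Constructed industry averages (percent of allow rules); not real BPA data.
INDUSTRY_AVERAGE = {
    "WildFire": 60, "Antivirus": 65, "Anti-Spyware": 65, "DNS Sinkhole": 50,
    "URL Filtering": 50, "Vulnerability Protection": 65, "Logging": 80,
}

# Capability -> profile element under <profile-setting>/<profiles>.
PROFILE_TAGS = {
    "WildFire": "wildfire-analysis", "Antivirus": "virus", "Anti-Spyware": "spyware",
    "URL Filtering": "url-filtering", "Vulnerability Protection": "vulnerability",
}


def _profile_member(rule, tag):
    """Name of the profile attached under <profiles>/<tag>, or None."""
    member = rule.find(f"./profile-setting/profiles/{tag}/member")
    return member.text if member is not None else None


def adoption_rates(config_xml):
    """Percent of allow rules carrying each of the seven key capabilities."""
    root = ET.fromstring(config_xml)
    allow_rules = [r for r in root.iterfind(".//rulebase/security/rules/entry")
                   if r.findtext("action") == "allow"]
    hits = {cap: 0 for cap in INDUSTRY_AVERAGE}
    for rule in allow_rules:
        for cap, tag in PROFILE_TAGS.items():
            if _profile_member(rule, tag):
                hits[cap] += 1
        # DNS Sinkhole counts only if the attached Anti-Spyware profile has it.
        if _profile_member(rule, "spyware") in SINKHOLE_PROFILES:
            hits["DNS Sinkhole"] += 1
        # Logging is measured separately: session-end logging on the rule.
        if rule.findtext("log-end") == "yes":
            hits["Logging"] += 1
    total = len(allow_rules) or 1
    return {cap: round(100 * n / total) for cap, n in hits.items()}


def adoption_gaps(rates, industry=INDUSTRY_AVERAGE):
    """Capabilities whose adoption rate is below the industry average."""
    return sorted(cap for cap, r in rates.items() if r < industry[cap])


def security_assurance_eligible(rates, industry=INDUSTRY_AVERAGE):
    """True only when all seven capabilities meet the industry average."""
    return not adoption_gaps(rates, industry)
```

On the sample, DNS Sinkhole, URL Filtering and Logging fall below the constructed averages, which mirrors the High Technology example in the text: the gaps name the next changes to prioritize.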

Improve Adoption of the Seven Key Security Capabilities


Use the BPA in conjunction with Palo Alto Networks technical documentation to identify the security
capabilities that need improvement and to make the needed improvements, especially in the seven key
security capabilities. Improving your security posture helps to safeguard your users and your valuable
devices, assets, applications, and services.
• WildFire—Transition WildFire Profiles Safely to Best Practices and then implement WildFire Best
Practices. The best practice WildFire profile is the default profile.
• Antivirus—Transition Antivirus Profiles Safely to Best Practices and then implement Antivirus Best
Practices (or slightly stricter Antivirus Best Practices for the data center).
• Anti-Spyware and DNS Sinkhole—DNS Sinkhole configuration is on the DNS Signatures tab in the Anti-
Spyware security profile. Transition Anti-Spyware Profiles Safely to Best Practices and then implement
Anti-Spyware Best Practices (or slightly stricter Anti-Spyware Best Practices for the data center).
• URL Filtering—Transition URL Filtering Profiles Safely to Best Practices and then implement URL
Filtering Best Practices.

• Vulnerability Protection—Transition Vulnerability Protection Profiles Safely to Best Practices and then
implement Vulnerability Protection Best Practices (or slightly stricter Vulnerability Protection Best
Practices for the data center).
• Logging—Security policy rules log at session end by default.
In addition, the BPA and the technical documentation show you how to improve many other security
capabilities such as App-ID, User-ID, File Blocking profiles, DoS and Zone Protection, and credential theft
protection. Some key resources are:
• Getting Started with the BPA—Shows you how to use the BPA to review the adoption of security
capabilities and identify gaps in adoption, evaluate your configuration including policies, objects,
network, and device and Panorama configuration, and prioritize changes including strengthening your
device management posture, improving visibility into traffic, and implementing initial best practice
controls.
• Decryption Best Practices—Shows you how to increase your visibility by decrypting all of the traffic that
your business model, privacy considerations, and regulations allow so that you can inspect the maximum
amount of traffic and protect your network from encrypted threats.
• DoS and Zone Protection Best Practices—Shows you how to take a layered approach to protecting
against denial-of-service (DoS) attacks that try to take down your network and to defending your
network perimeter, zones, and individual devices.
• Best Practices for Applications and Threats Content Updates—Deploying content and applications
updates in the best manner for your business requirements ensures that your network is protected
against the latest threats and identifies the latest applications.
You can find all of these documents and much more from the Best Practices portal and the Transition to
Best Practices page.

How to Engage Security Assurance


If you experience suspicious activity, when you engage Security Assurance, you must provide a specific set
of data about the suspected incident so Palo Alto Networks’ experts can investigate the activity.
• Data to Collect Before Engaging Security Assurance
• Engaging Security Assurance

Data to Collect Before Engaging Security Assurance


Palo Alto Networks’ experts need at a minimum the following information about the suspicious activity to
begin diagnosing the potential issue. Please collect this data before you engage Security Assurance.
Basic details regarding the suspicious activity:
• The suspected attack vector and type: What evidence of suspicious activity alerted your administrative
or response team?
• Timeline:
  • Date and time of the suspected initial attack, if known.
  • The time at which you identified the potential issue.
• Incident details:
  • Known IP addresses of impacted systems.
  • The IP addresses of impacted hosts that are publicly available through NAT.
  • Critical services that could make the system or systems a target, for example, databases, web
  services, remote access (RDP, Citrix, etc.) servers.
  • Known or suspicious IP addresses that may be related to the attack.
  • The User-IDs of compromised user accounts (if any).

• Topology diagram or overview: The location of the firewall in relation to the impacted hosts. (A
complete network topology diagram is not required.)
• Malware and indicators of compromise:
  • Samples.
  • Hashes.
Firewall data:
• Tech Support Files:
  • Generate and upload Tech Support Files from the firewalls in the path to potentially impacted devices
  at the time of the suspicious activity.
  • If you use Panorama to manage the firewalls, generate and upload the Panorama Tech Support File.
• Firewall logs: Export logs from the firewall and Panorama appliances from two hours before the
suspicious activity. Before you export logs, verify that the CSV row setting is at its maximum value of
65535 rows (Device > Setup > Management > Logging and Reporting Settings). If the value is lower,
increase it to the maximum of 65535 rows. Export logs for each of the following basic log categories (if
logs are enabled) based on IP address information and timestamp details (you can filter logs to display
log entries based on IP address and time):
  • Data Filtering logs
  • Traffic logs
  • Threat logs
  • URL Filtering logs
  • User-ID logs (if you suspect lateral movement is involved)
  • WildFire Submissions logs

It’s important to understand your deployment’s log retention policy and log retention capacity
to ensure that no relevant data is unexamined. Administrators may need to take additional
actions such as exporting data from firewalls or other logging servers to assure continuity
and completeness of data for the duration of the investigation.
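An added example, not from the original guide: given a constructed traffic log export in a simplified CSV layout (the column names are an assumption, real exports carry many more columns), it carves out the window that starts two hours before the earliest known activity, keeps only entries involving impacted or suspected IP addresses, and flags when the export does not reach back to the start of the window, which is the retention problem the note above describes.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real log data); columns are a simplified
# subset of a traffic log CSV, which is an assumption of this example.
SAMPLE_TRAFFIC_CSV = """receive_time,src,dst,app,action,rule
2019/12/10 08:05:12,10.1.1.20,10.1.1.5,ssl,allow,allow-web
2019/12/10 09:31:40,10.1.1.20,198.51.100.7,unknown-tcp,allow,allow-legacy-app
2019/12/10 10:02:03,10.1.1.55,10.1.1.5,ms-rdp,allow,allow-rdp
2019/12/10 10:17:45,198.51.100.7,10.1.1.20,ssl,deny,deny-all
2019/12/10 11:45:00,10.1.1.20,10.1.1.55,ms-rdp,allow,allow-rdp
"""
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
PRE_INCIDENT = timedelta(hours=2)  # the guide asks for logs from two hours before


def _parse_time(text):
    return datetime.strptime(text, TIME_FORMAT)


def incident_window(identified_at, first_seen=None):
    """Window from two hours before the earliest known time (the suspected
    initial attack if known, else the time the issue was identified) up to
    the time the issue was identified. Both arguments are time strings."""
    end = _parse_time(identified_at)
    earliest = _parse_time(first_seen) if first_seen else end
    return earliest - PRE_INCIDENT, end


def filter_export(csv_text, impacted, related, start, end):
    """Rows inside [start, end] whose src or dst is an impacted host or a
    known/suspected related address (the IP lists the guide asks for)."""
    watch = set(impacted) | set(related)
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = _parse_time(row["receive_time"])
        if start <= ts <= end and (row["src"] in watch or row["dst"] in watch):
            rows.append(row)
    return rows


def retention_gap(csv_text, start):
    """True when the export's earliest entry is later than the window start:
    the appliance no longer holds the beginning of the window, so other log
    stores (Panorama, forwarded logs) must be consulted for completeness."""
    times = [_parse_time(r["receive_time"])
             for r in csv.DictReader(io.StringIO(csv_text))]
    return bool(times) and min(times) > start
```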

More ways to identify meaningful data about suspicious activity:


• Use the Application Command Center (ACC). The ACC can show you traffic spikes, anomalies, and
changes in the time before, during, and after the suspicious activity.
• Use the Threat Monitor Report to view the top threats over the time period preceding, during, and
after the suspicious activity.

Engaging Security Assurance


After you collect data about the suspicious activity to ensure the timely analysis of the relevant information,
you’re ready to engage Security Assurance. You can engage Security Assurance in two ways:
• Log in to the Customer Support Portal. Click Create a Case to open a support case. When you fill out the
form, in Product/Problem Area, select Threat.
• Your sales engineer (SE) can open a support case on your behalf.
