Palo Alto Networks Best Practice Assessment Tool (BPA)

Jonathan Cardenas
Senior Consultant

The PAN BPA Tool. A great way to assess the success of your deployment.

Throughout this year, Basis Networks has worked with numerous customers, helping them assess their current Palo Alto Networks configuration and compare it to recommended best practices. We have been doing this by leveraging the power of the Palo Alto Best Practices Assessment tool (BPA).

What is the Best Practices Assessment tool?

The BPA tool uses the Tech Support File from PAN next-generation firewalls, or Panorama, and produces a security policy capability adoption heatmap. This heatmap measures adoption of App-ID, User-ID, Threat Prevention, URL Filtering, WildFire, File-Blocking, Data Filtering and Logging.

For Palo Alto partners like us, the BPA has become an effective way to transform a technology conversation into a business-level one. The heatmap metrics provide visibility, and when the assessment is run as a scheduled task by the security teams, trending data can be used by executives to justify budget requirements to move forward with subsequent phases of platform adoption. In short, the tool highlights great ways to achieve more value from the investments you have made in the Palo Alto Networks platform.

At Basis Networks, we have also found the tool invaluable in validating our Palo Alto Networks firewall deployments, as it provides a visual representation of our adherence to best practices when we implement on behalf of our customers.

Until this week, the BPA tool has only been available to partners and Palo Alto Networks engineers. However, from November 14th, customers can create a Self-Service BPA through their Customer Support Portal. This provides a great opportunity for Palo Alto Networks customers to assess the state of their deployment, and work with partners such as Basis Networks to plan and implement additional security capabilities.

We are here to help

According to Gartner Inc. “More than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”

It is important to highlight that a low adoption rate of any of the platform features doesn’t mean your environment is vulnerable, in the same way that 100% adoption doesn’t mean 100% best practice. At Basis Networks we can help you get the most out of your BPA assessment by qualifying your environment and setting realistic expectations of what your metrics should look like in the mid to long term. We understand that adoption of App-ID, User-ID or even decryption can be challenging after a migration process. We have the capability and experience first to help you perform that migration smoothly, using best practice techniques, if you aren’t quite there, and then to create a clear roadmap towards adoption of the platform’s more advanced features. And from the 14th you will be able to use the BPA to measure progress as your business aligns the platform expectations with the actual operational implementation.

If you would like some expert advice on your Palo Alto Networks deployment, or are considering the platform, please get in touch so we can give you some assistance.

Jonathan Cardenas is a Senior Consultant at Basis Networks, a Palo Alto Networks Certified Network Security Consultant (PCNSC) and a Cyberforce Defender.