Best Practice Assessment (BPA)

Palo Alto Networks created a Best Practice Assessment (BPA) Tool to check whether your firewall is still Next-Generation.

The BPA tool performs more than 200 security checks on a firewall or the Panorama central management configuration and provides a pass/fail score for each check.

The Best Practices Assessment uses the configuration files from your Palo Alto Networks Next-Generation Firewall(s) to produce a heat-map and a list of recommendations. The heat-map provides a detailed overview of the adoption of security capabilities like App-ID, User-ID, Threat Prevention, URL Filtering, WildFire and Logging on your firewall.

According to Gartner research, 95% of all firewall breaches are caused by misconfiguration, not flaws. It is essential to align your firewall configuration with the evolving Best Practices on a regular basis in order to keep the security posture of your Next-Generation Firewall at a maximised level.

The Best Practices tool has the following features:


  • It evaluates a device’s configuration by measuring the adoption of your firewall’s security capabilities like App-ID, User-ID, Threat Prevention, URL Filtering, WildFire, and Logging;
  • It validates whether the policies adhere to best practices and compares them against industry standards. The Best Practice Assessment tool performs more than 200 checks and compares against industry averages in your sector, based on all other Best Practice Assessment checks worldwide;
  • It provides recommendations and instructions on how to remediate failed best practice checks;
  • It benchmarks against CIS Top 20 Critical Security Controls.

The report’s summary view covers security controls aligned with various best practice checks, such as the CIS Critical Security Controls and NIST Framework. Adoption Heatmaps analyse NGFW configurations to produce a visualisation of how you are taking advantage of the prevention capabilities.

Specifically, the tool analyses your rule base to identify whether you are using the full capabilities where relevant.

How do I get a BPA?

To get a BPA, just contact us via email or phone to arrange it. We offer a free BPA with all our Remote Installation Services.

How long does it take to generate the BPA?

We can normally deliver a BPA within half a day, and it normally completes the same day. All we require is access to the firewall.

Is this a one-off service?

Yes and no. We can certainly perform this as a one-off service, and we do this as part of our remote installation service free of charge. We do recommend regularly performing a BPA to ensure the firewall is always making full use of the new features and that any changes that have been made are working as best they can.

Contact Us

Call our friendly team to discuss your installation requirements.

0800 048 9338