Best Practice Assessment for Palo Alto Networks

Getting a “second opinion” about your security infrastructure

The cybersecurity threat landscape is filled with constant changes and developments, creating challenges for data security professionals in all organizations. It is even more difficult for companies to protect their most valuable assets when shortage of experienced engineers and analysts is prevailing. In such atmosphere any help and advice is highly appreciated and welcome.

Read what Slawek Balcerzak, BlueChipTek Systems Engineering Director, has to say about Palo Alto Networks' solution to optimizing your usage of your equipment.


There are hundreds of challenges all the security professionals face on daily basis, and among them are definitely such as below.

Are we optimally using the equipment we invested into?

It is not uncommon that the solutions implemented in particular network have sets of features which are different from the originally requested functionality. Also, the needs change in time, new features get implemented, functionalities get expanded or changed, so it would be great to periodically check whether a good match between the needs and the enabled (and quite frequently - subscribed) features exists. Nobody wants to pay for bells and whistles they don’t need, or if they already have them they prefer to use them effectively.

Are we following the best practices to provide stellar protection for our company’s assets?

Even the biggest organizations may not have the team big enough, and experience gained at other places to be able to come up with the best practices on their own. Wouldn’t it be beneficial to know what’s recommended and what other organizations are doing?

How can we be sure there are no mistakes in configurations, which make our equipment ineffective?

Even the best security solution won’t protect any resources if it isn’t configured properly. The bigger organization is, the more complicated the configuration of their infrastructure becomes, therefore more care needs to be taken to make sure there are no mistakes there.

Are we doing everything we can with the tools we own, so that we provide adequate prevention level?

Currently, the most dangerous security attacks last for a very short period, are precisely targeted and not repeated. Because of that, legacy approach of manual intervention after the incident has been detected is not working. Without automated reaction to the detected threat the only thing the security team will be able to do is minimize losses and do the damage control. That’s why prevention should be main goal of any security team and tools they use.


Very interesting approach to solve these dilemmas has been developed by Palo Alto Networks Customer Success team, who defined a Prevention Architecture Methodology consisting of four elements: Assessment, Analysis, Planning and Execution

PAN-Prevention-Architecture-Methology.png#asset:3001

Source: Palo Alto Networks


Within this framework there are two very well-defined and structured tools that form a foundation for adoption planning and execution – Prevention Posture Assessment (PPA) and Best Practice Assessment (BPA) for next generation firewalls and Panorama.

Both tools generate a very informative reports, however they are different in the type of input they use and the purpose they serve. PPA is a guided interview that helps security professionals understand status and gap areas of their current security technologies used within the organization. This assessment can be performed no matter what vendor solution is utilized in the network, and provides information on how different stakeholders perceive the current status and what are their intentions and goals. BPA, on the other hand, analyzes current status of network security on more objective level comparing existing configuration with the industry best practices.

Best Practice Assessment provides several kinds of information. Heatmaps are a graphical representation of adoption of various security capabilities of Palo Alto Network platform in each security policy and zone. They show whether things like Antivirus, UserID, various IPS techniques are enabled and applied to each security policy and zone, and they provide a score in form of a color (from green through different shades of yellow and orange to red) and numerical value of the adoption rate. If BPA is performed for several times, preferably after each round of execution of remediation steps (as shown in the lifecycle representation before) tool will provide Trending, which shows security executives insight into how well the remediation efforts have improved prevention posture of the organization. Finally, the part of BPA that provides almost direct instructions on what needs to be corrected and how is Best Practices section of this report. This is where the adoption planning will start. Each configuration deviation from what Palo Alto Networks engineers and security analysts defined as best practice will be marked and explained, thus giving the user solid information on whether it applies to their situation and environment.

BlueChipTek is a Gold Partner of Palo Alto Networks. If you are a current user of their next generation firewalls we would be glad to run a BPA for you, free of charge. We are dedicated to helping you to make sure that your investment in security is properly and effectively utilized. What we have noticed in our practice is that periodical reviews of configurations help a lot with improving prevention posture for our customers, especially that many of them don’t have enough resources to do it by themselves.

If you are interested in scheduling a Best Practice Assessment free of charge, please reach out to your BlueChipTek representative if you are already working with us, or fill out our contact form to ask for this service.