The Big Red Pill: Using Palo Alto Networks Best Practices Tool to Optimize Your Firewall Security Stance

By Timothy Grossner, PCNSE

Estimated Reading Time: 11 minutes

As a CISO, a security decision maker, or a Network Security Engineer, do you ever wonder how your organization’s Palo Alto Networks (PAN) configurations for rules, updates, and threat protection stand up to the vendor recommendations? Did you just finish migrating from a last-gen firewall product and want to see what Palo Alto Networks best practices are recommended and what PAN features you are and are not using? Do you choose the red pill, and dig into the firewall policy for what it could potentially do for you? Or do you choose the blue one and cross your fingers? I know which one I’d choose. Let me take you down the rabbit hole.

The Red Pill

The Deepwatch Protect Firewall team is here to help by utilizing and explaining the Palo Alto Networks Best Practices Tool (BPA). The BPA gives organizations the best view of the PAN firewall security posture both as an organization and as a member of your specific industry. Running your firewall or Panorama configuration through the tool, we are presented with a report that not only shows how your firewalls are positioned, but also how it stacks up against other comparable PAN customers.

Using the Tool to Generate Reports:

  • Login to your firewall or Panorama
  • Select the device tab (if firewall) or Panorama tab (if Panorama)

  • Select Support on the left hand side of the page

  • Select the Generate Tech Support File

  • Save the compressed file in a safe location (this file contains sensitive information such as hashed passwords, etc.)
  • Login to your support account on the Palo Alto Networks website (
    • Your support account, if not the main administrative account, must be granted access to the BPA Tool to continue
  • Click on Tools, Best Practice Assessment

  • Select Generate New BPA

  • Drag your tech support compressed file to the area to upload, or select browse to select the file directly from your workstation

  • Once the file is uploaded, you will be tasked with setting some basic topology definitions for zone, device group (if using Panorama) and classifications of those zones

Once the report is generated, you can use it to understand your security policy, threat protection, and other features which require your attention. The BPA score should be considered an ideal to strive for. Very few organizations are going to achieve 100% on any individual score, let alone all of them. Settings that work for one company environment are not going to be ideal for another environment. The score for the use of User-ID, for example, is not important if you are not using the User ID feature to identify users and apply security policy to those users. However, you should use it as a way to measure your use of chosen PAN features to their fullest potential.

Example Reports

  • Capability Summary – You can easily see where your firewall management and operations gaps are.

  • Class Summary – Where does your Technical, Operational, and Management functionality rank?

  • CIS Critical Security Controls – How does your firewall configuration score, when mapped to the CIS?

  • Security Profile Adoption – This shows you how your use of the Palo Alto Networks security features stack up against peers in your industry/vertical

Interpreting the Results

Let’s say your score shows that you have Security Profile Adoption rates of:


Take Anti-Virus as an example. The table above shows you that only 22.9% of your rules have an anti-virus profile applied to them. To improve that score, you need to review the rules that do not use anti-virus profiles or profile groups that contain an anti-virus profile in the action tab, and then determine if the traffic those rules process propagate viruses. Is the rule a simple allowance for DNS and NTP traffic between two hosts? Then it likely isn’t a candidate for using anti-virus protections. However, you should apply an anti-spyware profile to it, because PAN uses anti-spyware profiles to enact DNS Security/Sinkholing. Applying the anti-spyware protections to the rule will raise the Anti-Spyware score. What if the rule allows your user base to get to the World Wide Web? You definitely want anti-virus protections as well as url filtering on that traffic.

How about App-ID Utilization and User-ID Utilization?

If you are not using User ID at all, your score would be 0%, and with good reason. Just because the tool reports a low or zero score, doesn’t mean you must start using a feature. Some organizations have no need for User ID at all, so their score would naturally be zero. App ID is another matter, however. 

App ID is one of the crown jewels of the Palo Alto Networks next generation firewall technologies — the ability to identify what application is being used on any given flow through the firewall. Any rule that is not using App ID in the Application column of the rule should be converted to App ID. Without it, you could have SSH traffic flowing over TCP port 443, and TLS traffic flowing over TCP port 22. Or, both could be flowing outbound over TCP port 53. Wake up, Neo. The Matrix has you.

Allowing outbound TCP port 443 to “any” on an last-gen firewall, you would allow any kind of traffic, such as SSH/SCP traffic, as long as the remote server was configured to use port 443, that would be encrypted and unreadable by you or your security devices. There was no telling exactly what was flowing out from your environment. Now, however, with App ID, you can simply convert that rule to use “web-browsing and SSL” and voila! Any other type of application that would normally be allowed by that rule would be blocked, and only a web browsing session using SSL/TLS would make it through the firewall. The BPA tool can tell you how many, if any, of your rulesets are using this ultra-valuable feature on your Palo Alto Networks firewall.

What about Logging? 

At Deepwatch, we LOVE US some logging. It’s our “thing”.

The BPA tool can show you what percentage of rules are set to log at the end of the session AND what percentage are being forwarded to your log collector — in our case, a Deepwatch Heavy Forwarder — for archiving and reporting. The more rules that have logging on, and log forwarding to your Heavy Forwarder, the better.  

Decryption! Yes, it’s worth it.

TLS/SSL is becoming so commonplace, it’s estimated that 85% of public Internet web traffic is now using encryption.

Are you using SSH Proxy decryption? Cool. How about SSL Forward Proxy for outbound user TLS/SSL sessions? Yep, that looks good. But decryption of inbound SSL is not enabled, in this example. Without it, the firewall has no way to detect and stop the web shell that was just installed on your webserver by Agent Smith.


The Palo Alto Networks Best Practices Tool:

  • Analyzes the configuration from a tech support dump file
  • Gives you a report on where it aligns with security standards
  • Shows you what security protections are applied, and to what degree

In short, the Palo Alto Networks Best Practices Tool can give you a clearer picture of how your security appliance is utilizing the features that Palo Alto offers. A firewall is only as good as the features that you take advantage of. Much of the time, it’s not obvious where the gaps are in the use of those features. The BPA tool finds those gaps, and shows you not only where they are, but how you stack up against other industry customer’s implementations as well. With all of this the BPA Tool can help you realize the truth…. there is no spoon.


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog