Palo Alto Best Practice Assessment (BPA) for Security Profiles
Created On 05/28/24 03:39 AM - Last Modified 05/28/24 05:01 AM
Objective
To configure Security Profiles in accordance with the Palo Alto Networks Best Practice Assessment (BPA).
Related documentation:
Run the Best Practice Assessment (BPA) and Feature Adoption summary directly from Strata Cloud Manager.
On Demand BPA (ad-hoc devices not associated with AIOps)
For devices associated with AIOps
Security Policy Best Practices
BPA results often show Security Profiles failing checks when the profiles are not configured in accordance with the BPA. This document provides the configurations and screenshots that simplify bringing the profiles into compliance.
Procedure
The Security Policy Best Practices documentation contains the steps for configuring the various Security Profiles.
To simplify the process, the screenshots below show each Security Profile configured as per best practice.
Antivirus Profile
Anti-Spyware Profile
Vulnerability Protection Profile
URL Filtering Profile
(See the full category list below.)
Comprehensive list of URL categories and the recommended action for each in the URL Filtering Profile, in PAN-OS set-command format (profile name BPA-URL; "block" for site access and for credential submission covers the categories the BPA treats as liability risk or potentially malicious, while "alert" keeps visibility through URL logs without blocking):
set profiles url-filtering BPA-URL alert [ abortion alcohol-and-tobacco artificial-intelligence auctions business-and-economy computer-and-internet-info content-delivery-networks cryptocurrency dating educational-institutions entertainment-and-arts financial-services games government health-and-medicine high-risk home-and-garden hunting-and-fishing internet-communications-and-telephony internet-portals job-search legal low-risk marijuana medium-risk military motor-vehicles music news nudity online-storage-and-backup personal-sites-and-blogs philosophy-and-political-advocacy private-ip-addresses real-estate real-time-detection recreation-and-hobbies reference-and-research religion search-engines sex-education shareware-and-freeware shopping social-networking society sports stock-advice-and-tools streaming-media swimsuits-and-intimate-apparel training-and-tools translation travel web-advertisements web-based-email web-hosting ]
set profiles url-filtering BPA-URL block [ abused-drugs adult command-and-control copyright-infringement dynamic-dns encrypted-dns extremism gambling grayware hacking insufficient-content malware newly-registered-domain not-resolved parked peer-to-peer phishing proxy-avoidance-and-anonymizers questionable ransomware scanning-activity unknown weapons ]
set profiles url-filtering BPA-URL credential-enforcement alert [ abortion alcohol-and-tobacco artificial-intelligence auctions business-and-economy computer-and-internet-info content-delivery-networks cryptocurrency dating educational-institutions entertainment-and-arts financial-services games government health-and-medicine home-and-garden hunting-and-fishing internet-communications-and-telephony internet-portals job-search legal low-risk marijuana medium-risk military motor-vehicles music news nudity online-storage-and-backup personal-sites-and-blogs philosophy-and-political-advocacy private-ip-addresses real-estate real-time-detection recreation-and-hobbies reference-and-research religion search-engines sex-education shareware-and-freeware shopping social-networking society sports stock-advice-and-tools streaming-media swimsuits-and-intimate-apparel training-and-tools translation travel web-advertisements web-based-email web-hosting ]
set profiles url-filtering BPA-URL credential-enforcement block [ abused-drugs adult command-and-control copyright-infringement dynamic-dns encrypted-dns extremism gambling grayware hacking high-risk insufficient-content malware newly-registered-domain not-resolved parked peer-to-peer phishing proxy-avoidance-and-anonymizers questionable ransomware scanning-activity unknown weapons ]
Additional Information
Here are some Security Profile check failures you may see in the BPA results if these best practices are not followed.
Best Practice check names:
The Anti-Spyware profile settings for low and informational severity events are not set to "default"
The Vulnerability Protection profile settings for low and informational severity events are not set to "default"
Antivirus Decoder action settings not recommended
Antivirus Decoder WildFire Actions Not Set to Recommended
Antivirus Profile Decoder Wildfire Inline ML Action
URL Filtering Profile Inline ML Model Action
User Credential Detection is not configured as 'Use Domain Credential Filter' in a URL Filtering Profile
No visibility into URL categories.
URL categories that present liability risk to businesses are not blocked.
Potentially malicious URL categories are not blocked.
User Credential Submission in the URL Filtering profile is not blocked for categories that may present liability risk to businesses.
User Credential Submission in the URL Filtering profile is not blocked for categories that are potentially malicious.
No visibility into user credential submissions to websites.
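The following Python script is an added example; it is not Palo Alto Networks code and not part of the original article. It parses set-format URL Filtering profile commands like the four listed above and reports which of the URL-related BPA checks in this list (visibility into categories, liability-risk and potentially malicious categories not blocked, credential submission not blocked, no visibility into credential submissions) a given profile would fail. Assumptions: a category the profile does not mention keeps the profile default, taken here as "allow"; the BPA's "liability risk" and "potentially malicious" groups together make up the block list shown on this page (the page does not split them, so the script treats them as one set); and the Legacy-URL profile is constructed sample input. The "Use Domain Credential Filter" and Inline ML checks are not covered because the page gives no set syntax for them.

```python
"""Audit PAN-OS URL Filtering profiles (set-format config) against the URL checks in this article.
Added example, not Palo Alto Networks code. Category lists are copied from the set commands above."""
import re
from collections import defaultdict

# Site-access 'alert' categories from the page's BPA-URL profile.
BPA_ALERT = set("""abortion alcohol-and-tobacco artificial-intelligence auctions business-and-economy
computer-and-internet-info content-delivery-networks cryptocurrency dating educational-institutions
entertainment-and-arts financial-services games government health-and-medicine high-risk home-and-garden
hunting-and-fishing internet-communications-and-telephony internet-portals job-search legal low-risk
marijuana medium-risk military motor-vehicles music news nudity online-storage-and-backup
personal-sites-and-blogs philosophy-and-political-advocacy private-ip-addresses real-estate
real-time-detection recreation-and-hobbies reference-and-research religion search-engines sex-education
shareware-and-freeware shopping social-networking society sports stock-advice-and-tools streaming-media
swimsuits-and-intimate-apparel training-and-tools translation travel web-advertisements web-based-email
web-hosting""".split())
# Site-access 'block' categories. BPA groups these as liability-risk and potentially malicious;
# the page does not split them, so they are one set here (assumption).
BPA_BLOCK = set("""abused-drugs adult command-and-control copyright-infringement dynamic-dns encrypted-dns
extremism gambling grayware hacking insufficient-content malware newly-registered-domain not-resolved
parked peer-to-peer phishing proxy-avoidance-and-anonymizers questionable ransomware scanning-activity
unknown weapons""".split())
BPA_CRED_BLOCK = BPA_BLOCK | {"high-risk"}  # credential submission is also blocked for high-risk
ALL_CATS = BPA_ALERT | BPA_BLOCK
DEFAULT_ACTION = "allow"  # assumption: an unmentioned category keeps the profile default, 'allow'

LINE_RE = re.compile(
    r"^set profiles url-filtering (?P<name>\S+) "
    r"(?P<cred>credential-enforcement )?(?P<action>allow|alert|block|continue|override) "
    r"(?P<cats>\[ .*? \]|\S+)$"
)


def parse_profiles(config_text):
    """Return {profile: {'site': {category: action}, 'cred': {category: action}}}."""
    profiles = defaultdict(lambda: {"site": {}, "cred": {}})
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # not a URL filtering action line (description, other profile types, ...)
            continue
        table = "cred" if m.group("cred") else "site"
        for cat in m.group("cats").strip("[] ").split():  # bracket list or single category
            profiles[m.group("name")][table][cat] = m.group("action")
    return dict(profiles)


def bpa_findings(profile):
    """Map each BPA check (wording from this page) to the categories that make it fail."""
    def effective(table, cat):
        return profile[table].get(cat, DEFAULT_ACTION)
    checks = {
        # 'allow' writes no URL log entry, so allowed categories give no visibility.
        "No visibility into URL categories.":
            [c for c in ALL_CATS if effective("site", c) == "allow"],
        "Liability-risk or potentially malicious URL categories are not blocked.":
            [c for c in BPA_BLOCK if effective("site", c) != "block"],
        "User Credential Submission is not blocked for liability-risk or potentially malicious categories.":
            [c for c in BPA_CRED_BLOCK if effective("cred", c) != "block"],
        "No visibility into user credential submissions to websites.":
            [c for c in ALL_CATS if effective("cred", c) == "allow"],
    }
    return {name: sorted(cats) for name, cats in checks.items() if cats}


def render_bpa_profile(name="BPA-URL"):
    """Emit the four set commands shown on this page, generated from the category sets."""
    def cmd(scope, action, cats):
        return f"set profiles url-filtering {name} {scope}{action} [ {' '.join(sorted(cats))} ]"
    return "\n".join([cmd("", "alert", BPA_ALERT), cmd("", "block", BPA_BLOCK),
                      cmd("credential-enforcement ", "alert", BPA_ALERT - {"high-risk"}),
                      cmd("credential-enforcement ", "block", BPA_CRED_BLOCK)])


def audit(config_text):
    """Return {profile_name: findings} for every URL filtering profile in a set-format config."""
    return {name: bpa_findings(p) for name, p in parse_profiles(config_text).items()}


# Constructed sample: a legacy profile that leaves most categories at the default and only
# blocks a handful of malicious ones, which is typical of what trips the checks above.
WEAK_CONFIG = """\
set profiles url-filtering Legacy-URL allow [ business-and-economy search-engines unknown ]
set profiles url-filtering Legacy-URL alert [ hacking high-risk ]
set profiles url-filtering Legacy-URL block [ malware phishing command-and-control ]
set profiles url-filtering Legacy-URL credential-enforcement allow [ web-based-email ]
set profiles url-filtering Legacy-URL credential-enforcement block malware
"""

if __name__ == "__main__":
    for name, findings in audit(WEAK_CONFIG + render_bpa_profile()).items():
        print(f"== {name}: {'PASS' if not findings else f'{len(findings)} failed checks'}")
        for check, cats in findings.items():
            print(f"  {check} ({len(cats)}): {', '.join(cats[:6])}{' ...' if len(cats) > 6 else ''}")
```

Feed it the output of `show config running format set` (or a saved set-format export) filtered to the URL filtering profiles; the Legacy-URL sample fails all four checks while the regenerated BPA-URL profile passes, which is a quick way to confirm a profile matches the list above before re-running the BPA.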