* [Blog](https://www.paloaltonetworks.com.au/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com.au/blog/corporate/)
* [Announcement](https://www.paloaltonetworks.com.au/blog/category/announcement/)
* Implement NGFW Best Pract...

# Implement NGFW Best Practices with Ease

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2F2022%2F02%2Fngfw-best-practice-assessment%2F)  
[](https://twitter.com/share?text=Implement+NGFW+Best+Practices+with+Ease&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2F2022%2F02%2Fngfw-best-practice-assessment%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2F2022%2F02%2Fngfw-best-practice-assessment%2F&title=Implement+NGFW+Best+Practices+with+Ease&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com.au/blog/2022/02/ngfw-best-practice-assessment/&ts=markdown)  
\[\](mailto:?subject=Implement NGFW Best Practices with Ease)  
Link copied  
By [Vivek Sharma](https://www.paloaltonetworks.com/blog/author/vivek-sharma/?ts=markdown "Posts by Vivek Sharma")  
Feb 18, 2022  
4 minutes  
[Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown)  
[Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown)  
[Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)  
[BPA](https://www.paloaltonetworks.com/blog/tag/bpa-2/?ts=markdown)  
[NGFW](https://www.paloaltonetworks.com/blog/tag/ngfw/?ts=markdown)  
[Panorama](https://www.paloaltonetworks.com/blog/tag/panorama/?ts=markdown)  
[Strata](https://www.paloaltonetworks.com/blog/tag/strata/?ts=markdown)

This post is also available in: [日本語 (Japanese)](https://www.paloaltonetworks.com.au/blog/2022/04/ngfw-best-practice-assessment/?lang=ja "Switch to Japanese(日本語)")

## An Introduction to Best Practice Assessment Plus (BPA+)

As organizational complexity continues to increase, the attack surface that security teams must address expands parallelly. Customers struggle to configure their firewalls using existing applications and capabilities to properly secure their network, which means a misconfigured firewall offers comparable protection to no firewall at all. 99% of firewall breaches through 2023 will be due to firewall misconfigurations, not firewall flaws, according to [Gartner research](https://www.gartner.com/en/documents/3902564/technology-insight-for-network-security-policy-managemen).

The Best Practice Assessment (BPA) measures usage of your Palo Alto Networks^Ⓡ^ Next Generation Firewall, and Panorama™ security management capabilities across your deployment, enabling you to make adjustments to maximize your return on investment and strengthen security. The BPA enables you to obtain context into your security posture from a configuration perspective by generating high-level graphics, heatmaps and reports that compare how your configuration aligns with best practices across your industry. Additionally, more granular metrics are shown along with recommendations on how to take action in order to improve configuration security postures across all devices.

The Palo Alto Networks Best Practice Assessment Plus (BPA+) is a step-by-step configuration wizard that provides an intuitive, easy-to-use interface to configure firewalls to align with best practices. The BPA+ takes the results of the BPA and expedites the remediation process by outputting commands that can be easily pasted into any instance of PAN-OS and committed. This provides a clear call to action on how to remediate failed BPA checks and improve security posture.

## BPA+ User

We have designed BPA+ to help our Strata ™ and Panorama customers to automagically expedite expert-driven changes by identifying failed BPA checks and provide a clear call to action on how to remediate those failed BPA checks. This will help our Strata and Panorama customers to reduce misconfigurations across their network security resulting in greater security posture.

## BPA+ Customer Benefits

* Save time and automatically remediate to security best practices.
* Lower risk and reduce configuration errors.
* Quickly deploy configurations across your entire firewall infrastructure.
* Maximize your return on your security investment.

Our goal is to provide you with a customized recommendation to remediate failed BPA checks that improve overall security posture. A step-by-step guided configuration wizard will provide an intuitive, easy-to-use interface to configure your Palo Alto Networks Next Generation Firewall that aligns with best practices. This involves tech support file (TSF) upload, completing the numbered steps and then executing the commands generated by the BPA+ on to your firewall.

As part of its initial release, BPA+ will analyze the ten most prevalent Best Practice Assessment checks.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/word-image-34.png)  
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/Top-10-Checks.png)

## How to Access Best Practice Assessment Plus?

There are two different ways to access the Best Practice Assessment Plus.

1. Login to your account in [Customer Support Portal](https://support.paloaltonetworks.com/support) and click tools, then Best Practice Assessment to generate an assessment of your current configuration.

![Customer support portal screen shot showing alerts and recent activity.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/word-image-2.gif)

Then upload a tech support file to check for failed BPA checks. After the file is analyzed, the BPA report will be generated with the results. You can view these in the tool or download the report. Once you open your report, click "**Try BPA+**" tab to launch BPA+ wizard.

![Screen shot of Strata and device content ID settings.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/word-image-36.png)

2. You can also access BPA+ from the Get Help location of the Customer Support Portal. Click the "Get Help" button and when entering the problem description, the system will determine you may be having a configuration issue based on your problem category choice. A "Launch BPA+" button will appear in the recommended solutions.

Once a tech support file is uploaded, BPA+ will identify available remediations based on the failed best practice checks. You can confirm the best practice settings being modified for each specific profile and rulebase. After review, you can run simple, executable commands in your firewall CLI to update your configuration settings to adhere to best practices.

![Screenshot of BPA+ remediations. The welcome page.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/02/word-image-37.png)

Learn more about [BPA+](https://www.youtube.com/watch?v=DpyirA-W4-U) or [BPA](https://www.paloaltonetworks.com/services/bpa).

*** ** * ** ***

## Related Blogs

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown)

[#### Introducing PAN-OS 9.0: Stop Threats Hiding in DNS, Close Security Gaps](https://www.paloaltonetworks.com.au/blog/2019/02/introducing-pan-os-9-0-stop-threats-hiding-dns-close-security-gaps/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Enterprise \& Branch Security with Palo Alto Networks New NGFWs](https://www.paloaltonetworks.com.au/blog/network-security/enterprise-branch-security-with-palo-alto-networks-new-ngfws/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud-delivered Security](https://www.paloaltonetworks.com/blog/sase/category/cloud-delivered-security/?ts=markdown), [News \& Events](https://www.paloaltonetworks.com/blog/sase/category/news-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/sase/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Strata Cloud Manager: One Interface, Complete Network Security Control](https://www.paloaltonetworks.com.au/blog/2024/11/strata-cloud-manager-one-interface-complete-network-security-control/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)

[#### Palo Alto Networks Paves the Way with New OT Security Innovations](https://www.paloaltonetworks.com.au/blog/2023/11/new-ot-security-innovations/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Outmatch Adversaries with PAN-OS 11.1 Cosmos \& Strata Cloud Manager](https://www.paloaltonetworks.com.au/blog/2023/11/pan-os-11-1-cosmos-strata-cloud-manager/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Just Released and Ready for Download --- Software Firewalls for Dummies](https://www.paloaltonetworks.com.au/blog/2023/09/software-firewalls-for-dummies/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com.au/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language