Palo Alto Networks Best Practice Assessment (BPA) analyzes NGFW and Panorama configurations and compares them to the best practices. This integration was integrated and tested with version 1.0 of BPA. Supported Cortex XSOAR versions: 5.0.0 and later.
Navigate to Settings > Integrations > Servers & Services.
Search for BPA.
Click Add instance to create and configure a new integration instance.
Parameter Description Required server Panorama Server URL (e.g., https://192.168.0.1\) True key Panorama API Key True token BPA Access Token True insecure Trust any certificate (not secure) False proxy Use system proxy settings False
Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Gets the documentation of all BPA checks.
|doc_ids||A comma-separated list of IDs of the documents to return.||Optional|
|PAN-OS-BPA.Documentation.Document.DocId||Number||The ID of the document.|
|PAN-OS-BPA.Documentation.Document.TopNav||String||The TopNav field of the document.|
|PAN-OS-BPA.Documentation.Document.LeftNav||String||The LeftNav of the document.|
|PAN-OS-BPA.Documentation.Document.Title||String||The title of the document.|
|PAN-OS-BPA.Documentation.Document.DocType||String||The type of the document.|
|PAN-OS-BPA.Documentation.Document.Description||String||The description of the document.|
|PAN-OS-BPA.Documentation.Document.Rationale||String||The rationale of the document.|
|PAN-OS-BPA.Documentation.Document.References||String||The references for the document.|
|PAN-OS-BPA.Documentation.Document.Active||Boolean||Whether the document is active or not.|
|PAN-OS-BPA.Documentation.Document.LastUpdatedDate||String||The date the document was last updated.|
|PAN-OS-BPA.Documentation.Document.CapabilityLabel||Unknown||The capability label of the document.|
|PAN-OS-BPA.Documentation.Document.ClassLabel||Unknown||The class label of the document.|
|PAN-OS-BPA.Documentation.Document.ControlCategory||Unknown||The control category of the document.|
|PAN-OS-BPA.Documentation.Document.Cscv6Control||Unknown||The CSCv6 control of the document.|
|PAN-OS-BPA.Documentation.Document.Cscv7Control||Unknown||The CSCv7 control of the document.|
|PAN-OS-BPA.Documentation||Unknown||The list of BPA checks.|
Active CapabilityLabel ClassLabel Complexity ControlCategory Cscv6Control Cscv7Control Description DocId DocType Effort LastUpdatedDate LeftNav Rationale References Title TopNav true Preventative,
Technical Advanced Access Control 11.1,
Do not specify both the source and destination zones as "any" on the rule. 4 Warning 60 2020-10-05T22:46:57.585179Z Security Use Security policy settings to create rules that exactly define the traffic to which the rules apply (zones, IP addresses, users, applications). Policies that are too general may match traffic you don’t want the policy to match and either permit undesirable traffic or deny legitimate traffic. Defining the source, destination, or both zones prevents potentially malicious traffic that uses evasive or deceptive techniques to avoid detection or appear benign from traversing the entire network, which reduces the attack surface and the threat scope. The exception to this best practice is when the Security policy needs to protect the entire network. For example, a rule that blocks traffic to malware or phishing URL categories can apply to all zones (and all traffic) because the URL Category clearly defines the traffic to block. Another example is blocking all unknown traffic with a block rule that applies to all traffic in all zones and defining the blocked applications as “unknown-tcp”, “unknown-udp”, and “unknown-p2p”. ['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy'] Source/Destination = any/any Policies true Performance Technical Advanced Audit and Accountability Don't enable "Log at Session Start" in a rule except for troubleshooting purposes. 6 Warning 60 2020-10-05T22:46:57.596239Z Security By default, the firewall creates logs at the end of the session for all sessions that match a Security policy rule because the application identification is likely to change as the firewall identifies the specific application and because logging at the session end consumes fewer resources than logging the session start. For example, at the start of a session, the firewall identifies Facebook traffic as web-browsing traffic, but after examining a few packets, the firewall refines the application to Facebook-base. Use “Log at Session Start” only to troubleshoot packet flow and related issues, or for tunnel session logs (only logging at session start shows active GRE tunnels in the Application Command Center). ['https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-data-center/data-center-best-practice-security-policy/log-and-monitor-data-center-traffic/what-data-center-traffic-to-log-and-monitor'] Log at Start of Session Policies true Recovery,
Advanced Contingency Planning,
Audit and Accountability
Create and enable a Log Forwarding profile on the rule. 7 Warning 60 2020-10-05T22:46:57.601517Z Security The firewall has limited log storage space and when the space fills up, the firewall purges the oldest logs. Configure Log Forwarding for the traffic that matches each Security policy rule. You can create profiles that send logs to a dedicated storage device such as Panorama in Log Collector mode, a syslog or SNMP server, or to an email profile, to provide redundant storage for the logs on the firewall and a long-term repository for older logs. You can create profiles to forward logs to one or more external storage devices to remain in compliance, run analytics, and review abnormal activity, threat behaviors, and long-term patterns. ['https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/configure-log-forwarding'] Log Forwarding Policies
Submits a job to the BPA job queue. PAN-OS devices with large configuration files may take a few minutes for the job to be submitted.
|generate_zip_bundle||Whether to download the Panorama report. Can be "true" or "false". Default is "false".||Optional|
|timeout||The timeout for the request. Default is 120.||Optional|
|PAN-OS-BPA.SubmittedJob.JobID||String||Submitted Job ID, used to query results when the job is done.|
Submitted BPA job ID: ca5dc5a7-c3e5-474a-8d04-e3129c1b0edf
Returns results of BPA job.
|task_id||The job ID for which to return results.||Required|
|exclude_passed_checks||Whether to exclude passed checks. Can be "true" or "false". Default is "false".||Optional|
|check_id||A comma-separated list of the BPA IDs of the results to return.||Optional|
|check_name||A comma-separated list of the name of the results to return.||Optional|
|PAN-OS-BPA.JobResults.JobID||String||The submitted job ID.|
|PAN-OS-BPA.JobResults.Status||String||The job status in the queue (in progress or completed).|
|PAN-OS-BPA.JobResults.Checks||Unknown||The list of checks.|
|InfoFile.EntryID||string||File entry ID.|
|InfoFile.Type||string||File type, e.g., "PE"|
|InfoFile.Info||string||Basic information of the file.|
!pan-os-bpa-get-job-results task_id=b0539068-e1c1-496c-9dfd-a1274947f76e check_id=104,105 check_name="Accelerated Aging"
check_category check_feature check_id check_message check_name check_passed check_type device device_setup_services 105 It is recommended to configure a primary and secondary NTP Server Address NTP Server Address false Warning device device_setup_services 104 Verify Update Server Identity true Warning device device_setup_session 121 Accelerated Aging true Warning