Step 1: Understand the Best Practice Assessment (BPA)
Purpose: The BPA assesses NGFW (e.g., PA-Series) and Panorama configurations against best practices, including Center for Internet Security (CIS) Critical Security Controls, to enhance security and feature adoption.
Process: Requires a Tech Support File (TSF) upload or telemetry data from onboarded devices to generate the report.
Evolution: Historically available via the Customer Support Portal, the BPA has transitioned to newer platforms like AIOps and Strata Cloud Manager.
References: "BPA measures security posture against best practices" (paloaltonetworks.com, Best Practice Assessment Overview).
Step 2: Evaluate Each Option
Option A: PANW Partner Portal
Description: The Palo Alto Networks Partner Portal is a platform for partners (e.g., resellers, distributors) to access tools, resources, and customer-related services.
BPA Capability:
Historically, partners could generate BPAs on behalf of customers via the Customer Success Portal (accessible through Partner Portal integration), but this was not a direct customer-facing feature.
As of July 17, 2023, the BPA generation capability in the Customer Support Portal and related partner tools was disabled, shifting focus to AIOps and Strata Cloud Manager.
Partners can assist customers with BPA generation but cannot directly generate reports for customer review in the Partner Portal itself; customers must access reports via their own interfaces (e.g., AIOps).
Verification:
"BPA transitioned to AIOps; Customer Support Portal access disabled after July 17, 2023" (live.paloaltonetworks.com, BPA Transition Announcement, 07-10-2023).
No current documentation supports direct BPA generation in the Partner Portal for customer review.
Conclusion: Not a customer-accessible location for generating BPAs.Not Applicable.
Option B: Customer Support Portal
Description: The Customer Support Portal (support.paloaltonetworks.com) provides customers with tools, case management, and historically, BPA generation.
BPA Capability:
Prior to July 17, 2023, customers could upload a TSF under "Tools > Best Practice Assessment" to generate a BPA report (HTML, XLSX, PDF formats).
Post-July 17, 2023, this functionality was deprecated in favor of AIOps and Strata Cloud Manager. Historical BPA data was maintained until December 31, 2023, but new report generation ceased.
As of March 08, 2025, the Customer Support Portal no longer supports BPA generation, though it remains a support hub.
Verification:
"TSF uploads for BPA in Customer Support Portal disabled after July 17, 2023" (docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-best-practices).
"Transition to AIOps for BPA generation" (live.paloaltonetworks.com, BPA Transition to AIOps, 07-10-2023).
Conclusion: No longer a valid location for BPA generation as of the current date.Not Applicable.
Option C: AIOps
Description: AIOps for NGFW is an AI-powered operations platform for managing Strata NGFWs and Panorama, offering real-time insights, telemetry-based monitoring, and BPA generation.
BPA Capability:
Supports two BPA generation methods:
On-Demand BPA: Customers upload a TSF (PAN-OS 9.1 or higher) via "Dashboards > On Demand BPA" to generate a report, even without telemetry or onboarding.
Continuous BPA: For onboarded devices with telemetry enabled (PAN-OS 10.0+), AIOps provides ongoing best practice assessments via the Best Practices dashboard.
Available in free and premium tiers; the free tier includes BPA generation.
Reports include detailed findings, remediation steps, and adoption summaries.
Use Case: Ideal for customers managing firewalls with or without full AIOps integration.
Verification:
"Generate on-demand BPA reports by uploading TSFs in AIOps" (docs.paloaltonetworks.com/aiops/aiops-for-ngfw/dashboards/on-demand-bpa).
"AIOps Best Practices dashboard assesses configurations continuously" (live.paloaltonetworks.com, AIOps On-Demand BPA, 10-25-2022).
Conclusion: A current, customer-accessible location for BPA generation.Applicable.
Option D: Strata Cloud Manager (SCM)
Description: Strata Cloud Manager is a unified, AI-powered management interface for NGFWs and SASE, integrating AIOps, digital experience management, and configuration tools.
BPA Capability:
Supports on-demand BPA generation by uploading a TSF under "Dashboards > On Demand BPA," similar to AIOps, for devices not sending telemetry or not fully onboarded.
For onboarded devices, provides real-time best practice checks via the "Best Practices" dashboard, analyzing policies against Palo Alto Networks and CIS standards.
Available in Essentials (free) and Pro (paid) tiers; BPA generation is included in both.
Use Case: Offers a modern, centralized platform for customers to manage and assess security posture.
Verification:
"Run BPA directly from Strata Cloud Manager with TSF upload" (docs.paloaltonetworks.com/strata-cloud-manager/dashboards/on-demand-bpa, 07-24-2024).
"Best Practices dashboard measures posture against guidance" (paloaltonetworks.com, Strata Cloud Manager Overview).
Conclusion: A current, customer-accessible location for BPA generation.Applicable.
Step 3: Select the Two Valid Locations
C (AIOps): Supports both on-demand (TSF upload) and continuous BPA generation, accessible to customers via the Palo Alto Networks hub.
D (Strata Cloud Manager): Provides identical on-demand BPA capabilities and real-timeassessments, designed as a unified management interface.
Why Not A or B?
A (PANW Partner Portal): Partner-focused, not a direct customer tool for BPA generation.
B (Customer Support Portal): Deprecated for BPA generation post-July 17, 2023; no longer valid as of March 08, 2025.
Step 4: Verified References
AIOps BPA: "On-demand BPA in AIOps via TSF upload" (docs.paloaltonetworks.com/aiops/aiops-for-ngfw/dashboards/on-demand-bpa).
Strata Cloud Manager BPA: "Generate BPA reports in SCM" (docs.paloaltonetworks.com/strata-cloud-manager/dashboards/on-demand-bpa).
Customer Support Portal Transition: "BPA moved to AIOps/SCM; CSP access ended July 17, 2023" (live.paloaltonetworks.com, BPA Transition, 07-10-2023).