Skip to main content
Version: 1.0

Posture Management and Assessment API: BPA, Custom Checks, and Compliance

The Posture Management and Assessment API suite provides a streamlined, programmatic way for organizations to audit, manage, and enforce their security posture. By integrating these APIs into your workflow, you can automate security assessments, manage customized posture checks, and ensure continuous alignment with industry-standard security benchmarks and your organization's unique requirements. Best Practice Assessment (BPA) Config Upload API The Best Practice Assessment (BPA) Config Upload API enables automated submission of configuration files from Palo Alto Networks Panorama or Next-Generation Firewalls (NGFW) to receive a comprehensive assessment based on predefined, industry-standard security best practices. The service parses your configuration, identifies potential security gaps, and returns a detailed JSON-formatted report, allowing your team to ingest data directly into custom dashboards, SIEMs, or other automations.

Key Features and Security

We understand that configuration files contain sensitive architectural data. This API is built with a security-first architecture to ensure your data remains protected

  • Secure Transmission- All data is encrypted in transit using industry-standard TLS protocols.
  • Privacy Control (Zero Persistence)- The API includes an optional flag that instructs the service to delete the configuration file immediately after the report is generated. This ensures that none of your sensitive information is stored in the cloud environment.
  • Actionable JSON Output- Instead of static PDFs, the API delivers structured data, making it machine-readable and easily processed.

BPA Workflow Overview

  • Export- Generate a configuration file from your Panorama or NGFW.
  • Upload- Submit the file to the config upload endpoint via a secure POST request.
  • Process- The engine analyzes the configuration against hundreds of pre-defined best-practice checks.
  • Retrieve- Receive the results instantly in a structured JSON schema.
  • Purge- (Optional) The service automatically deletes the source configuration file upon completion.

Custom Posture Check Management (Pro License Required)

While the BPA Config Upload API validates against pre-defined best practices, our Custom Posture Check endpoints give Pro-licensed users the ability to manage and report on user-defined posture checks tailored to specific organizational policies.

These endpoints provide full lifecycle management for Custom Posture Checks

  • List Checks- Retrieve all custom posture checks in your environment.
  • Create Checks- Define new custom security posture rules.
  • Retrieve (Get) Checks- Fetch the details of a specific posture check by its ID.
  • Update Checks- Modify existing checks to adapt to evolving security policies.
  • Delete Checks- Remove outdated or unnecessary checks by ID.
  • Clone Checks- Quickly duplicate an existing check to use as a template for a new one.
  • Batch Upsert- Create or update multiple custom posture checks in a single API call for efficient bulk management.
  • Batch Delete- Remove multiple posture checks simultaneously.

Note These endpoints are strictly for the management and reporting of Custom Posture Checks and require a Pro license.

Coming Soon Compliance Management and Reporting

We are continuously expanding our API capabilities to help you maintain a robust security posture. Soon, we will be introducing endpoints for Compliance Management and Reporting. This upcoming feature set will allow organizations to automatically map their network security configurations and posture check results directly against major regulatory frameworks and compliance standards, streamlining audit preparations, continuous compliance tracking and evidence collection. This Open API spec file was created on April 10, 2026. © 2026 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. This Open API spec file was created on May 18, 2026. © 2026 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.