Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Traps
Traps Endpoint Security Manager Administrator's Guide
Administer the ESM Server
Multi-ESM Deployments
Manage Multiple ESM Servers

Last Updated:

Wed Sep 30 09:32:21 PDT 2020

Current Version:

4.2 (EoS)

Version 4.2 (EoS)

Table of Contents

Search the Table of Contents

Traps Overview

About Traps

Malware Protection Overview

Exploit Protection Overview

Traps Components

ESM Console

ESM Server

Database

Endpoints

Traps Agent

External Logging Platform

WildFire

Forensic Folder

Traps Deployment Scenarios

Standalone Deployment

Small Deployments

Small Single-Site Deployment

Small Multi-Site Deployment

Large Deployments

Large Single-Site Deployment

Large Multi-Site Deployment with One Endpoint Security Mana...

Large Multi-Site Deployment with Roaming Agents (Without VP...

Large Multi-Site Deployment with Roaming Agents (With VPN)

Prerequisites

Hardware Requirements

Standalone Endpoint Security Manager Hardware Requirements

Distributed Endpoint Security Manager Hardware Requirements

Software Requirements

ESM Console Software Requirements

ESM Server Software Requirements

Database Software Requirements

Set Up the Traps Infrastructure

Set Up the Endpoint Infrastructure

Activate Traps Licenses

Set Up the Endpoint Security Manager

Endpoint Infrastructure Installation Considerations

TLS/SSL Encryption for Traps Components

Configure the MS-SQL Server Database

Install the Endpoint Security Manager Server Software

Install the Endpoint Security Manager Console Software

Manage Proxy Communication with the Endpoint Security Manager

Load Balance Traffic to ESM Servers

Install ESM Components Using Windows Msiexec

Install ESM Components

Uninstall ESM Components

Set Up the Endpoints

Recommended Traps Deployment Process

Traps Installation Options

Manage Traps Installation Packages

Verify Connectivity from the ESM Console

VDI

VDI Overview

Virtualized Applications and Desktops

VDI Modes

Set Up Traps in a VDI Environment

Administer the ESM

Manage ESM Server Settings

Manage ESM Console Settings

Multi-ESM Deployments

Known Limitations with Multi-ESM Deployments

What Logic Does the Agent Use When Selecting an ESM Server?

Manage Multiple ESM Servers

Traps Licenses

Add a Traps License Using the ESM Console

Add a Traps License Using the DB Configuration Tool

Manage Administrator Access to the ESM Console

Administrative Roles

Administrative Privileges

Administrative Users

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure Administrative Roles

Configure Administrative Users, Groups, or Organizational U...

Configure the Authentication Mode

Change the Ninja-Mode Password

Export and Import Policy Files

User-Defined Rules

Content Updates

Manage Content Updates

Monitoring

Maintain the Endpoints and Traps

Use the Endpoint Security Manager Dashboard

Monitor Security Events

Use the Security Events Dashboard

Manage Security Events

View Security Error Log Details

View the Security Event History on an Endpoint

Monitor the Endpoints

View Endpoint Health Details

View Notifications About Changes in the Agent Status

View the Rule History of an Endpoint

View the Service Status History of an Endpoint

Remove an Endpoint from the Health Page

Monitor the ESM Servers

View the Health of the ESM Servers

View Notifications About the ESM Server

View the Rule Summary

Monitor Data Retrieval

Get Started with Rules

Endpoint Policy Rule Concepts

Policy Rule Types

Policy Enforcement

Default Protection Policy

Common Rule Components and Actions

Conditions

Define Activation Conditions for a Rule on Windows Endpoint...

Define Activation Condition for a Rule on Mac Endpoints

Define Activation Conditions for Linux

Include or Exclude Endpoints Using Conditions

Delete or Modify a Rule Condition

Target Objects

Manage Endpoint Groups

Name or Rename a Rule

Save Rules

Manage Saved Rules

Filter Rules

Disable or Enable All Protection Rules

Show or Hide the Default Policy Rules

Wildcards and Variables in Policy Rules

Wildcards in Policy Rules

Environment Variables in Policy Rules

Environment Variable Support for Windows Vista and Later Re...

Environment Variable Support for Windows XP

Example: Using Wildcards and Variables in Restriction Rules

Process Management

Process Protection Types

Processes Protected by the Default Policy

Add a New Protected Process

Import or Export a Process

View, Modify, or Delete a Process

View Processes Currently Protected by Traps

Malware Protection

Malware Protection Policy Best Practices

Malware Protection Flow

Manage Malware Protection Rules

Malware Protection Rules

Configure Child Process Protection

Configure Anti-Ransomware Protection

Configure the Gatekeeper Enhancement MPM

Manage Restriction Rules

Block Execution from Local Folders

Define External Media Restrictions

Manage Global Whitelists

Add a New Restriction Rule

Whitelist a Network Folder

Restriction Rules

WildFire Integration

WildFire Integration Concepts

ESM Forwarding

Verdicts

Verdict Caches

File Type Analysis

Set Up the ESM to Communicate with WildFire

Set Up a Private WildFire Cloud

Configure a WildFire Rule

Manage Hashes for Files

View and Search Hashes

Filter File Hash Records

File Hash Search Conditions

Export and Import Hashes

View a WildFire Report

View the History of a Verdict

Override a WildFire Verdict

Recheck a WildFire Decision

Report an Incorrect Verdict

Upload a File to WildFire for Analysis

Manage Quarantine Settings

Restore a Quarantined File

Manage Trusted Signers

Exploit Protection

Exploit Protection Rules

Windows Exploit Protection Modules (EPMs)

Mac Exploit Protection Modules (EPMs)

Linux Exploit Protection Modules

Create an Exploit Protection Rule

Exclude an Endpoint from an Exploit Protection Rule

Manage the Endpoints

Manage Traps Action Rules

Traps Action Rules

Add a New Action Rule

Manage Data Collected by Traps

Uninstall or Upgrade Traps on the Endpoint

Manage Agent Settings Rules

Traps Agent Settings Rules

Add a New Agent Settings Rule

Define Event Logging Preferences

Hide or Restrict Access to the Traps Console

Define Communication Settings Between the Endpoint and the ESM Server

Define Heartbeat Settings Between the Agent and the ESM Ser...

Define Communication Settings Between the Agent and the ESM...

Collect New Process Information

Manage Service Protection

Change the Uninstall Password

Create a Custom User Alert Message

Remove an Endpoint from the Health Page

Install an End-of-Life Traps Agent Version

Forensics

Forensics Overview

Forensics Flow

Phase 1: Prevention Event Triggered

Phase 2: Automated Analysis

Phase 3: Automated Detection

Phase 4: Collection of Forensic Data

Forensic Data Types

Best Practices for Managing Forensic Data

Manage Forensics Rules and Settings

Forensics Rules

Change the Default Forensic Folder

Change the Forensic Folder Destination Using the ESM Consol...

Change the Forensic Folder Destination Using the DB Configu...

Create a Forensics Rule

Define Memory Dump Preferences

Define Forensics Collection Preferences

Retrieve Data About a Security Event

Agent Query

Agent Query Flow

Search Endpoints for a File, Folder, or Registry Key

View the Results of an Agent Query

Reports and Logging

Event Log Types

Security Events

Policies - General

Policies - Rules

Policies - Process Management

Policies - Restriction Settings

Policies - Hash Control

Monitor - Agent

Monitor ESM

Settings - Administration

Settings - Agent

Settings - ESM

Settings - Conditions

Settings - Licenses

Settings - Installation Package

Common Variables Used in Events

Agent Change Event Variables

ESM Configuration Change Event Variables

Policy Change Event Variables

ESM Server Event Variables

Security Event Monitoring Variables

Forward Logs to an External Logging Platform

Enable Log Forwarding to an External Logging Platform

Enable Log Forwarding to an External Logging Platform Using...

CEF Format

LEEF Format

Syslog (RFC5424) Format

Forward Logs to Panorama

Set Up Secure Communication With Panorama

Enable Log Forwarding to Panorama

View ESM Logs and Correlation Events on Panorama

Forward Logs to Email

Enable Log Forwarding to Email

Email Format

Troubleshooting

Traps Troubleshooting Resources

Traps and Endpoint Security Manager Processes

ESM Tech Support File

Database (DB) Configuration Tool

Access the Database Configuration Tool

Configure Administrative Access to the ESM Console Using th...

Configure ESM Server Settings Using the DB Configuration To...

Customizable ESM Server Settings

Cytool

Access Cytool

View the Status of the Agent Using Cytool

View Processes Currently Protected by Traps Using Cytool

Manage Protection Settings on the Endpoint Using Cytool

Enable or Disable Core Process Protection on the Endpoint

Enable or Disable Registry Protection Settings on the Endpo...

Enable or Disable Traps File Protection Settings on the End...

Enable or Disable Service Protection Settings on the Endpoi...

Use the Security Policy to Manage Service Protection

Manage Traps Drivers and Services on the Endpoint Using Cytool

View Traps Startup Components on the Endpoint

Enable or Disable the Startup of Traps Components on the En...

View Traps Runtime Components on the Endpoint

Start or Stop Traps Runtime Components on the Endpoint

Enable or Disable RPC Services Using Cytool

View and Compare Security Policies on an Endpoint Using Cyt...

View Details About an Active Policy

Compare Policies

Manage Logging of Traps Components Using Cytool

Restore a Quarantined File Using Cytool

View Statistics for a Protected Process Using Cytool

View Details About the Traps Local Analysis Module Using Cy...

View Hash Details About a File Using Cytool

Troubleshoot Traps Issues

Why can’t I install Traps?

Why can’t I upgrade or uninstall Traps?

Why can’t Traps connect to the ESM Server?

How do I fix a Traps server certificate error?

Troubleshoot ESM Console Issues

Why can’t I log in to the ESM Console?

Why do I get a server error when launching the ESM Console?

Why do all endpoints appear as disconnected in the ESM Cons...

Traps Overview
- About Traps
  - Malware Protection Overview
  - Exploit Protection Overview
- Traps Components
Traps Deployment Scenarios
Prerequisites
- Hardware Requirements
  - Standalone Endpoint Security Manager Hardware Requirements
  - Distributed Endpoint Security Manager Hardware Requirements
- Software Requirements
Set Up the Traps Infrastructure
VDI
- VDI Overview
  - Virtualized Applications and Desktops
  - VDI Modes
- Set Up Traps in a VDI Environment
Administer the ESM
Monitoring
Get Started with Rules
Malware Protection
Exploit Protection
Manage the Endpoints
Forensics
Reports and Logging
Troubleshooting

Document:Traps Endpoint Security Manager Administrator's Guide

Manage Multiple ESM Servers

Last Updated:

Wed Sep 30 09:32:21 PDT 2020

Current Version:

4.2 (EoS)

Version 4.2 (EoS)

Table of Contents

Search the Table of Contents

Traps Overview

About Traps

Malware Protection Overview

Exploit Protection Overview

Traps Components

ESM Console

ESM Server

Database

Endpoints

Traps Agent

External Logging Platform

WildFire

Forensic Folder

Traps Deployment Scenarios

Standalone Deployment

Small Deployments

Small Single-Site Deployment

Small Multi-Site Deployment

Large Deployments

Large Single-Site Deployment

Large Multi-Site Deployment with One Endpoint Security Mana...

Large Multi-Site Deployment with Roaming Agents (Without VP...

Large Multi-Site Deployment with Roaming Agents (With VPN)

Prerequisites

Hardware Requirements

Standalone Endpoint Security Manager Hardware Requirements

Distributed Endpoint Security Manager Hardware Requirements

Software Requirements

ESM Console Software Requirements

ESM Server Software Requirements

Database Software Requirements

Set Up the Traps Infrastructure

Set Up the Endpoint Infrastructure

Activate Traps Licenses

Set Up the Endpoint Security Manager

Endpoint Infrastructure Installation Considerations

TLS/SSL Encryption for Traps Components

Configure the MS-SQL Server Database

Install the Endpoint Security Manager Server Software

Install the Endpoint Security Manager Console Software

Manage Proxy Communication with the Endpoint Security Manager

Load Balance Traffic to ESM Servers

Install ESM Components Using Windows Msiexec

Install ESM Components

Uninstall ESM Components

Set Up the Endpoints

Recommended Traps Deployment Process

Traps Installation Options

Manage Traps Installation Packages

Verify Connectivity from the ESM Console

VDI

VDI Overview

Virtualized Applications and Desktops

VDI Modes

Set Up Traps in a VDI Environment

Administer the ESM

Manage ESM Server Settings

Manage ESM Console Settings

Multi-ESM Deployments

Known Limitations with Multi-ESM Deployments

What Logic Does the Agent Use When Selecting an ESM Server?

Manage Multiple ESM Servers

Traps Licenses

Add a Traps License Using the ESM Console

Add a Traps License Using the DB Configuration Tool

Manage Administrator Access to the ESM Console

Administrative Roles

Administrative Privileges

Administrative Users

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure Administrative Roles

Configure Administrative Users, Groups, or Organizational U...

Configure the Authentication Mode

Change the Ninja-Mode Password

Export and Import Policy Files

User-Defined Rules

Content Updates

Manage Content Updates

Monitoring

Maintain the Endpoints and Traps

Use the Endpoint Security Manager Dashboard

Monitor Security Events

Use the Security Events Dashboard

Manage Security Events

View Security Error Log Details

View the Security Event History on an Endpoint

Monitor the Endpoints

View Endpoint Health Details

View Notifications About Changes in the Agent Status

View the Rule History of an Endpoint

View the Service Status History of an Endpoint

Remove an Endpoint from the Health Page

Monitor the ESM Servers

View the Health of the ESM Servers

View Notifications About the ESM Server

View the Rule Summary

Monitor Data Retrieval

Get Started with Rules

Endpoint Policy Rule Concepts

Policy Rule Types

Policy Enforcement

Default Protection Policy

Common Rule Components and Actions

Conditions

Define Activation Conditions for a Rule on Windows Endpoint...

Define Activation Condition for a Rule on Mac Endpoints

Define Activation Conditions for Linux

Include or Exclude Endpoints Using Conditions

Delete or Modify a Rule Condition

Target Objects

Manage Endpoint Groups

Name or Rename a Rule

Save Rules

Manage Saved Rules

Filter Rules

Disable or Enable All Protection Rules

Show or Hide the Default Policy Rules

Wildcards and Variables in Policy Rules

Wildcards in Policy Rules

Environment Variables in Policy Rules

Environment Variable Support for Windows Vista and Later Re...

Environment Variable Support for Windows XP

Example: Using Wildcards and Variables in Restriction Rules

Process Management

Process Protection Types

Processes Protected by the Default Policy

Add a New Protected Process

Import or Export a Process

View, Modify, or Delete a Process

View Processes Currently Protected by Traps

Malware Protection

Malware Protection Policy Best Practices

Malware Protection Flow

Manage Malware Protection Rules

Malware Protection Rules

Configure Child Process Protection

Configure Anti-Ransomware Protection

Configure the Gatekeeper Enhancement MPM

Manage Restriction Rules

Block Execution from Local Folders

Define External Media Restrictions

Manage Global Whitelists

Add a New Restriction Rule

Whitelist a Network Folder

Restriction Rules

WildFire Integration

WildFire Integration Concepts

ESM Forwarding

Verdicts

Verdict Caches

File Type Analysis

Set Up the ESM to Communicate with WildFire

Set Up a Private WildFire Cloud

Configure a WildFire Rule

Manage Hashes for Files

View and Search Hashes

Filter File Hash Records

File Hash Search Conditions

Export and Import Hashes

View a WildFire Report

View the History of a Verdict

Override a WildFire Verdict

Recheck a WildFire Decision

Report an Incorrect Verdict

Upload a File to WildFire for Analysis

Manage Quarantine Settings

Restore a Quarantined File

Manage Trusted Signers

Exploit Protection

Exploit Protection Rules

Windows Exploit Protection Modules (EPMs)

Mac Exploit Protection Modules (EPMs)

Linux Exploit Protection Modules

Create an Exploit Protection Rule

Exclude an Endpoint from an Exploit Protection Rule

Manage the Endpoints

Manage Traps Action Rules

Traps Action Rules

Add a New Action Rule

Manage Data Collected by Traps

Uninstall or Upgrade Traps on the Endpoint

Manage Agent Settings Rules

Traps Agent Settings Rules

Add a New Agent Settings Rule

Define Event Logging Preferences

Hide or Restrict Access to the Traps Console

Define Communication Settings Between the Endpoint and the ESM Server

Define Heartbeat Settings Between the Agent and the ESM Ser...

Define Communication Settings Between the Agent and the ESM...

Collect New Process Information

Manage Service Protection

Change the Uninstall Password

Create a Custom User Alert Message

Remove an Endpoint from the Health Page

Install an End-of-Life Traps Agent Version

Forensics

Forensics Overview

Forensics Flow

Phase 1: Prevention Event Triggered

Phase 2: Automated Analysis

Phase 3: Automated Detection

Phase 4: Collection of Forensic Data

Forensic Data Types

Best Practices for Managing Forensic Data

Manage Forensics Rules and Settings

Forensics Rules

Change the Default Forensic Folder

Change the Forensic Folder Destination Using the ESM Consol...

Change the Forensic Folder Destination Using the DB Configu...

Create a Forensics Rule