Change the Forensic Folder Destination Using the DB Configuration Tool
To allow you to further troubleshoot or analyze security events, such as a prevention or crash, Traps uploads the forensic data to a web-based forensic folder. During installation of the ESM Console, the installer enables the Background Intelligent Transfer Service (BITS), which uses idle network bandwidth to upload the data to the forensic folder.
To analyze a security event, create an action rule to retrieve the forensic data from the endpoint (see Manage Data Collected by Traps). When Traps receives the request to send the data, it copies the files to the forensic folder (also referred to in the Endpoint Security Manager as the quarantine folder), which is a local or network path that you specify during the initial installation.
You can change the path of the forensic folder at any time using the Endpoint Security Manager (see Change the Forensic Folder Destination Using the ESM Console) or using the Database (DB) Configuration Tool.
The DB Configuration Tool is a command-line interface that provides an alternative to managing basic server settings using the ESM Console. You can access the DB Configuration Tool using a Microsoft MS-DOS command prompt run as an administrator. The DB Configuration Tool is located in the Server folder on the ESM Server.
All commands run using the DB Configuration Tool are case sensitive.
  1. Open a command prompt as an administrator:
    • Select Start > All Programs > Accessories. Right-click Command Prompt, and then select Run as administrator.
    • Select Start. In the Start Search box, type cmd. Then, to open the command prompt as an administrator, press CTRL+SHIFT+ENTER.
  2. Navigate to the folder that contains the DB Configuration Tool:
    C:\Users\Administrator> cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  3. (Optional) View the existing server settings:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig server show
    PreventionsDestFolder = \\ESMServer\Quarantine
    InventoryInterval = 284
    HeartBeatGracePeriod = 4200
    NinjaModePassword = Password2
    BitsUrl = https://CYVERASERVER.Domain.local:443/BitsUploads
    MaxActions = 5000
  4. Set the web-based URL of the forensic folder:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig server BitsUrl HTTPS://ESMserver.Domain.local:443/BitsUploads
    To encrypt forensic data, we strongly recommend that you use SSL to communicate with the forensic folder. To use SSL, include the fully qualified domain name (FQDN) and specify port 443, for example HTTPS://ESMserver.Domain.local:443/BitsUploads. If you are not using SSL, specify port 80, for example http://ESMSERVER:80/BitsUploads.
  5. (Optional) To verify the path of the forensic folder, run the dbconfig server show command:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig server show
    PreventionsDestFolder = \\ESMServer-New\Quarantine
    InventoryInterval = 284
    HeartBeatGracePeriod = 4200
    NinjaModePassword = Password2
    BitsUrl = HTTPS://ESMserver.Domain.local:443/BitsUploads
    MaxActions = 5000
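The following script is an added example, not part of the Palo Alto Networks documentation or the DB Configuration Tool: it parses a `dbconfig server show` listing and checks the BitsUrl value against the guidance above (HTTPS with an FQDN on port 443, or plain HTTP on port 80). The sample listing is constructed from the page's own output; the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample of `dbconfig server show` output, modelled on the page's listing.
SAMPLE_SHOW_OUTPUT = """\
PreventionsDestFolder = \\\\ESMServer\\Quarantine
InventoryInterval = 284
HeartBeatGracePeriod = 4200
NinjaModePassword = Password2
BitsUrl = http://ESMSERVER:80/BitsUploads
MaxActions = 5000
"""

def parse_show_output(text):
    """Turn the tool's 'Key = Value' lines into a dict (keys stay case sensitive)."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def check_bits_url(url):
    """Return findings for one BitsUrl value; an empty list means it follows the guidance."""
    findings = []
    parts = urlsplit(url)            # urlsplit lowercases the scheme and hostname
    host = parts.hostname or ""
    try:
        port = parts.port            # None when no port is given
    except ValueError:
        return ["port in %r is not a number" % url]
    if parts.scheme == "https":
        if port not in (None, 443):
            findings.append("https on port %s; the guidance is port 443" % port)
        if "." not in host:
            findings.append("host %r is not a fully qualified domain name" % host)
    elif parts.scheme == "http":
        findings.append("http scheme: forensic data is uploaded without SSL")
        if port == 443:
            findings.append("port 443 with http: scheme and port disagree")
    else:
        findings.append("unexpected scheme %r" % parts.scheme)
    return findings

def audit_show_output(text):
    """Parse a `dbconfig server show` listing and check its BitsUrl setting."""
    settings = parse_show_output(text)
    if "BitsUrl" not in settings:
        return ["BitsUrl is not present in the output"]
    return check_bits_url(settings["BitsUrl"])
```

Run it against the saved output of `dbconfig server show` before and after step 4 to confirm the forensic folder URL is encrypted in transit.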