Change the Forensic Folder Destination Using the DB Configuration Tool

To allow you to further troubleshoot or analyze security events, such as a prevention or crash, Traps uploads the forensic data to a web-based forensic folder. During installation of the ESM Console, the installer enables the Background Intelligent Transfer Service (BITS) which utilizes idle network bandwidth to upload the data to forensic folder.
To analyze a security event, create an action rule to retrieve the forensic data from the endpoint (see Manage Data Collected by Traps). When Traps receives the request to send the data, it copies the files to the forensic folder (also referred to in the Endpoint Security Manager as the quarantine folder), which is a local or network path that you specify during the initial installation.
You can change the path of the forensic folder at any time using the Endpoint Security Manager (see Change the Forensic Folder Destination Using the ESM Console) or using the Database (DB) Configuration Tool.
The DB Configuration Tool is a command-line interface that provides an alternative to managing basic server settings using the ESM Console. You can access the DB Configuration Tool using a Microsoft MS-DOS command prompt run as an administrator. The DB Configuration Tool is located in the Server folder on the ESM Server.
All commands run using the DB Configuration Tool are case sensitive.
  1. Open a command prompt as an administrator:
    • Select StartAll ProgramsAccessories. Right-click Command prompt, and then select Run as administrator.
    • Select Start. In the Start Search box, type cmd. Then, to open the command prompt as an administrator, press CTRL+SHIFT+ENTER.
  2. Navigate to the folder that contains the DB Configuration Tool:
    C:\Users\Administrator> cd
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  3. (Optional) View the existing server settings:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig server show
    PreventionsDestFolder = \\ESMServer\Quarantine
    InventoryInterval = 284
    HeartBeatGracePeriod = 4200
    NinjaModePassword = Password2
    BitsUrl = https://CYVERASERVER.Domain.local:443/BitsUploads
    MaxActions = 5000
  4. Enter the web-based URL of the forensics folder.
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig server BitsUrl http://ESMserver.Domain.local:443/BitsUploads
    To encrypt forensic data, we strongly recommend that you use SSL to communicate with the forensic folder. To use SSL, include the fully qualified domain name (FQDN) and specify port 443, for example HTTPS://ESMserver.Domain.local:443/BitsUploads. If you are not using SSL, specify port 80, for example http://ESMSERVER:80/BitsUploads.
  5. (Optional) To verify the path of the forensic folder, run the dbconfig server show command:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig server show
    PreventionsDestFolder = \\ESMServer-New\Quarantine
    InventoryInterval = 284
    HeartBeatGracePeriod = 4200
    NinjaModePassword = Password2
    BitsUrl = HTTPS://ESMserver.Domain.local:443/BitsUploads
    MaxActions = 5000

Related Documentation