Add a New Agent Settings Profile

Agent Settings Profiles enable you to customize Traps settings for different platforms and groups of users.
  1. Add a new profile.
    1. From Traps management service, select Security > Profiles.
    2. Select the operating system type to which the profile applies.
    3. Create Agent Settings.
      Traps management service displays the settings that you can configure for the platform you selected.
      (Figure: profiles-agent-settings.png)
  2. Define the basic settings.
    1. Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose is visible in the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason for creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. (Windows, Mac, and Linux only) Configure the Disk Space to allot for Traps logs.
    Specify a value in MB from 100 to 10,000 (default is 5,000).
  4. (Windows and Mac only) Configure User Interface options for the Traps console.
    By default, Traps management service uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
    • Hide tray icon—Enable this option to hide the Traps icon from the notification area (system tray).
    • Disable access to the Traps console—Enable this option to prevent users from opening the Traps console.
    • Hide Traps user notifications—Enable this option to operate Traps in silent mode, where the Traps agent does not display any notifications in the notification area.
  5. (Android only) Configure network usage preferences.
    When Upload Using Cellular Data is enabled, Traps uses cellular data to send unknown apps to the Traps management service for inspection. Standard data charges may apply. When this option is disabled, Traps queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.
  6. (Windows only) Configure Agent Security options that prevent unauthorized access to or tampering with Traps components.
    As with the User Interface options, use the default agent settings or customize them for the profile. To customize agent security capabilities:
    1. Enable or disable Traps Tampering Protection.
    2. Configure granular protection options for Traps services, processes, files, and registry values, as needed. With Traps 5.0.6 and later releases, when protection is enabled, access is read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.
  7. (Windows and Mac only) Set a password the user must enter to uninstall the Traps agent.
    The uninstall password is encrypted using the PBKDF2 algorithm when transferred between Traps management service and Traps agents.
    The default uninstall password is Password1. A new password must satisfy the following requirements:
    • Contain eight or more characters.
    • Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'
    To change the password:
    1. Edit the Uninstall Password.
    2. Enter and confirm the new uninstall password.
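As an added illustration (not Traps code), the following Python checker encodes the profile constraints from steps 2, 3 and 7: the profile name rule, the log disk space range, and the uninstall password rule, and it flags a profile that still uses the default uninstall password. The dictionary keys (name, disk_space_mb, uninstall_password) are assumptions about how an exported profile might be represented.

```python
"""Checker for Agent Settings Profile constraints (added example, not Traps code).
Field names are assumed; the rules themselves come from the documentation above."""
import re

DEFAULT_UNINSTALL_PASSWORD = "Password1"
# Profile name: letters, numbers or spaces only, at most 30 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9 ]{1,30}$")
# Uninstall password: 8+ characters drawn from English letters, digits,
# or the symbols !()-._`~@#"' (treated here as the complete allowed set).
PASSWORD_RE = re.compile(r"""^[A-Za-z0-9!()\-._`~@#"']{8,}$""")


def check_profile(profile: dict) -> list:
    """Return a list of problems found; an empty list means the profile passes."""
    problems = []

    name = profile.get("name", "")
    if not NAME_RE.fullmatch(name):
        problems.append("name: only letters, numbers or spaces, 1-30 characters")

    # Disk space for Traps logs: 100-10,000 MB, default 5,000 when absent.
    disk = profile.get("disk_space_mb", 5000)
    if not isinstance(disk, int) or not 100 <= disk <= 10000:
        problems.append("disk_space_mb: must be an integer from 100 to 10000")

    # A profile that never changed the uninstall password still has Password1.
    pw = profile.get("uninstall_password", DEFAULT_UNINSTALL_PASSWORD)
    if pw == DEFAULT_UNINSTALL_PASSWORD:
        problems.append("uninstall_password: still the default Password1")
    elif not PASSWORD_RE.fullmatch(pw):
        problems.append("uninstall_password: needs 8+ allowed characters")

    return problems


if __name__ == "__main__":
    # Constructed sample profile that should pass every check.
    sample = {"name": "Finance Laptops", "disk_space_mb": 2000,
              "uninstall_password": "Tr4ps-Un1nst@ll"}
    print(check_profile(sample) or "profile OK")
```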
  8. (Windows only) Configure Windows Security Center Configuration.
    The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases. By default, Traps registers with the Windows Security Center as an official Antivirus (AV) software product and enables Windows to install updates for Meltdown/Spectre vulnerability patches. If you do not want to allow Windows to automatically install patches, change the setting to Enabled (No Patches) or, to disable Traps registration with the Windows Security Center completely, select Disabled. When registration is disabled, the Action Center indicates Virus protection is Off.
  9. (Windows only) Configure Forensics data collection options.
    When a process-related security event occurs on the endpoint, Traps collects the contents of memory and other data about the event in what is known as a memory dump. You can customize the size of the forensic data collection—Small, Medium, or Full (the largest and most complete set of information)—and whether to send the memory dumps to the Traps management service automatically. During event investigation, if automatic uploading of prevention data was disabled, you can manually retrieve the data.
  10. (Windows, Mac, and Linux only) Enable Traps to Monitor and collect endpoint events for use by apps on the Cortex platform.
    Event monitoring and data collection requires:
    • Traps agent 6.0 or a later release for Windows endpoints, and Traps agent 6.1 or a later release for Mac and Linux endpoints.
    • An active Cortex XDR license and allocated log storage in your Cortex Data Lake instance.
    When enabled, Traps collects detailed information about all active file, process, network, and registry activity on an endpoint. This information provides Cortex apps with the endpoint context so that you can gain insight into the overall event scope when you investigate a threat. This includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, Traps does not share endpoint activity logs.
    When you enable EDR data collection, you must also allocate log storage for EDR data in your Cortex Data Lake instance.
  11. (Windows only) If you need to isolate an endpoint but want to allow access for a specific application (for example, communication between the VDI process and a VDI server), add the process to the Network Isolation Whitelist.
    If your Traps agents communicate with Traps management service through a proxy, you must whitelist the following Traps processes along with the IP address of the proxy server:
    • C:\Program Files\Palo Alto Networks\Traps\tlaservice.exe
    • C:\Program Files\Palo Alto Networks\Traps\cyveraservice.exe
    This enables the Traps agent to maintain communication with Traps management service after you isolate the endpoint.
    When you whitelist a specific application from network isolation, the Traps agent continues to block some internal system processes. This is because some applications, for example ping.exe, can use other processes to facilitate network communication. As a result, if Traps continues to block a whitelisted application, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then whitelist that process.
    1. Add (+) an entry to the whitelist.
    2. Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.
    3. Click the check mark when finished.
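As an added example (not Traps agent code), the following Python model applies the whitelist matching rules described in step 11: each entry pairs a process path with an address, and * on either side matches any process or any address. It also builds the two proxy entries for tlaservice.exe and cyveraservice.exe. The matching semantics (case-insensitive path comparison, address comparison after parsing) are assumptions inferred from the text, and the VDI client path is constructed.

```python
"""Model of Network Isolation Whitelist matching (added example, not Traps code).
The documentation describes the address as the isolated endpoint's IP, and as
the proxy server's IP for the two Traps processes; this model simply compares
the entry's address field against whatever address the caller supplies."""
import ipaddress
from dataclasses import dataclass

ANY = "*"

# Traps processes that must be whitelisted together with the proxy address
# when agents reach Traps management service through a proxy.
TRAPS_PROXY_PROCESSES = (
    r"C:\Program Files\Palo Alto Networks\Traps\tlaservice.exe",
    r"C:\Program Files\Palo Alto Networks\Traps\cyveraservice.exe",
)


@dataclass(frozen=True)
class WhitelistEntry:
    process_path: str  # full path of the process, or "*" for any process
    address: str       # IPv4 or IPv6 address, or "*" for any address


def _path_matches(pattern: str, path: str) -> bool:
    # Assumed: Windows paths compare case-insensitively; "*" matches any process.
    return pattern == ANY or pattern.lower() == path.lower()


def _address_matches(pattern: str, addr: str) -> bool:
    # Parse both sides so "::1" and "0:0:0:0:0:0:0:1" compare equal; an entry
    # holding an unparsable address never matches.
    if pattern == ANY:
        return True
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)
    except ValueError:
        return False


def is_allowed(entries, process_path: str, endpoint_ip: str) -> bool:
    """True if at least one whitelist entry permits this process and address."""
    return any(_path_matches(e.process_path, process_path)
               and _address_matches(e.address, endpoint_ip) for e in entries)


def proxy_entries(proxy_ip: str) -> list:
    """Entries that keep agent-to-management traffic alive through a proxy."""
    return [WhitelistEntry(p, proxy_ip) for p in TRAPS_PROXY_PROCESSES]
```

Note that a match here only means the listed process is allowed; as the documentation explains, a helper process the application relies on (as with ping.exe) still needs its own entry.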
  12. Save the changes to your profile.
  13. Assign the profile to a policy (see Configure a Policy Rule).
