Add a New Agent Settings Profile
Agent Settings Profiles enable you to customize Traps settings for different platforms and groups of users.
- Add a new profile.
- From Traps management service, select Security > Profiles.
- Select the operating system type to which the profile applies.
- Select Create > Agent Settings. Traps management service displays the settings that you can configure for the platform you selected.
- Define the basic settings.
- Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose is visible in the list of profiles when you configure a policy rule.
- To provide additional context for the purpose or business reason for creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
- (Windows, Mac, and Linux only) Configure the Disk Space to allot for Traps logs. Specify a value in MB from 100 to 10,000 (default is 5,000).
- (Windows and Mac only) Configure User Interface options for the Traps console. By default, Traps management service uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for this profile.
- Hide tray icon—Enable this option to hide the Traps icon from the notification area (system tray).
- Disable access to the Traps console—Enable this option to prevent users from opening the Traps console.
- Hide Traps user notifications—Enable this option to operate Traps in silent mode where the Traps agent does not display any notifications in the notification area.
- (Android only) Configure network usage preferences. When the option to Upload Using Cellular Data is enabled, Traps uses cellular data to send unknown apps to Traps management service for inspection. Standard data charges may apply. When this option is disabled, Traps queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.
- (Windows only) Configure Agent Security options that prevent unauthorized access to or tampering with Traps components. Similar to the User Interface options, use the default agent settings or customize them for the profile. To customize agent security capabilities:
- Enable or disable Traps Tampering Protection.
- Configure granular protection options for Traps services, processes, files, and registry values, as needed. With Traps 5.0.6 and later releases, when protection is enabled, access will be read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.
- (Windows and Mac only) Set a password the user must enter to uninstall the Traps agent. The uninstall password is protected with PBKDF2 (a password-based key derivation function, not an encryption algorithm) when it is transferred between Traps management service and Traps agents. The default uninstall password is Password1; because that default is publicly documented, change it before you deploy the profile. A new password must satisfy the following requirements:
- Contain eight or more characters.
- Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'.
- To change the password:
- Edit the Uninstall Password.
- Enter and confirm the new uninstall password.
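The following is an added example, not Palo Alto Networks code: it checks a candidate uninstall password against the policy stated above (eight or more characters; English letters, digits and the listed symbols only) and shows how a PBKDF2 verifier is derived and compared so that the password itself never has to be stored or sent in clear text. The PBKDF2 parameters (SHA-256, iteration count, 16-byte salt) are assumptions chosen for illustration; the page does not document the parameters Traps uses.

```python
"""Uninstall-password policy check plus PBKDF2 verifier derivation.

Added example, not Traps code. Policy rules come from the page; the PBKDF2
parameters below are assumptions (the page does not document them).
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

DEFAULT_UNINSTALL_PASSWORD = "Password1"        # default documented on the page
ALLOWED_SYMBOLS = "!()-._`~@#\"'"                # symbols listed on the page
ALLOWED_CHARS = set(string.ascii_letters + string.digits + ALLOWED_SYMBOLS)
MIN_LENGTH = 8

# Assumed PBKDF2 parameters (not from the page): SHA-256, a high iteration
# count to slow offline guessing, and a random 16-byte salt per password.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def policy_violations(password: str) -> List[str]:
    """Return the policy rules the candidate password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    bad = sorted({c for c in password if c not in ALLOWED_CHARS})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    # Not a rule on the page, but the default is public and must be replaced.
    if password == DEFAULT_UNINSTALL_PASSWORD:
        problems.append("still the documented default password")
    return problems


def derive_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2 verifier for the password; returns (salt, verifier)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    verifier = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)
    return salt, verifier


def check_password(candidate: str, salt: bytes, verifier: bytes) -> bool:
    """Compare a typed password against a stored verifier in constant time."""
    _, candidate_verifier = derive_verifier(candidate, salt)
    return hmac.compare_digest(candidate_verifier, verifier)


if __name__ == "__main__":
    for pw in ("Password1", "Ab1!", "Password 12$", "Tr4ps-Uninst@ll"):
        print(pw, "->", policy_violations(pw) or "OK")
    salt, verifier = derive_verifier("Tr4ps-Uninst@ll")
    print("verifier check:", check_password("Tr4ps-Uninst@ll", salt, verifier))
```

The derivation runs on whichever side enrolls the password; the other side only ever needs the salt and verifier to validate an uninstall attempt, which is the property a key derivation function gives you and an "encryption" of the password would not.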
- (Windows only) Configure Windows Security Center Configuration. The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases. By default, Traps registers with the Windows Security Center as an official antivirus (AV) product and allows Windows to install the Meltdown/Spectre vulnerability patches (Windows Update delivered those patches only on systems whose registered AV product had signaled compatibility). If you do not want to allow Windows to install the patches automatically, change the setting to Enabled (No Patches); to disable Traps registration with the Windows Security Center completely, select Disabled. When registration is disabled, the Action Center reports that virus protection is Off.
- (Windows only) Configure Forensics data collection options. When a process-related security event occurs on the endpoint, Traps collects the contents of memory and other data about the event in what is known as a memory dump. You can customize the size of the forensic data collection (Small, Medium, or Full, the largest and most complete set of information) and whether to send the memory dumps to Traps management service automatically. During event investigation, if automatic uploading of prevention data was disabled, you can manually retrieve the data.
- (Windows, Mac, and Linux only) Enable Traps to Monitor and collect endpoint events for use by apps on the Cortex platform. When enabled, Traps collects detailed information about all active file, process, network, and registry activity on an endpoint. This information gives Cortex apps the endpoint context you need to understand the overall scope of an event when you investigate a threat: the activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, Traps does not share endpoint activity logs. Event monitoring and data collection requires:
- Traps agent 6.0 or a later release for Windows endpoints, and Traps agent 6.1 or a later release for Mac and Linux endpoints.
- An active Cortex XDR license and log storage allocated for EDR data in your Cortex Data Lake instance.
- (Windows only) If you need to isolate an endpoint but want to allow network access for a specific application (for example, communication between the VDI process and a VDI server), add the process to the Network Isolation Whitelist. If your Traps agents communicate with Traps management service through a proxy, you must whitelist the following Traps processes along with the IP address of the proxy server so that the agent can keep communicating with Traps management service after you isolate the endpoint:
- C:\Program Files\Palo Alto Networks\Traps\tlaservice.exe
- C:\Program Files\Palo Alto Networks\Traps\cyveraservice.exe
- When you whitelist a specific application from network isolation, the Traps agent continues to block some internal system processes. This is because some applications, for example ping.exe, use other processes to carry out their network communication. If Traps continues to block a whitelisted application, perform additional network monitoring on the endpoint to identify the process that actually opens the connection, and then whitelist that process as well.
- Add (+) an entry to the whitelist.
- Specify the Process Path you want to allow and the IPv4 or IPv6 address that the process is allowed to reach (in the proxy case, the proxy server's address). Use the * wildcard on either side to match any process or any IP address. For example, specify * as the process path together with a specific IP address to allow any process on the isolated endpoint to communicate with that address; conversely, specify * as the IP address together with a specific process path to allow that process to communicate with any address on every isolated endpoint that receives this profile.
- Click the check mark when finished.
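The following is an added example, not Traps code: it models the whitelist semantics described above (an entry pairs a process path with an IPv4 or IPv6 address, and * on either side matches anything), builds the two proxy entries for the agent processes, and replays a constructed list of connection attempts to show which ones isolation would still block. That blocked list is what the "additional network monitoring" step is looking for: the helper process that a whitelisted application such as ping.exe hands its traffic to. The entry tuple format, case-insensitive path comparison, the proxy address, the VDI client path and the helper process path are all assumptions made for the example.

```python
"""Network Isolation Whitelist matching (added example, not Traps code).

Semantics from the page: (process_path, ip) entries, '*' matches anything.
Entry format, case-insensitive paths and the sample data are assumptions.
"""
import ipaddress
from typing import List, Tuple

ANY = "*"

# Agent processes that must stay reachable when the agent reaches Traps
# management service through a proxy (paths documented on the page).
TRAPS_AGENT_PROCESSES = [
    r"C:\Program Files\Palo Alto Networks\Traps\tlaservice.exe",
    r"C:\Program Files\Palo Alto Networks\Traps\cyveraservice.exe",
]


def _normalize_ip(value: str) -> str:
    """Canonical IPv4/IPv6 text, or '*'; raises ValueError on a malformed address."""
    if value == ANY:
        return ANY
    return str(ipaddress.ip_address(value))


def build_whitelist(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Normalize (process_path, ip) pairs as an admin would enter them in the profile."""
    return [(ANY if path == ANY else path.lower(), _normalize_ip(ip)) for path, ip in entries]


def proxy_entries(proxy_ip: str) -> List[Tuple[str, str]]:
    """The two entries required when agents talk to the management service via a proxy."""
    return [(proc, proxy_ip) for proc in TRAPS_AGENT_PROCESSES]


def is_allowed(process_path: str, remote_ip: str, whitelist: List[Tuple[str, str]]) -> bool:
    """True if an isolated endpoint would permit this process -> address flow."""
    path = process_path.lower()
    ip = _normalize_ip(remote_ip)
    return any((wl_path == ANY or wl_path == path) and (wl_ip == ANY or wl_ip == ip)
               for wl_path, wl_ip in whitelist)


def still_blocked(events: List[Tuple[str, str]], whitelist: List[Tuple[str, str]]):
    """Replay observed (process, ip) attempts; return those isolation still blocks.

    This is the list to review when a whitelisted application keeps failing:
    the helper process that actually opens the socket shows up here."""
    return [(proc, ip) for proc, ip in events if not is_allowed(proc, ip, whitelist)]


# Constructed sample profile: proxy at 10.1.2.3 (assumed), a hypothetical VDI
# client allowed to reach anything, and ping.exe allowed to reach anything.
VDI_CLIENT = r"C:\Program Files\ExampleVDI\vdiclient.exe"       # hypothetical
HELPER = r"C:\Windows\System32\example-helper.exe"               # hypothetical
SAMPLE_WHITELIST = build_whitelist(
    proxy_entries("10.1.2.3") + [(VDI_CLIENT, ANY), (r"C:\Windows\System32\ping.exe", ANY)]
)

# Constructed connection attempts observed on the isolated endpoint.
SAMPLE_EVENTS = [
    (TRAPS_AGENT_PROCESSES[0], "10.1.2.3"),     # agent -> proxy: allowed
    (TRAPS_AGENT_PROCESSES[0], "10.9.9.9"),     # agent -> anything else: blocked
    (VDI_CLIENT, "203.0.113.7"),                # wildcard IP entry: allowed
    (r"C:\Windows\System32\PING.EXE", "192.0.2.10"),   # case differs: allowed
    (HELPER, "192.0.2.10"),                     # helper ping.exe relies on: blocked
]

if __name__ == "__main__":
    for proc, ip in still_blocked(SAMPLE_EVENTS, SAMPLE_WHITELIST):
        print("still blocked:", proc, "->", ip)
```

Note that the matcher rejects malformed addresses up front rather than silently never matching them, which is the failure mode you want for a list that is supposed to be the only hole in an isolated host.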
- Save the changes to your profile.
- Assign the profile to a policy (see Configure a Policy Rule).