Manage the Endpoints. Palo Alto Networks. Advanced Endpoint Protection Administrator's Guide Version 3.1. Copyright Palo Alto Networks

Palo Alto Networks

4401 Great America Parkway

Santa Clara, CA 95054

www.paloaltonetworks.com/company/contact-us

About this Guide

This guide describes the initial installation and basic setup of a new Palo Alto Networks Endpoint Security Manager and Traps. Topics covered include prerequisites, best practices, and procedures for installing and managing Traps on the endpoints in your organization.

For additional information, refer to the following resources:

• For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
• For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
• For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
• For the most current PAN-OS 7.0 release notes, see https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes.html.
• To provide feedback on the documentation, please write to us at documentation@paloaltonetworks.com.

Palo Alto Networks, Inc. www.paloaltonetworks.com


The following topics describe how to manage the endpoints using the Endpoint Security Manager. It includes the following topics:


Manage Traps Action Rules

Use action rules to perform one-time actions on the Traps agent that runs on each endpoint.

• Add a New Action Rule
• Manage Data Collected by Traps
• Shut Down or Suspend EPM Protection
• Uninstall or Upgrade Traps on the Endpoint
• Update or Revoke the Traps License on the Endpoint

Add a New Action Rule

For each action rule, you can specify the organizational object(s), condition(s), and action(s) to take on each endpoint.

Add a New Action Rule

Step 1 Launch the Action Wizard. Select Manage > Add Action.

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the objects.
• All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.


Step 4 Select the type of task you want to perform.
Select one of the following from the Tasks drop-down, and then configure the settings according to the type of task:
• Agent Data—For more information, see Manage Data Collected by Traps.
• Agent Service—For more information, see Shut Down or Suspend EPM Protection.
• Agent Installation—For more information, see Uninstall or Upgrade Traps on the Endpoint.
• Agent License—For more information, see Update or Revoke the Traps License on the Endpoint.

Step 5 Define the action rule.
1. Review the details in the action summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there you can Delete or Suspend the rule, as required.

Manage Data Collected by Traps

Use the Action Wizard to perform the following actions for data files that Traps creates on the endpoint:

Clear History
Each endpoint stores a history of the security preventions. Select this option to clear historical data files from displaying in the Traps console.

Erase Memory Dumps
Memory dumps are records of the contents of system memory when a prevention event occurs. Select this option to erase the system memory records on the target objects.

Erase Quarantined Files
When a security event occurs on an endpoint, Traps captures memory dumps and recent files associated with the event and stores them in the quarantine folder on the endpoint. Select this option to delete the files associated with the security event from the target objects.

Retrieve Data that the Agent Collects
Traps collects security event history, memory dumps, and other information associated with a security event. Select this option to retrieve all the information saved from all events that occurred on the endpoint. After this rule runs, the Traps agent sends all the data related to the prevention, including a memory dump of the protected process, to the designated quarantine folder.

Retrieve Logs that the Agent Collects
Traps collects detailed application trace logs and stores information about processes and applications that run on the endpoint. Use the log file to debug an issue with an application or to investigate a specific problem that writes to the log. Selecting this option creates an action rule to retrieve all the application trace information for an endpoint. After this rule runs, the Traps agent sends all the logs to the designated quarantine folder.

Manage Data that Traps Collects

Step 1 Launch the Action Wizard. Select Manage > Add Action.

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.


Step 4 Define the tasks to carry out on the Traps data stored on the endpoints.
1. Select Agent Data from the Tasks drop-down.
2. Select one or more of the options to manage agent data.
3. Click Next.

Step 5 Define the action rule.
1. Review the details in the action summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there, you can Delete or Suspend the rule, as required.

Shut Down or Suspend EPM Protection

If a security policy interferes with a legitimate application, you can temporarily suspend or shut down Exploitation Prevention Module (EPM) injection on an endpoint. For endpoints running Traps version 3.1 or later, Traps will not inject the EPMs into processes while the rule is active but will still send notifications about security events.

After completing the necessary task, we recommend that you analyze the event and define a security rule that is specific to this application and then enable EPM protection. In the case of EPM suspension, the rule automatically enables EPM protection after the specified duration lapses. In the case of EPM shutdown, you must manually restart the endpoint to start the Traps service on the endpoint and re-enable EPM protection.

Shut Down or Suspend EPM Protection


Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to find the objects.
• All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.
2. Click Next.

Step 4 Suspend or shut down EPM protection.
1. Select Agent Service from the Tasks drop-down and then select one of the following actions:
• To temporarily suspend injection of security modules, select Suspend Protection For and specify the duration in minutes from the drop-down, either 10, 30, 60, or 180 minutes.
• To disable injection of security modules for the life of the action rule, select Shutdown Protection.
2. Click Next.

Step 5 Define the action rule.
1. Review the details in the action summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there,


Uninstall or Upgrade Traps on the Endpoint

Use the Action Wizard to perform the following actions for Traps on the endpoint:

• Uninstall Traps from the target objects.
• Upgrade Traps using software that you upload to the ESM Server.

Uninstall or Upgrade Traps on the Endpoint

Step 1 Launch the Action Wizard. Select Manage > Add Action.

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.
2. Click Next.

Step 4 Define the tasks to carry out on Traps on the endpoints.
1. Select Agent Installation from the Tasks drop-down and then select one of the following actions:
• Uninstall
• Upgrade from path—Browse to the installation ZIP file, and then click Upload.


Step 5 Define the action rule.
1. Review the details in the action summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there, you can Delete or Suspend the rule, as required.

Update or Revoke the Traps License on the Endpoint

Use the Action Wizard to update or revoke a license from the Traps service running on an endpoint. Revoking a license enables you to reallocate that license to another endpoint. After you revoke a license, Traps will not protect the endpoint. Use the update option to replace a license on the endpoint and resume the Traps service.

Update or Revoke the Traps License on the Endpoint

Step 1 Launch the Action Wizard. Select Manage > Add Action.

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects


Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.
2. Click Next.

Step 4 Define the tasks to carry out on the Traps license on the endpoints.
1. Select Agent License from the Tasks drop-down and then select one of the following actions:
• Update
• Revoke
2. Click Next.

Step 5 Define the action rule.
1. Review the details in the action summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there,


Manage Agent Settings Rules

Use agent settings rules to change preferences relating to Traps from a central location.

• Add a New Agent Settings Rule
• Define Memory Dump Preferences
• Define Event Logging Preferences
• Hide or Restrict Access to the Traps Console
• Define Communication Settings Between the Endpoint and the ESM Server
• Collect New Process Information
• Manage Service Protection
• Change the Uninstall Password

Add a New Agent Settings Rule

For each agent settings rule, you can specify the organizational object(s), condition(s), and Traps preferences to apply.

Add a New Agent Settings Rule

Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects


Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.

Step 4 Select the type of preference you want to change.
Select one of the following, and then configure the settings according to the type of preference:
• Memory Dump—For more information, see Define Memory Dump Preferences.
• Event Logging—For more information, see Define Event Logging Preferences.
• User Visibility & Access—For more information, see Hide or Restrict Access to the Traps Console.
• Heartbeat Settings—For more information, see Define Communication Settings Between the Endpoint and the ESM Server.
• Process Management—For more information, see Collect New Process Information.
• Service Protection—For more information, see Manage Service Protection.
• Agent Security—For more information, see Change the Uninstall Password.

Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.


Define Memory Dump Preferences

When an application crashes or terminates abnormally, the endpoint records information about the event, including the contents of memory locations and other related details, in what is known as a memory dump. By default, the information is saved to a system log file on the endpoint and is useful in diagnosing and debugging a crash event. Create an agent settings rule to determine how Traps manages process-related memory dumps. The rule settings allow you to specify whether to send memory dumps automatically to the forensic folder and to change the size of the memory dump: small, medium, or full (the largest and most complete set of information).

Define Memory Dump Preferences

Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.


Step 4 Define where Traps stores memory dumps in the event of a prevention event.
1. Select Memory Dump from the Agent Settings drop-down and then select one of the following preferences:
• Automatically send the memory dumps to the server by selecting Send the memory dumps automatically.
• Specify the size of the memory dump file by selecting the Memory dump size option and then selecting Small, Medium, or Full from the drop-down.
2. Select one or more applications. Traps will apply the setting to the selected applications.
3. Click Next.

Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.

Define Event Logging Preferences

The Windows Event Log stores application, security, and system events that can help you diagnose the source of system problems. Use the Agent Settings Wizard to specify whether or not to send security events that Traps encounters to the Windows Event Log and to set a size quota for the temporary local storage folder that Traps uses to store the event information.

Define Event Logging Preferences

Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects


Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.

Step 4 Define the event logging settings for the endpoints.
1. Select Event Logging from the Agent Settings drop-down.
2. Perform one or more of the following actions:
• Select the Set disk quota (MB) option to specify the size of the temporary local storage folder that Traps will use to store event logs. Specify the quota amount in MB. The default is 1000 MB (10 GB). The maximum is 10,000,000 MB (10 TB).
• Select the Write agent events in the Windows event log option to send the Traps events to the Windows Event Log.
3. Click Next.

Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.

Hide or Restrict Access to the Traps Console

By default, a user can access the Traps console to view information about the current status of the endpoint, security events, and changes to the security policy. When a security event is triggered, the user also receives a notification about the event, including the application name, publisher, and a description of the exploit prevention or restriction rule that triggered the notification.

You can create an agent settings rule to change the accessibility of the console and to specify whether or not to hide notifications from the user.

Hide or Restrict Access to the Traps Console

Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.


Step 4 Define the user visibility and access settings for the endpoints.
1. Select User Availability & Access from the Agent Settings drop-down.
2. Select one or more of the following options:
• Hide tray icon—Installing Traps on an endpoint adds an icon to the notification area (system tray) by default. Use this option to hide the tray icon on the endpoint.
• Disable the user's access to the Traps user interface—By default, the user can access the Traps console by launching it from the system tray. Use this option to disable the ability to launch the console.
• Hide Traps user notifications—When the Traps agent encounters a prevention event, the user sees a notification message describing the event. Use this option to hide notifications.
3. Click Next.

Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then Enter the rule name and Enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.

Define Communication Settings Between the Endpoint and the ESM Server

On a regular basis, the endpoint communicates with the Endpoint Security Manager by sending heartbeat messages and reports to the ESM Server. During the heartbeat communication, the Traps agent requests the current security policy and sends a response to the Endpoint Security Manager to report the status of the endpoint. The frequency at which the Traps agent sends heartbeat messages to the ESM Server is called the heartbeat cycle. The optimal frequency is determined according to the number of endpoints in the organization and the typical network load. The default heartbeat period is 5 minutes.

The Traps agent also reports changes in service, including starts, stops, and crash events, and processes discovered on the endpoint. The frequency at which the Traps agent sends report notifications is called the reports interval.

Define Communication Settings Between the Endpoint and the ESM Server

Step 1 Launch the Agent Settings Wizard. Select > .

Step 2 Define the target objects to which to apply the rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule. If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.

Step 4 Define the heartbeat cycle for the endpoints.
1. Select Heartbeat Settings from the Agent Settings drop-down.
2. Select one or more of the following options:
• Set distinct heartbeat cycle—Specify the frequency in either Hours, Minutes, or Days.
• Set send reports interval—Specify the frequency in either Hours, Minutes, or Days.
3. Click Next.


Collect New Process Information

By collecting new process information from the endpoint, you can analyze whether or not to create security

rules. By default, the Traps agent does not collect information on new processes. You can configure Traps to

report every process that runs on an endpoint to the Endpoint Security Manager by enabling the

Process Management

setting. The Process Management page displays all manually added or automatically discovered

processes.

Step 5 Define the agent settings rule. 1. Review the details in the agent settings summary, then Enter the rule name and Enter the rule description.

2. Click one of the following actions.

Discard—Cancel without saving any changes to the rule.

Navigating away from the page also discards any changes.

Save & Apply—Save and apply the rule.

Save—Save the rule. To activate the rule at a later time, select

the rule from the Manage > Overview page and then click Activate.

Saved rules appear on the Manage > Overview page. From there

you can Delete, Deactivate, or Edit the rule, as required.

Collect New Process Information

Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.

Step 2 Define the target objects to which to apply the agent settings rule.
1. Select one of the following options:
Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.

Step 4 Enable the collection of new processes on the endpoints.
1. Select Process Management from the Agent Settings drop-down.
2. Select the Collect new process information check box.
The new processes will appear on the Process Management page as unprotected processes. Define rules to protect the new processes, as required.
3. Click Next.

Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and the rule description.
2. Click one of the following actions:
Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
Save & Apply—Save and apply the rule.
Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there you can Delete, Deactivate, or Edit the rule, as required.
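Once Collect new process information is enabled, the Process Management page fills with unprotected processes and the administrator has to decide which of them deserve a protection rule. The script below is an added triage example, not Palo Alto Networks code and not a feature of the Endpoint Security Manager. It assumes the process inventory has been exported to a CSV with the columns endpoint, process, path and status (the guide does not describe such an export; the column names and the sample rows are constructed for the example). It counts how many endpoints reported each unprotected process, which is the usual basis for prioritising rules, and separately flags processes that run from user-writable directories, which warrant review before any rule is written for them.

```python
"""Triage helper for processes discovered by the Traps "Collect new process
information" setting (added example; not Palo Alto Networks code).

Assumptions (not from the guide): the Endpoint Security Manager process
inventory has been exported to CSV with the columns endpoint, process,
path and status, where status is either "protected" or "unprotected".
The guide only states that newly discovered processes appear on the
Process Management page as unprotected.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: four endpoints, a mix of protected and
# unprotected processes. Hostnames and paths are invented for the example.
SAMPLE_EXPORT = """endpoint,process,path,status
WS-001,outlook.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe,protected
WS-001,notepad++.exe,C:\\Program Files\\Notepad++\\notepad++.exe,unprotected
WS-002,notepad++.exe,C:\\Program Files\\Notepad++\\notepad++.exe,unprotected
WS-003,notepad++.exe,C:\\Program Files\\Notepad++\\notepad++.exe,unprotected
WS-002,updater.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe,unprotected
WS-004,putty.exe,C:\\Users\\bob\\Downloads\\putty.exe,unprotected
WS-004,outlook.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe,protected
"""

# Directory fragments that ordinary users can write to. A process running
# from one of these is worth a closer look before deciding on a rule.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_export(text):
    """Return the rows of the (assumed) CSV export as dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_unprotected(rows):
    """Group unprotected processes by (process, path) and count the endpoints
    that reported each one. Returns a list of dicts sorted so the most widely
    seen processes come first; ties are broken by process name."""
    seen = defaultdict(set)
    for row in rows:
        if row["status"].strip().lower() != "unprotected":
            continue
        key = (row["process"].strip().lower(), row["path"].strip())
        seen[key].add(row["endpoint"].strip())
    summary = []
    for (proc, path), endpoints in seen.items():
        lowered = path.lower()
        summary.append({
            "process": proc,
            "path": path,
            "endpoint_count": len(endpoints),
            "endpoints": sorted(endpoints),
            "user_writable_path": any(m in lowered for m in USER_WRITABLE_MARKERS),
        })
    summary.sort(key=lambda s: (-s["endpoint_count"], s["process"]))
    return summary


def rule_candidates(summary, min_endpoints=2):
    """Processes seen on at least min_endpoints endpoints are candidates for a
    protection rule; anything launched from a user-writable directory is
    returned separately for review, regardless of how many endpoints saw it."""
    candidates = [s["process"] for s in summary if s["endpoint_count"] >= min_endpoints]
    review = [s["process"] for s in summary if s["user_writable_path"]]
    return candidates, review


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    summary = summarize_unprotected(rows)
    for entry in summary:
        flag = " (user-writable path)" if entry["user_writable_path"] else ""
        print(f"{entry['process']:<16} {entry['endpoint_count']} endpoint(s){flag}")
    candidates, review = rule_candidates(summary)
    print("rule candidates:", candidates)
    print("review first:", review)
```

The threshold in rule_candidates is deliberately low so that a process seen on only one endpoint does not disappear from the list; raise min_endpoints for large fleets. Matching on path fragments is a heuristic, not a verdict: a legitimate per-user installer can live under AppData, and the point of the review list is only to order the work.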


Manage Service Protection

Service protection allows you to protect the Traps service running on your endpoints. When service protection is enabled, users cannot change registry values or files associated with Traps, or stop or modify the Traps service in any way.

Manage Service Protection

Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.

Step 2 Define the target objects to which to apply the agent settings rule.
1. Select one of the following options:
Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.

Step 4 Enable service protection.
1. Select Service Protection from the Agent Settings drop-down.
2. Select Enable service protection or Disable service protection.

Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and the rule description.
2. Click one of the following actions:
Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
Save & Apply—Save and apply the rule.
Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there you can Delete, Deactivate, or Edit the rule, as required.

Change the Uninstall Password

By default, you must enter the uninstall password specified during installation to uninstall Traps from an endpoint. Change the default password by creating an agent settings rule.

Change the Uninstall Password

Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.

Step 2 Define the target objects to which to apply the agent settings rule.
1. Select one of the following options:
Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
All objects
2. Click Next.

Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.

Step 4 Change the password.
1. Select Agent Security from the drop-down, then select the Set uninstall password check box.
2. Enter the password that the user or administrator will have to enter to uninstall Traps. The password must be at least 8 characters long.
3. Click Next.

Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and the rule description.
2. Click one of the following actions:
Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
Save & Apply—Save and apply the rule.
Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there you can Delete, Deactivate, or Edit the rule, as required.
