How to Use the DBconfig Tool in Traps


Created On 09/25/18 18:19 PM - Last Modified 07/19/22 23:09 PM


Resolution


Overview

Once the ESM Core has been installed on the Windows server, use the database configuration program (DBconfig.exe) to configure server settings such as the ninja mode password, users, licenses and authentication modes. The DBconfig program is run from a Windows command prompt opened as an administrator, using the methods described in this document.

 

Add a License to the Database

  1. Save the license TXT file to a directory that can be accessed from the ESM Console.
  2. Open a command prompt as an administrator and load the new license.
    Type: dbconfig importlicense "C:\<Path to License File>\<License File Name>.txt"

 

Manage Users, Groups, and Authentication Modes

Change or Add a User

During setup, specify the account name of the user that will administer the server. The account can be changed or added at any time.

To change or add a user:

  1. Open a command prompt as an administrator and browse to the Palo Alto Networks program folder.
    Type: cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  2. (Optional) View the existing user settings
    Type: dbconfig usermanagement show
  3. Type: dbconfig usermanagement allowedusers followed by the desired username. Use a semicolon to separate multiple values.
    For example: dbconfig usermanagement allowedusers <username1>;<username2>
    Note: The user names specified overwrite any current definitions and are case sensitive.

 

Add a Group

Groups are used to provide access to the ESM Console using a preexisting authentication group. By default, no groups are specified.

  1. Open a command prompt as an administrator and browse to the Palo Alto Networks program folder.
    Type: cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  2. (Optional) View the existing user settings
    Type: dbconfig usermanagement show
  3. To add a group, use the allowedgroups option followed by the desired group. Use a semicolon to separate multiple values. For example:
    dbconfig usermanagement allowedgroups <group1>;<group2>
    Note: The values specified overwrite any current definitions.

 

Change Authentication Mode

During setup specify one of the following authentication modes that the server should use to authenticate users:

  • Machine — The ESM Core works with the local device's users and groups.
  • Domain — The ESM Core works with the users and groups belonging to the device's domain.

 

To change the authentication mode follow the steps below:

  1. Open a command prompt as an administrator and browse to the Palo Alto Networks program folder.
    Type: cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  2. (Optional) View the existing user settings.
    Type: dbconfig usermanagement show
  3. Change the authentication mode using the authmode option followed by either 'machine' or 'domain'.
    For example: dbconfig usermanagement authmode machine
    Note: The value specified overwrites the current definition.
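The three user-management procedures above all run the same tool with different options, and every value written overwrites whatever is currently defined rather than adding to it. The following PowerShell script is an added example, not Palo Alto Networks code: it saves the current output of dbconfig usermanagement show to a file before making changes, restricts the authentication mode to the two values the article lists, and joins the user or group list with semicolons as the article's examples do. The function name, parameter names and the sample account names are assumptions; the executable path is the folder named in the article.

```powershell
#Requires -RunAsAdministrator
# Added example, not Palo Alto Networks code. The folder and option names come
# from the article; the function and parameter names are assumptions.
$DbConfig = 'C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server\dbconfig.exe'

# Run one dbconfig command, return its output as strings, fail on a non-zero exit code.
function Invoke-DbConfig([string[]]$Arguments) {
    $out = & $DbConfig @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "dbconfig $($Arguments -join ' ') failed: $out" }
    $out
}

function Set-TrapsUserManagement {
    param(
        [string[]]$AllowedUsers,    # complete list: the value overwrites, it does not append
        [string[]]$AllowedGroups,   # complete list, for the same reason
        [ValidateSet('machine', 'domain')]
        [string]$AuthMode           # the two modes the article documents
    )
    if (-not (Test-Path $DbConfig)) { throw "dbconfig.exe not found at $DbConfig" }

    # Save the current definitions before overwriting them so they can be restored by hand.
    $snap = Join-Path $env:TEMP ('traps-usermanagement-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    Invoke-DbConfig @('usermanagement', 'show') | Out-File -FilePath $snap -Encoding utf8
    Write-Host "Previous user management settings saved to $snap"

    if ($AllowedUsers) {
        # Names are case sensitive, so pass them exactly as the accounts are spelled.
        Invoke-DbConfig @('usermanagement', 'allowedusers', ($AllowedUsers -join ';')) | Out-Null
    }
    if ($AllowedGroups) {
        Invoke-DbConfig @('usermanagement', 'allowedgroups', ($AllowedGroups -join ';')) | Out-Null
    }
    if ($AuthMode) {
        Invoke-DbConfig @('usermanagement', 'authmode', $AuthMode) | Out-Null
    }

    # Print the resulting definitions so the operator can confirm nothing was dropped.
    Invoke-DbConfig @('usermanagement', 'show')
}

# Usage with constructed placeholder names (domain mode, two admins, one group):
# Set-TrapsUserManagement -AuthMode domain -AllowedUsers 'CORP\esmadmin', 'CORP\soc.oncall' -AllowedGroups 'CORP\ESM Admins'
```

Because the allowedusers and allowedgroups values replace the stored list, the script expects the full intended list on every call; the saved snapshot is what you consult if an account was left out.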

 

Manage Server Settings

Change the Ninja-Mode Password

Advanced Exploitation Prevention Modules (EPMs) are hidden and are accessible only in ninja mode. To view the advanced EPMs, enter the ninja mode password. To change the password, use the DBconfig tool:

  1. Open a command prompt as an administrator and browse to the Palo Alto Networks program folder.
    Type: cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  2. (Optional) View the existing server settings.
    Type: dbconfig server show
  3. Specify the new ninja mode password:
    Type: dbconfig server ninjamodepassword <password>

 

Change the Forensic Folder URL

During ESM Console installation, the destination folder used by the ESM Console for storing the forensic information collected for each security event or crash event is configured. This folder path is set in IIS. Agents use the BitsUrl to query IIS for the forensic folder location. To change the BitsUrl:

  1. Open a command prompt as an administrator and browse to the Palo Alto Networks program folder.
    Type: cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  2. (Optional) View the existing server settings.
    Type: dbconfig server show
  3. To specify the BITS upload URL, use the BitsUrl option to set a URL that the agent will use to look up the forensic folder path.
    Type: dbconfig server BitsUrl <URL>
    For example: dbconfig server BitsUrl http://TRAPSESM:80/BitsUploads


Note: The value specified overwrites the current definition. If SSL is used, the URL must begin with https://.

 

Change the Inventory Interval

The inventoryinterval setting specifies the frequency (in hours) at which the endpoint sends the list of applications running on the endpoint (if defined) to the ESM Core. The description includes information such as OS, domain and IP address, and is transmitted in the heartbeat.

  1. Open a command prompt as an administrator and browse to the Palo Alto Networks program folder.
    Type: cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  2. (Optional) View the existing server settings.
    Type: dbconfig server show
  3. Use the inventoryinterval option followed by the new value to change the setting.
    Type: dbconfig server inventoryinterval <value>
    In the following example, the inventory interval setting is updated so that the endpoint sends device information every 7 days (168 hours):
    dbconfig server inventoryinterval 168
    Note: The value specified overwrites the current definition.
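The BitsUrl and inventoryinterval settings above are plain values that dbconfig stores as given, so the checks that matter happen before the command runs: the URL has to be absolute, has to begin with https:// when SSL is in use, and its host name has to resolve for the agents that will query it. The following PowerShell script is an added example, not Palo Alto Networks code; it validates those properties, writes the settings, and prints only the lines of dbconfig server show that changed. The function and parameter names are assumptions; the option names, folder and sample URL are those the article uses.

```powershell
#Requires -RunAsAdministrator
# Added example, not Palo Alto Networks code. Folder and option names come from
# the article; function and parameter names are assumptions.
$DbConfig = 'C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server\dbconfig.exe'

# Run one dbconfig command, return its output as strings, fail on a non-zero exit code.
function Invoke-DbConfig([string[]]$Arguments) {
    $out = & $DbConfig @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "dbconfig $($Arguments -join ' ') failed: $out" }
    $out
}

function Set-TrapsServerSettings {
    param(
        [string]$BitsUrl,                  # e.g. http://TRAPSESM:80/BitsUploads
        [switch]$RequireSsl,               # set when the console is served over SSL
        [int]$InventoryIntervalHours = 0   # 0 = leave inventoryinterval unchanged
    )
    if (-not (Test-Path $DbConfig)) { throw "dbconfig.exe not found at $DbConfig" }
    $before = @(Invoke-DbConfig @('server', 'show'))

    if ($BitsUrl) {
        $uri = $null
        if (-not [System.Uri]::TryCreate($BitsUrl, [System.UriKind]::Absolute, [ref]$uri) -or
            $uri.Scheme -notin @('http', 'https')) {
            throw "BitsUrl must be an absolute http:// or https:// URL, got '$BitsUrl'"
        }
        if ($RequireSsl -and $uri.Scheme -ne 'https') {
            throw "SSL is in use, so BitsUrl must begin with https:// (got '$BitsUrl')"
        }
        # Agents look this host up themselves; warn if it does not resolve from the server.
        try { [System.Net.Dns]::GetHostEntry($uri.Host) | Out-Null }
        catch { Write-Warning "Host '$($uri.Host)' does not resolve from this server; agents may fail the lookup too." }
        # Pass the operator's string unchanged so the stored URL is exactly what was reviewed.
        Invoke-DbConfig @('server', 'BitsUrl', $BitsUrl) | Out-Null
    }

    if ($InventoryIntervalHours -gt 0) {
        Invoke-DbConfig @('server', 'inventoryinterval', "$InventoryIntervalHours") | Out-Null
    } elseif ($InventoryIntervalHours -lt 0) {
        throw 'InventoryIntervalHours is a number of hours and cannot be negative'
    }

    # Show only the lines of "dbconfig server show" that changed (nothing printed = no change).
    $after = @(Invoke-DbConfig @('server', 'show'))
    Compare-Object -ReferenceObject $before -DifferenceObject $after |
        ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
}

# Usage with the article's sample URL and a weekly inventory (168 hours):
# Set-TrapsServerSettings -BitsUrl 'http://TRAPSESM:80/BitsUploads' -InventoryIntervalHours 168
```

The diff at the end comes from comparing the show output line by line, so it works without knowing the exact layout of that output; lines prefixed with => are the new values, lines prefixed with <= the ones they replaced.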

 

Manage Reporting and Logging Preferences

During setup, specify external reporting. By default, event logging and syslog reporting are disabled. The reporting and logging settings can be added or changed at any time.

The values for each setting are true (enable) or false (disable).

 

Enable Syslog Reporting

The EnableSyslog option specifies whether or not events will be reported to a third-party syslog server. By default, external reporting is disabled.

  1. Open a command prompt as an administrator and browse to the Palo Alto Networks program folder.
    Type: cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  2. (Optional) View the existing reporting settings.
    Type: dbconfig reporting show
  3. Enable external reporting.
    Type: dbconfig reporting enableexternalreporting true
  4. Enable syslog reporting.
    Type: dbconfig server enablesyslog true
  5. Specify the IP address of the syslog server.
    Type: dbconfig server syslogserver <ipaddress>
  6. Specify the communication port for the syslog server, a value between 1 and 65535.
    Type: dbconfig server syslogport <portnumber>
  7. (Optional) Specify a timespan (in minutes) where a keep alive message is sent to the log or report.
    Type: dbconfig reporting keepalivetimeout <value>
  8. (Optional) Specify the frequency of reports from the endpoint (in minutes).
    Type: dbconfig reporting sendreportsinterval <value>
    Note: Specify a value of 0 if you do not wish to receive reports from the endpoint.
  9. (Optional) Specify the maximum and minimum number of report notifications to store in the database using the MaximumReportsCount and MinReportsCount options.
    Type: dbconfig reporting maximumreportscount <value> ; dbconfig reporting minreportscount <value>
    For example, specifying a maximum report count of 5000 notifications means that older notifications are discarded if the total is higher than 5000. Specifying a minimum report count of 1000 notifications means 1000 notifications are retained after a cleanup of old reports.
  10. (Optional) Specify the timeframe (in seconds) that will be given to an endpoint after its last heartbeat using the heartbeatgraceperiod option followed by the timeframe value.
    Type: dbconfig server heartbeatgraceperiod <value>
    In the following example, the heartbeat grace period setting is updated so that the endpoint reports a disconnected status after 5 minutes (300 seconds) of no heartbeat activity:
    dbconfig server heartbeatgraceperiod 300
    Note: The values specified overwrite the current definitions.

 

Enable Event Logging

The EnableEventLog option specifies events that will be recorded in the Windows event log. By default, event logging is disabled.

  1. Open a command prompt as an administrator and browse to the Palo Alto Networks program folder.
    Type: cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  2. (Optional) View the existing reporting settings.
    Type: dbconfig reporting show
  3. Enable external reporting.
    Type: dbconfig reporting enableexternalreporting true
  4. Enable event logging.
    Type: dbconfig reporting enableeventlog true
  5. (Optional) Specify a timespan (in minutes) where a keep alive message is sent to the log or report.
    Type: dbconfig reporting keepalivetimeout <value>
  6. (Optional) Specify the frequency of reports from the endpoint (in minutes).
    Type: dbconfig reporting sendreportsinterval <value>
    Note: Specify a value of 0 if you do not wish to receive reports from the endpoint.
  7. (Optional) Specify the maximum and minimum number of report notifications to store in the database using the MaximumReportsCount and MinReportsCount options.
    Type: dbconfig reporting maximumreportscount <value> ; dbconfig reporting minreportscount <value>
    For example, specifying a maximum report count of 5000 notifications means that older notifications are discarded if the total is higher than 5000. Specifying a minimum report count of 1000 notifications means 1000 notifications are retained after a cleanup of old reports.
    Note: The values specified overwrite the current definitions.
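The syslog and event-logging procedures above share their first steps (enable external reporting, then enable the specific channel) and their optional tail (keep-alive, report interval), and the article's only input constraints are that the syslog server is an IP address and the port lies between 1 and 65535. The following PowerShell script is an added example, not Palo Alto Networks code, covering both procedures in one function: it snapshots the current reporting and server settings to a file, validates the address and port before anything is written, issues the commands in the order the article gives them, and prints the resulting settings. Function and parameter names and the sample address are assumptions; the option names and folder are those the article uses.

```powershell
#Requires -RunAsAdministrator
# Added example, not Palo Alto Networks code. Folder and option names come from
# the article; function and parameter names are assumptions.
$DbConfig = 'C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server\dbconfig.exe'

# Run one dbconfig command, return its output as strings, fail on a non-zero exit code.
function Invoke-DbConfig([string[]]$Arguments) {
    $out = & $DbConfig @Arguments 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "dbconfig $($Arguments -join ' ') failed: $out" }
    $out
}

function Enable-TrapsExternalReporting {
    param(
        [string]$SyslogServer,            # IP address of the syslog server
        [int]$SyslogPort,                 # 1..65535, required together with -SyslogServer
        [switch]$EventLog,                # also record events in the Windows event log
        [int]$KeepAliveMinutes = 0,       # 0 = leave keepalivetimeout unchanged
        [int]$SendReportsMinutes = -1,    # -1 = leave sendreportsinterval unchanged; 0 = no reports
        [int]$HeartbeatGraceSeconds = 0   # 0 = leave heartbeatgraceperiod unchanged
    )
    if (-not (Test-Path $DbConfig)) { throw "dbconfig.exe not found at $DbConfig" }
    if (-not $SyslogServer -and -not $EventLog) { throw 'Specify -SyslogServer and/or -EventLog.' }

    # Validate inputs before touching the database, since each write overwrites the stored value.
    $ip = $null
    if ($SyslogServer) {
        if (-not [System.Net.IPAddress]::TryParse($SyslogServer, [ref]$ip)) {
            throw "SyslogServer must be an IP address, got '$SyslogServer'"
        }
        if ($SyslogPort -lt 1 -or $SyslogPort -gt 65535) {
            throw "SyslogPort must be between 1 and 65535, got $SyslogPort"
        }
    }

    # Keep a dated copy of the current reporting and server settings for rollback by hand.
    $snap = Join-Path $env:TEMP ('traps-reporting-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    @('reporting', 'server') | ForEach-Object {
        "--- dbconfig $_ show ---"; Invoke-DbConfig @($_, 'show')
    } | Out-File -FilePath $snap -Encoding utf8
    Write-Host "Previous settings saved to $snap"

    # Both channels sit behind the external-reporting switch, so enable that first.
    Invoke-DbConfig @('reporting', 'enableexternalreporting', 'true') | Out-Null
    if ($SyslogServer) {
        Invoke-DbConfig @('server', 'enablesyslog', 'true')         | Out-Null
        Invoke-DbConfig @('server', 'syslogserver', $ip.ToString()) | Out-Null
        Invoke-DbConfig @('server', 'syslogport', "$SyslogPort")    | Out-Null
    }
    if ($EventLog) {
        Invoke-DbConfig @('reporting', 'enableeventlog', 'true') | Out-Null
    }
    if ($KeepAliveMinutes -gt 0) {
        Invoke-DbConfig @('reporting', 'keepalivetimeout', "$KeepAliveMinutes") | Out-Null
    }
    if ($SendReportsMinutes -ge 0) {
        Invoke-DbConfig @('reporting', 'sendreportsinterval', "$SendReportsMinutes") | Out-Null
    }
    if ($HeartbeatGraceSeconds -gt 0) {
        Invoke-DbConfig @('server', 'heartbeatgraceperiod', "$HeartbeatGraceSeconds") | Out-Null
    }

    # Print the resulting settings so the operator can verify them against the snapshot.
    Invoke-DbConfig @('reporting', 'show')
    Invoke-DbConfig @('server', 'show')
}

# Usage with constructed values: syslog to 10.0.0.5 on port 514, Windows event log on,
# endpoints reported as disconnected after 5 minutes (300 seconds) without a heartbeat.
# Enable-TrapsExternalReporting -SyslogServer 10.0.0.5 -SyslogPort 514 -EventLog -HeartbeatGraceSeconds 300
```

The script deliberately validates the address and port before the first dbconfig call: once enableexternalreporting has been written, a failure half-way through would leave external reporting switched on with no usable destination, which the snapshot file lets you undo.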

