ESM (Server Side) Quarantine Size



Been running TRAPS for about 3-4 months now.  Recently got a notification that the ESM server (Windows OS) was getting low on disk space, started doing some investigation on it and noticed that the Quarantine folder located at C:\Program Files\Palo Alto\Quarantine was over 20GB.  I have found in the documentation where you can configure a max size on the endpoints, and once the quarantine hits that size it will start overwriting the oldest, but I can't seem to find where I can make that setting on the ESM server itself.  Anybody have any ideas?

Accepted Solutions


Hello Jimmy,

 

I don't think you can set a restriction on the forensic folder size. What I would typically do is configure the quarantine folder to a separate disk. You can move the quarantine folder in the IIS Manager > Sites > Default Web Site > BitsUploads > Basic Settings > Modify the Physical path, Test the settings and press OK. Please note this might not be the best practice configuration from Palo Alto Networks.

 

You should also delete unused preventions from the quarantine folder every 3 days according to Palo Alto Networks.

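The IIS Manager clicks in the accepted answer can be scripted. The following is an added example, not code from the thread or from Palo Alto Networks, and it carries the same caveat the answer does (Palo Alto Networks may not consider relocating the folder best practice). It assumes the WebAdministration module is available on the ESM, that the upload virtual directory lives at the provider path `IIS:\Sites\Default Web Site\BitsUploads` (taken from the IIS Manager path in the post), and that `D:\Quarantine` is the dedicated volume you want to move to; the free-space threshold is a placeholder.

```powershell
# Added example (not from the thread or Palo Alto Networks): scripted equivalent of
# IIS Manager > Sites > Default Web Site > BitsUploads > Basic Settings > Physical path.
# Assumptions: WebAdministration module present, BitsUploads is directly under
# Default Web Site, D:\Quarantine is the new dedicated volume. Run elevated on the ESM.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$vdir      = 'IIS:\Sites\Default Web Site\BitsUploads'   # assumed provider path for the upload vdir
$newPath   = 'D:\Quarantine'                             # assumed dedicated disk
$minFreeGB = 50                                          # assumed headroom required before switching

# 1. Record where the uploads land today so the move can be reversed if needed.
$oldPath = (Get-Item -Path $vdir).physicalPath
Write-Host "Current BitsUploads physical path: $oldPath"

# 2. Make sure the target exists and actually has room; a full new disk just moves the problem.
if (-not (Test-Path -LiteralPath $newPath -PathType Container)) {
    New-Item -ItemType Directory -Path $newPath | Out-Null
}
$root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $newPath).Path)   # e.g. D:\
$free  = (Get-PSDrive -Name $root.TrimEnd(':\')).Free / 1GB
if ($free -lt $minFreeGB) {
    throw "Only $([math]::Round($free, 1)) GB free on $root; aborting before touching IIS."
}

# 3. Carry the existing uploads across. /COPY:DAT keeps timestamps, which any
#    age-based cleanup script later relies on.
robocopy $oldPath $newPath /E /COPY:DAT /R:2 /W:5 /NP | Out-Null
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); IIS left unchanged."
}

# 4. Re-apply the old folder's explicit ACL so the account BITS uploads run as
#    (normally the application pool identity) keeps write access. Inherited
#    entries are not carried over, so verify with Get-Acl afterwards.
Get-Acl -LiteralPath $oldPath | Set-Acl -LiteralPath $newPath

# 5. Repoint the virtual directory and confirm.
Set-ItemProperty -Path $vdir -Name physicalPath -Value $newPath
Write-Host "BitsUploads now points at: $((Get-Item -Path $vdir).physicalPath)"
```

The old folder is deliberately left in place; remove it only after new prevention uploads are visibly arriving under the new path. The IIS Manager "Test Settings" step has no scripted equivalent here, so check `Get-Acl` on the new folder and watch the first few uploads rather than assuming the ACL copy was sufficient.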

Hi Jimmy,

 

As SvenMik suggests, there isn't currently a configuration option to control the size of the Forensics folder on the ESM itself.

 

As far as I'm aware, the location of this folder can be configured to wherever you prefer.

 

We do recommend periodically removing old uploads from this directory on the ESM - a simple script can be configured to do so automatically.  Support can provide you with an example designed to be run as a Windows Scheduled Task.


We ran into this as well. Support will provide you with a basic batch command to delete anything in that directory. You may want the flexibility to purge the Wildfire zips sooner than the Forensics zips (dump and log files). We cobbled together this PS script. You can modify the AddDays value to whatever works for your org. Remember...you can use the -WhatIf to verify results before you actually delete things. Add that after the Remove-Item statement and you will see the what if.

 

### Clean up script for Traps Quarantine Directory
# Purges old uploads from the ESM quarantine folder: WildFire sample zips are
# kept 14 days, forensic dump/log zips 30 days. Adjust the AddDays values to suit.
# Append -WhatIf to either Remove-Item to preview what would be deleted.

$Path = "C:\YourPathTo\Quarantine"
$CurrentDate = Get-Date
$DatetoDeleteWildfire = $CurrentDate.AddDays(-14)
$DatetoDeleteForensics = $CurrentDate.AddDays(-30)

# Clean up Wildfire (compare against the WildFire cutoff)
Get-ChildItem $Path -Include Wildfire_*.zip -File -Recurse | Where-Object { $_.LastWriteTime -lt $DatetoDeleteWildfire } | Remove-Item
# Clean up Forensics (compare against the longer forensics cutoff)
Get-ChildItem $Path -Include Logs_*.zip, Dumps_*.zip -File -Recurse | Where-Object { $_.LastWriteTime -lt $DatetoDeleteForensics } | Remove-Item

 
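Both the suggestion above that a scheduled script remove old uploads and the per-type retention script in the preceding post point at the same thing: a purge that a Scheduled Task can run unattended and that can be dry-run first. The following is an added example, not code from the thread, from Support, or from Palo Alto Networks. It assumes the quarantine has been relocated to `D:\Quarantine` and that uploads follow the `Wildfire_*.zip`, `Logs_*.zip` and `Dumps_*.zip` naming seen in the post; the retention values and log path are placeholders to change for your environment.

```powershell
# Added example (not from the thread, Support, or Palo Alto Networks): age-based purge
# of the ESM quarantine directory with separate retention per upload type, written to
# run as a Windows Scheduled Task. Supports -WhatIf / -Confirm for dry runs.
# Assumptions: quarantine at D:\Quarantine, file-name prefixes as quoted in the post.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$QuarantinePath        = 'D:\Quarantine',                         # assumed relocated path
    [int]   $WildFireRetentionDays = 14,
    [int]   $ForensicsRetentionDays = 30,
    [string]$LogPath               = "$env:ProgramData\QuarantineCleanup.log"   # assumed log location
)

# Retention policy: file-name filter -> days to keep. Forensic dumps and logs are
# kept longer than WildFire samples, which is the split the post wanted.
$policy = @(
    @{ Filter = 'Wildfire_*.zip'; Days = $WildFireRetentionDays }
    @{ Filter = 'Logs_*.zip';     Days = $ForensicsRetentionDays }
    @{ Filter = 'Dumps_*.zip';    Days = $ForensicsRetentionDays }
)

# Refuse to run against a missing folder or a drive root; a mistyped path must
# never turn into a recursive delete of the wrong tree.
if (-not (Test-Path -LiteralPath $QuarantinePath -PathType Container)) {
    throw "Quarantine path '$QuarantinePath' does not exist; refusing to run."
}
$resolved = (Resolve-Path -LiteralPath $QuarantinePath).Path
if ($resolved -eq [System.IO.Path]::GetPathRoot($resolved)) {
    throw "Quarantine path '$resolved' is a drive root; refusing to run."
}

$now   = Get-Date
$freed = 0L
foreach ($rule in $policy) {
    $cutoff = $now.AddDays(-$rule.Days)
    Get-ChildItem -LiteralPath $resolved -Filter $rule.Filter -File -Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # ShouldProcess honours -WhatIf and -Confirm passed to the script, so a dry
            # run lists every candidate with its cutoff without deleting anything.
            if ($PSCmdlet.ShouldProcess($_.FullName, "Delete (older than $($rule.Days) days)")) {
                $freed += $_.Length
                Remove-Item -LiteralPath $_.FullName -Force
                Add-Content -Path $LogPath -Value ("{0} deleted {1} ({2} bytes, LastWriteTime {3})" -f
                    $now.ToString('s'), $_.FullName, $_.Length, $_.LastWriteTime.ToString('s'))
            }
        }
}
Add-Content -Path $LogPath -Value ("{0} run complete, freed {1} MB" -f
    $now.ToString('s'), [math]::Round($freed / 1MB, 1))
```

Run it once by hand with `-WhatIf` to see exactly which files each rule would remove, then schedule it with `Register-ScheduledTask` (for example a daily trigger via `New-ScheduledTaskTrigger -Daily -At 02:00` and an action of `powershell.exe -NoProfile -File <path to this script>`), running as an account that has delete rights on the quarantine folder and nothing more. The log gives you a per-file record of what was purged and when, which is worth keeping if anyone later asks why a prevention's sample is no longer on disk.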

Hi,

We have set quarantine to use a separate drive. Is it true that oldest files will be overwritten if the drive fills up?

 

Also, if I physically remove the files (either manually or via script), will this have any impact on what is shown and available historically in ESM Console?

 

e.g. if I remove a wildfire* file from the quarantine folder will the Traps console still be able to show full detail on the associated prevention event?

 

Thanks,

Shannon
