
13 Nov 18

PaloAlto Traps ESM Core Reconfiguration

Traps

Traps™ replaces antiquated antivirus solutions by preventing advanced persistent threats (APTs) and zero-day attacks. Traps also provides protection for your endpoints by blocking attack vectors before any malware is initiated or software vulnerabilities or bugs are exploited.

Cyberattacks are attacks performed on networks or endpoints to inflict damage, steal information, or achieve other goals that involve taking control over computer systems that do not belong to the attackers. Adversaries perpetrate cyberattacks either by causing a user to unintentionally run a malicious executable file or by exploiting a weakness in a legitimate executable file to run malicious code behind the scenes without the knowledge of the user.

 

Traps Installation

During the Traps ESM Core installation you specify the ESM Server port that Traps agents use to reach ESM Core, or keep the default (TCP port 2125).

You also select the certificate configuration:

  • No Certificate (no SSL): communication between the server and the agents is not encrypted, so policy, licensing and status traffic crosses the network in cleartext and can be read or altered by anyone on the path.
  • External Certificate (SSL): communication between the server and the agents is encrypted over SSL/TLS using a certificate you supply. The certificate must be installed in the Local Machine Personal store on the ESM server so that it can be bound to the listening port with netsh.

Problem

If you want to move the ESM Server port from the default (TCP port 2125) to another port, or to change the certificate configuration from No SSL to SSL, you would normally need to reinstall ESM Core.

Solution

The two procedures below change the ESM Server settings without reinstalling ESM Core. Keep in mind that Traps agents connect to the port they were installed with, so after a port change the agents must be pointed at the new port as well, and the new port must be allowed through the Windows Firewall on the ESM server if the existing rule only covers 2125.

Reconfigure ESM Core Port from default (2125) to another port

  1. Stop the Endpoint Security Manager service.
  2. Back up and then edit the ESM Server configuration file (C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server\cyveraServer.exe.config) in a text editor.
  3. Locate the following entries and change port 2125 to the desired port number in each of them. In this example the port is changed from 2125 to 2020:

     <add key="ServerApiBaseAddress" value="https://*:2020/api/"/>
     <add baseAddress="https://0.0.0.0:2020/CyveraServer/"/>
     <add baseAddress="https://0.0.0.0:2020/CyveraLicensing/"/>
     <add baseAddress="https://0.0.0.0:2020/CyveraStatus/"/>

  4. Save the configuration file.
  5. Start the Endpoint Security Manager service.


To confirm the change:

  1. Open a command prompt.
  2. Run netstat -ao and check that port 2020 (in this example) is in the LISTENING state and that port 2125 is no longer in use.

If the ESM was installed with SSL, the certificate binding in HTTP.sys is still attached to port 2125 and must be moved to the new port; until it is, agents cannot complete the TLS handshake on the new port even though the service is listening.

To remove the certificate binding on port 2125:

     netsh http delete sslcert ipport=0.0.0.0:2125

To bind the certificate to the new port, 2020 in this example (the certificate hash is the thumbprint of the certificate in the Local Machine Personal store, pasted without spaces):

     netsh http add sslcert ipport=0.0.0.0:2020 certhash=<CERTIFICATE_HASH_HERE> appid={935e55e3-8b9d-4b95-954c-423626f887f9} clientcertnegotiation=enable

Verify the new binding with netsh http show sslcert ipport=0.0.0.0:2020.

Change ESM Core from Non-SSL to SSL

  1. Open CMD as Administrator.
  2. Copy and paste the command below, changing only the certificate hash (the thumbprint of the certificate in the Local Machine Personal store):

     netsh http add sslcert ipport=0.0.0.0:2125 certhash=CERTIFICATE_HASH_HERE appid={935e55e3-8b9d-4b95-954c-423626f887f9} clientcertnegotiation=enable

     • The certificate hash must be pasted without any spaces.
     • Run "netsh http show sslcert" to verify that the certificate is bound to the port.
     • If a different port was chosen for agent-ESM communication during the ESM and agent installation, use that port in every command and configuration entry in this article.
  3. Back up cyveraserver.exe.config by copying it to another folder.
  4. Edit cyveraserver.exe.config (located by default in C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server) so that the ServerApiBaseAddress and baseAddress entries use https:// instead of http://, matching the https:// form of the entries shown in the port procedure above.
  5. Restart the Endpoint Security Manager service.
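As an added example (this is not code from the original article or from Palo Alto Networks), the PowerShell script below carries out both procedures in one run from an elevated prompt on the ESM server: it backs up cyveraServer.exe.config, rewrites the ServerApiBaseAddress and baseAddress entries (new port and/or http to https) by editing the XML rather than doing a text replace, moves the HTTP.sys certificate binding with the same netsh commands the article uses, restarts the service and repeats the netstat check. Running it with -OldPort 2125 -NewPort 2125 -Scheme https performs the Non-SSL to SSL change only. The config path and app id are the ones quoted in the article; the service display name prefix, the requirement that the certificate already be in Cert:\LocalMachine\My, and the assumption that every <add baseAddress=...> entry is an ESM listener are mine.

```powershell
<#
  Added example, not code from the original article or from Palo Alto Networks.
  Rewrites the ESM Core listener entries in cyveraServer.exe.config, moves the
  HTTP.sys certificate binding, restarts the service and confirms the new port.
  Run from an elevated PowerShell prompt on the ESM Core server.
  Assumptions not stated by the article: the service display name starts with
  "Endpoint Security Manager", the certificate is already in Cert:\LocalMachine\My,
  and every <add baseAddress=...> entry in the config is an ESM listener.
#>
param(
    [int]$OldPort = 2125,
    [int]$NewPort = 2020,
    [ValidateSet('http', 'https')][string]$Scheme = 'https',
    [string]$CertHash = 'CERTIFICATE_HASH_HERE'   # certificate thumbprint; spaces are stripped below
)

$ConfigPath = 'C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server\cyveraServer.exe.config'
$AppId      = '{935e55e3-8b9d-4b95-954c-423626f887f9}'   # app id from the article's netsh commands

function ConvertTo-ListenerUrl {
    param([string]$Url, [int]$FromPort, [int]$ToPort, [string]$ToScheme)
    # Only rewrite URLs that currently use the old port; any other listener is left alone.
    $m = [regex]::Match($Url, '^(?<scheme>https?)://(?<host>[^/:]+):(?<port>\d+)(?<path>/.*)?$')
    if (-not $m.Success) { throw "Unexpected listener URL in config: $Url" }
    if ([int]$m.Groups['port'].Value -ne $FromPort) { return $Url }
    return '{0}://{1}:{2}{3}' -f $ToScheme, $m.Groups['host'].Value, $ToPort, $m.Groups['path'].Value
}

function Set-EsmListenerAddress {
    param([string]$Path, [int]$FromPort, [int]$ToPort, [string]$ToScheme)
    # Edit the XML so that only the listener entries change, not arbitrary "2125" strings.
    [xml]$cfg = Get-Content -Raw -Path $Path -ErrorAction Stop
    $changed = 0
    foreach ($node in $cfg.SelectNodes('//add[@key="ServerApiBaseAddress"]')) {
        $node.SetAttribute('value', (ConvertTo-ListenerUrl $node.GetAttribute('value') $FromPort $ToPort $ToScheme))
        $changed++
    }
    foreach ($node in $cfg.SelectNodes('//add[@baseAddress]')) {
        $node.SetAttribute('baseAddress', (ConvertTo-ListenerUrl $node.GetAttribute('baseAddress') $FromPort $ToPort $ToScheme))
        $changed++
    }
    if ($changed -eq 0) { throw "No ServerApiBaseAddress/baseAddress entries found in $Path" }
    $cfg.Save($Path)
    return $changed
}

function Move-EsmSslBinding {
    param([int]$FromPort, [int]$ToPort, [string]$Thumbprint, [string]$AppId)
    $Thumbprint = $Thumbprint -replace '\s', ''   # netsh rejects a hash pasted with spaces
    if (-not (Test-Path "Cert:\LocalMachine\My\$Thumbprint")) {
        throw "Certificate $Thumbprint is not in the Local Machine Personal store, which netsh requires"
    }
    # Drop the old binding if one exists (netsh exits non-zero when nothing is bound there).
    netsh http show sslcert ipport="0.0.0.0:$FromPort" | Out-Null
    if ($LASTEXITCODE -eq 0) { netsh http delete sslcert ipport="0.0.0.0:$FromPort" | Out-Null }
    netsh http add sslcert ipport="0.0.0.0:$ToPort" certhash=$Thumbprint appid=$AppId clientcertnegotiation=enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not bind $Thumbprint to 0.0.0.0:$ToPort" }
}

function Test-EsmListening {
    param([int]$Port)
    # The same check the article makes with netstat: is a TCP socket listening on the port?
    $rows = netstat -ano | Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING"
    return ($rows | Measure-Object).Count -gt 0
}

$svc = Get-Service -DisplayName 'Endpoint Security Manager*' -ErrorAction Stop | Select-Object -First 1
Stop-Service -Name $svc.Name -Force -ErrorAction Stop

# Keep a timestamped copy so the change can be reverted if the service fails to start.
Copy-Item -Path $ConfigPath -Destination ('{0}.bak-{1}' -f $ConfigPath, (Get-Date -Format 'yyyyMMddHHmmss')) -ErrorAction Stop
$n = Set-EsmListenerAddress -Path $ConfigPath -FromPort $OldPort -ToPort $NewPort -ToScheme $Scheme
Write-Host "Rewrote $n listener entries to ${Scheme}://...:$NewPort"

if ($Scheme -eq 'https') {
    # Bind the certificate before the service starts, so the first agent connection can complete TLS.
    Move-EsmSslBinding -FromPort $OldPort -ToPort $NewPort -Thumbprint $CertHash -AppId $AppId
    netsh http show sslcert ipport="0.0.0.0:$NewPort"   # the article's verification step
}

Start-Service -Name $svc.Name -ErrorAction Stop
Start-Sleep -Seconds 10   # give the WCF listeners time to register with HTTP.sys

if (-not (Test-EsmListening $NewPort)) {
    throw "ESM Core is not listening on $NewPort; restore the .bak file and check the Application event log"
}
if ($OldPort -ne $NewPort -and (Test-EsmListening $OldPort)) {
    Write-Warning "Something is still listening on $OldPort"
}
Write-Host "ESM Core is listening on $NewPort"
```

The port filter in ConvertTo-ListenerUrl is deliberate: if the config ever carries a listener on another port, a plain search-and-replace of "2125" could also hit that entry or an unrelated value, whereas this only touches the entries that really point at the old port.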

 

Author:

Muhammed Saeed

Senior Engineer - Security