Methods to Check for Corporate Credential Submissions
This table describes three corporate credential detection methods and the User-ID configuration each method requires before you can enable it.

Where can I use this?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)

What do I need?
  • Advanced URL Filtering license (or an active legacy URL Filtering license)
Notes:
  • Legacy URL Filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access licenses include Advanced URL Filtering capabilities.
Before you enable credential phishing prevention, decide which method you want to use to check whether valid corporate credentials have been submitted to a web page. The methods differ in what they can detect (usernames only, or usernames together with passwords), in how prone they are to false positives, and in the User-ID configuration they require.
For each method, the entries below give the User-ID configuration it requires and explain how it detects corporate usernames and/or passwords that users submit to websites.

Method: Group Mapping
User-ID configuration requirements: Group Mapping configuration on the firewall.
How it works: The firewall checks whether the username a user submits to a site in a restricted category matches any valid corporate username. To do this, it compares the submitted username against the list of usernames in its user-to-group mapping table. Because this method only checks that a submitted username exists in the directory (based on LDAP group membership), and verifies neither that the username belongs to the person submitting it nor the password, it is simple to configure but more prone to false positives: a user submitting a colleague's username, or an account name on an unrelated site that happens to coincide with a corporate username, also triggers the configured action.
Method: IP-User Mapping
User-ID configuration requirements: IP address-to-username mappings identified through user mapping, GlobalProtect, or Authentication Policy and Authentication Portal.
How it works: The firewall checks whether the username a user submits to a site in a restricted category is the username mapped to the source IP address of that session. To do this, it looks up the session's source IP address in its IP address-to-username mapping table and compares the login username mapped to that address with the submitted username. Because the check is tied to the user logged in at that IP address, this method is an effective way to detect users submitting their own corporate usernames, but it does not detect corporate password submission. If you want to detect corporate username and password submission, you must use the Domain Credential Filter method.
Method: Domain Credential Filter
User-ID configuration requirements: Windows User-ID agent configured with the User-ID credential service add-on
- AND -
IP address-to-username mappings identified through user mapping, GlobalProtect, or Authentication Policy and Authentication Portal.
How it works: The firewall checks whether the username and password a user submits match that same user's corporate username and password. To do this, the firewall must both match the submission against valid corporate usernames and passwords and verify that the submitted username maps to the IP address of the login username:
  • To detect corporate usernames and passwords—The firewall retrieves a secure bit mask, called a bloom filter, from a Windows User-ID agent equipped with the User-ID credential service add-on. The add-on service scans your directory for usernames and password hashes, deconstructs them into the bloom filter, and delivers the filter to the Windows User-ID agent; the firewall retrieves it from the agent at regular intervals. The filter contains no usernames or password hashes that can be read back out of it, so distributing it to the firewall does not expose directory credentials. Whenever the firewall detects a user submitting credentials to a restricted category, it tests the submitted username and password hash against the bloom filter and looks for a match. As with any bloom filter, a credential that was added to the filter is never missed, while a credential that was not added can, with low probability, still produce a match (a false positive). The firewall can only connect to one Windows User-ID agent running the User-ID credential service add-on.
  • To verify that the credentials belong to the login username—The firewall looks for a mapping between the IP address of the login username and the detected username in its IP address-to-username mapping table.
To learn more about the domain credential method, see Configure Credential Detection with the Windows-based User-ID Agent.
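The following Python block is an added example and is not Palo Alto Networks code; it models the three checks described above so the differences between them can be seen on concrete input. The group mapping table, IP address-to-username table, directory contents, IP addresses and the hash scheme used to build the bloom filter (SHA-256 of the password, bound to the lowercased username) are all constructed for illustration; the real credential service add-on's filter format is not documented on this page. The example assumes the submission already landed on a site in a restricted category, so only the credential checks are shown.

```python
"""Toy model of the three corporate credential submission checks.

Added example, not Palo Alto Networks code. All tables, users, addresses
and the filter's hash scheme are constructed for illustration.
"""
import hashlib
import math
from dataclasses import dataclass

# --- constructed User-ID state -------------------------------------------
# Group mapping: every username known from LDAP group membership.
GROUP_MAPPING = {"acme\\alice", "acme\\bob", "acme\\carol"}

# IP address-to-username mapping (user mapping, GlobalProtect, portal...).
IP_USER_MAPPING = {"10.1.1.10": "acme\\alice", "10.1.1.20": "acme\\bob"}

# Directory contents the (hypothetical) credential service add-on scanned.
# A real directory holds password hashes; plaintext here only to build it.
DIRECTORY = {"acme\\alice": "Winter2024!", "acme\\bob": "hunter2"}


class BloomFilter:
    """Minimal bloom filter: no false negatives, rare false positives, and
    the entries themselves cannot be recovered from the bit array."""

    def __init__(self, n_items: int, fp_rate: float = 1e-6) -> None:
        sized = math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2)
        self.m = max(1024, sized)                      # bits in the array
        self.k = min(16, max(1, round(self.m / n_items * math.log(2))))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # k independent positions derived from SHA-256 with a per-hash prefix.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8))
                   for p in self._positions(item))


def credential_entry(username: str, password: str) -> bytes:
    """Constructed entry format: username bound to its password hash."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return f"{username.lower()}:{pw_hash}".encode()


def build_domain_filter(directory: dict) -> BloomFilter:
    """What the add-on ships to the agent: a filter, not the credentials."""
    bf = BloomFilter(len(directory))
    for user, pw in directory.items():
        bf.add(credential_entry(user, pw))
    return bf


DOMAIN_FILTER = build_domain_filter(DIRECTORY)


@dataclass
class Submission:
    src_ip: str      # source address of the session submitting the form
    username: str
    password: str


def check_group_mapping(s: Submission) -> bool:
    """Flags any submitted username that exists in the directory."""
    return s.username.lower() in GROUP_MAPPING


def check_ip_user_mapping(s: Submission) -> bool:
    """Flags only when the submitted username is the user logged in at src_ip."""
    return IP_USER_MAPPING.get(s.src_ip, "").lower() == s.username.lower()


def check_domain_credential_filter(s: Submission) -> bool:
    """Flags when username+password match the filter AND the username maps
    to the submitting IP address (both conditions from the table above)."""
    in_filter = credential_entry(s.username, s.password) in DOMAIN_FILTER
    return in_filter and check_ip_user_mapping(s)


def evaluate(s: Submission) -> dict:
    return {
        "group_mapping": check_group_mapping(s),
        "ip_user_mapping": check_ip_user_mapping(s),
        "domain_credential_filter": check_domain_credential_filter(s),
    }


if __name__ == "__main__":
    cases = [
        Submission("10.1.1.10", "acme\\alice", "Winter2024!"),  # own real creds
        Submission("10.1.1.10", "acme\\alice", "wrongpass"),    # own user, wrong pw
        Submission("10.1.1.10", "acme\\bob", "hunter2"),        # colleague's creds
        Submission("10.1.1.99", "acme\\carol", "x"),            # unmapped source IP
    ]
    for c in cases:
        print(f"{c.src_ip:12} {c.username:12} {evaluate(c)}")
```

The third case is the group mapping false positive the table warns about: Bob's username submitted from Alice's address is flagged by group mapping alone, while the IP-user and domain credential checks both require the username to match the user mapped to the source address. The second case shows the other direction: the domain credential filter is the only method that notices the password is not the corporate one.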