Block access to all known dangerous URL categories:
malware, phishing, dynamic-dns, unknown, command-and-control, extremism,
copyright-infringement, proxy-avoidance-and-anonymizers, newly-registered-domain, grayware,
corporate credential submissions to websites that are in allowed
To provide the best performance, the firewall does
not check credential submissions for trusted sites, even if you
enable the checks for the URL categories for these sites. The trusted
sites represent sites where Palo Alto Networks has not observed
any malicious or phishing attacks. Updates for this trusted sites
list are delivered through Application and Threat content updates.
For a list of App-IDs that are exempt from credential detection,
see Trusted App-IDs That Skip Credential
Submission Detection on live.paloaltonetworks.com.
Confirm that the format for the primary username is
the same as the username format that the User-ID source provides.
Use IP User Mapping—
for valid corporate username submissions and verifies that the login
username maps to the source IP address of the session. To do this,
the firewall matches the submitted username and source IP address
of the session against its IP-address-to-username mapping table.
To use this method, configure any of the user mapping methods listed
in Map IP Addresses to Users.
—Checks for valid username
submissions based on the user-to-group mapping table populated when
you configure the firewall to map users to groups.
group mapping, you can apply credential detection to any part of the
directory or for specific groups that have access to your most sensitive applications,
such as IT.
This method is prone
to false positives in environments that do not have uniquely structured
usernames. Because of this, you should only use this method to protect
your high-value user accounts.
Valid Username Detected Log Severity
firewall uses to log detection of corporate credential submissions.
By default, the firewall logs these events as medium severity.
Block (or alert) on credential submissions to allowed
For each Category to which
allowed, select how you want to treat
—Allow users to submit credentials
to the website, but generate a URL Filtering log each time a user submits
credentials to sites in this URL category.
—(default) Allow users to submit credentials
to the website.
—Block users from submitting credentials
to the website. When a user tries to submit credentials, the firewall
displays the anti-phishing block
page, preventing the submission.
—Present the anti-phishing continue
page to users when they attempt to submit credentials. Users
must select Continue on the response page to continue with the submission.
to save the URL Filtering profile.
Apply the URL Filtering profile with the credential detection settings
to your Security policy rules.
modify a Security policy rule.
tab, set the
Select the new or updated
to attach it to the Security policy rule.
to save the Security
Monitor credential submissions the firewall detects.
Hosts Visiting Malicious URLs
see the number of users who have visited malware and phishing sites.
column indicates events where the firewall
detected a HTTP post request that included a valid credential:
display this column, hover over any column header and click the
arrow to select the columns you’d like to display.
details also indicate credential submissions:
Validate and troubleshoot credential submission detection.
Use the following CLI command to view credential detection statistics:
show user credential-filter statistics
output for this command varies depending on the method configured
for the firewall to detect credential submissions. For example,
if the Domain
Credential Filter method is configured in any URL Filtering
profile, a list of User-ID agents that have forwarded a bloom filter
to the firewall is displayed, along with the number of credentials
contained in the bloom filter.
) Use the following CLI command to view group mapping information,
including the number of URL Filtering profiles with Group Mapping
credential detection enabled and the usernames of group members
that have attempted to submit credentials to a restricted site.
) Use the following CLI command to see all Windows-based
User-ID agents that are sending mappings to the firewall:
show user user-id-agent state all
command output now displays bloom filter counts that include the number
of bloom filter updates the firewall has received from each agent,
if any bloom filter updates failed to process, and how many seconds
have passed since the last bloom filter update.