Set Up Credential Phishing Prevention
Focus
Focus
Advanced URL Filtering

Set Up Credential Phishing Prevention

Table of Contents

Set Up Credential Phishing Prevention

Detect attempts to submit corporate credentials to web pages and allow, alert, block, or require users to acknowledge the dangers of phishing before they can continue
Where can I use this?
What do I need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access
    usually include
    Advanced URL Filtering
    capabilities.
After you've decided which user credential detection method to configure, follow these steps to prevent successful credential phishing attacks.
Before enabling credential phishing prevention, verify that the Primary Username that you configure on the firewall uses the sAMAccountName attribute. Credential phishing prevention does not support alternate attributes.

Cloud Managed

Follow these steps to configure credential phishing prevention for Cloud Managed Prisma Access.
If you’re using Panorama to manage
Prisma Access
:
Toggle over to the
PAN-OS & Panorama
tab and follow the guidance there.
If you’re using
Strata Cloud Manager
, continue here.
  1. Configure the user credential detection method you want to use.
  2. Create a Decryption policy rule that decrypts the traffic you want to monitor for user credential submissions.
  3. Create or modify a URL Access Management Profile.
    1. Select
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      URL Access Management
      .
    2. Under URL Access Management Profiles, click
      Add Profile
      or select an existing profile.
  4. Configure the User Credential Detection settings.
    1. Under User Credential Detection, select a
      User Credential Detection
      method.
      • Use IP User Mapping
        —Checks for valid corporate username submissions and verifies that the login username maps to the source IP address of the session. To do this, Prisma Access matches the submitted username and source IP address of the session against its IP-address-to-username mapping table.
      • Use Domain Credential Filter
        —Checks for valid corporate username and password submissions and verifies that the username maps to the IP address of the logged-in user.
      • Use Group Mapping
        —Checks for valid username submissions based on the user-to-group mapping table populated when you map users to groups. You can apply credential detection to any part of the directory or for specific groups that have access to your most sensitive applications, such as IT.
        This method is prone to false positives in environments that do not have uniquely structured usernames. Because of this, you should only use this method to protect your high-value user accounts.
    2. For
      Valid Username Detected Log Severity
      , select the severity level that the firewall records in log when it detects corporate credential submissions:
      • high
      • (
        default
        )
        medium
      • low
  5. Configure the action taken when the firewall detects corporate credential submissions.
    1. Under Access Control, select an action for
      User Credential Submission
      for each URL category with its
      Site Access
      set to allow or alert.
      You can select from the following actions:
      • (
        Recommended
        )
        alert
        —Lets users submit credentials to websites in the given URL category but generates a URL Filtering log each time this happens.
      • (
        Default
        )
        allow
        –Lets users submit credentials to the website.
      • (
        Recommended
        )
        block
        —Prevents users from submitting credentials to websites in the given URL category. When a user tries to submit credentials, the firewall displays the anti-phishing block page.
      • continue
        —Presents the anti-phishing continue page to users when they attempt to submit credentials. Users must select Continue on the response page to proceed to the website.
    2. Save
      the profile.
  6. Apply the URL Access Management profile to your Security policy rules.
    1. Select
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Security Policy
      .
    2. Under Security Policy Rules, create or select a Security policy rule.
    3. Select
      Actions
      Profile Group
      , and then select a URL Access Management profile group.
    4. Save
      the rule.
  7. Click
    Push Config
    .

PAN-OS & Panorama

  1. Each of the methods to check for corporate credential submissions requires a different User-ID configuration:
  2. Configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
    1. Select
      Objects
      Security Profiles
      URL Filtering
      and
      Add
      or modify a URL Filtering profile.
    2. Block access to all known dangerous URL categories: malware, phishing, dynamic-dns, unknown, command-and-control, extremism, copyright-infringement, proxy-avoidance-and-anonymizers, newly-registered-domain, grayware, and parked.
  3. Create a Decryption policy rule that decrypts the traffic you want to monitor for user credential submissions.
  4. Detect corporate credential submissions to websites that are in allowed URL categories.
    To provide the best performance, the firewall does not check credential submissions for trusted sites, even if you enable the checks for the URL categories for these sites. The trusted sites represent sites where Palo Alto Networks has not observed any malicious or phishing attacks. Updates for this trusted sites list are delivered through Application and Threat content updates. For a list of App-IDs that are exempt from credential detection, see Trusted App-IDs That Skip Credential Submission Detection on live.paloaltonetworks.com.
    1. Select a URL Filtering profile (
      Objects
      Security Profiles
      URL Filtering
      ) to modify.
    2. Select
      User Credential Detection
      and choose one of the user credential detection methods.
      Confirm that the format for the primary username is the same as the username format that the User-ID source provides.
      • Use IP User Mapping—
        Checks for valid corporate username submissions and verifies that the login username maps to the source IP address of the session. To do this, the firewall matches the submitted username and source IP address of the session against its IP-address-to-username mapping table. To use this method, configure any of the user mapping methods listed in Map IP Addresses to Users.
      • Use Domain Credential Filter
        —Checks for valid corporate usernames and password submissions and verifies that the username maps to the IP address of the logged-in user. For instructions on how to set up this method, see Configure Credential Detection with the Windows-based User-ID Agent.
      • Use Group Mapping
        —Checks for valid username submissions based on the user-to-group mapping table populated when you configure the firewall to map users to groups.
        With group mapping, you can apply credential detection to any part of the directory or for specific groups that have access to your most sensitive applications, such as IT.
      This method is prone to false positives in environments that do not have uniquely structured usernames. Because of this, you should only use this method to protect your high-value user accounts.
    3. Set the
      Valid Username Detected Log Severity
      the firewall uses to log detection of corporate credential submissions. By default, the firewall logs these events as medium severity.
  5. Block (or alert) on credential submissions to allowed sites.
    1. Select
      Categories
      .
    2. For each Category to which
      Site Access
      is allowed, select how you want to treat
      User Credential Submissions
      :
      • alert
        —Allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this URL category.
      • allow
        —(default) Allow users to submit credentials to the website.
      • block
        —Block users from submitting credentials to the website. When a user tries to submit credentials, the firewall displays the anti-phishing block page, preventing the submission.
      • continue
        —Present the anti-phishing continue page to users when they attempt to submit credentials. Users must select Continue on the response page to continue with the submission.
    3. Select
      OK
      to save the URL Filtering profile.
  6. Apply the URL Filtering profile with the credential detection settings to your Security policy rules.
    1. Select
      Policies
      Security
      and
      Add
      or modify a Security policy rule.
    2. On the
      Actions
      tab, set the
      Profile Type
      to
      Profiles
      .
    3. Select the new or updated
      URL Filtering
      profile to attach it to the Security policy rule.
    4. Select
      OK
      to save the Security policy rule.
  7. Commit
    the configuration.
  8. Monitor credential submissions the firewall detects.
    Select
    ACC
    Hosts Visiting Malicious URLs
    to see the number of users who have visited malware and phishing sites.
    Select
    Monitor
    Logs
    URL Filtering
    .
    The new
    Credential Detected
    column indicates events where the firewall detected a HTTP post request that included a valid credential:
    To display this column, hover over any column header and click the arrow to select the columns you’d like to display.
    Log entry details also indicate credential submissions:
  9. Validate and troubleshoot credential submission detection.
    • Use the following CLI command to view credential detection statistics:
    >
    show user credential-filter statistics
    The output for this command varies depending on the method configured for the firewall to detect credential submissions. For example, if the Domain Credential Filter method is configured in any URL Filtering profile, a list of User-ID agents that have forwarded a bloom filter to the firewall is displayed, along with the number of credentials contained in the bloom filter.
    • (Group Mapping
      method only
      ) Use the following CLI command to view group mapping information, including the number of URL Filtering profiles with Group Mapping credential detection enabled and the usernames of group members that have attempted to submit credentials to a restricted site.
      >
      show user group-mapping statistics
    • (Domain Credential Filter
      method only
      ) Use the following CLI command to see all Windows-based User-ID agents that are sending mappings to the firewall:
      >
      show user user-id-agent state all
      The command output now displays bloom filter counts that include the number of bloom filter updates the firewall has received from each agent, if any bloom filter updates failed to process, and how many seconds have passed since the last bloom filter update.
    • (Domain Credential Filter
      method only
      ) The Windows-based User-ID agent displays log messages that reference BF (bloom filter) pushes to the firewall. In the User-ID agent interface, select
      Monitoring
      Logs
      .

Recommended For You