Next-Generation Firewall
User Credential Detection
Table of Contents
User Credential Detection
Select to
enable the firewall to detect when users submit corporate credentials.
Configure user credential detection so
that users can submit credentials only to sites in specified URL
categories, which reduces the attack surface by preventing credential
submission to sites in untrusted categories. If you block all the
URL categories in a URL Filtering profile for user credential submission,
you don’t need to check credentials.
The firewall uses one of three methods to detect valid credentials submitted to web pages. Each
method requires User-ID™, which enables the firewall to
compare username and password submissions to web pages against valid, corporate
credentials. Select one of these methods to then continue to prevent credential phishing
![]()
based on URL category.
You must configure the firewall to decrypt traffic that you
want to monitor for user credentials.
User Credential Detection Settings | Description |
|---|---|
IP User | This credential detection method checks
for valid username submissions. You can use this method to detect
credential submissions that include a valid corporate username (regardless
of the accompanying password). The firewall determines a username
match by verifying that the username matches the user logged in
the source IP address of the session. To use this method, the firewall
matches the submitted username against its IP-address-to-username
mapping table. To use this method you can use any of the user mapping
methods described in Map IP Addresses to Users. |
Group Mapping | The firewall determines if the username
a user submits to a restricted site matches any valid corporate
username. To do this, the firewall matches the submitted username
to the list of usernames in its user-to-group mapping table to detect
when users submit a corporate usernames to a site in a restricted
category. This method only checks for corporate username submissions based
on LDAP group membership, which makes it simple to configure, but
more prone to false positives. You must enable group mapping
|
Domain Credential | This credential detection method enables
the firewall to check for a valid corporate username and the associated
password. The firewall determines if the username and password a
user submits matches the same user’s corporate username and password. To do this, the firewall must able to match credential submissions to valid corporate usernames
and passwords and verify that the username submitted maps to the IP
address of the logged in user. This mode is supported only with the
Windows-based User-ID agent, and requires that the User-ID agent is
installed on a read-only domain controller (RODC) and equipped with
the User-ID Credential Service
Add-on. To use this method, you must also enable User-ID
to map IP addresses to users
using any of the supported user mapping methods, including
Authentication Policy, Authentication Portal, and
GlobalProtect.™ See Prevent Credential
Phishing
|
Valid Username Detected Log Severity | Set the severity for logs that indicate
the firewall detected a valid username submission to a website. This
log severity is associated with events where a valid username is
submitted to websites with credential submission permissions to
alert, block or continue. Logs that record when a user submits a
valid username to a website for which credential submissions are
allowed have a severity of informational. Select Categories to
review or adjust the URL categories to which credential submissions
are allowed and blocked. Set the log
severity to medium or stronger. |