User Credential Detection
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device Setup Ace
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
User Credential Detection
Select ObjectsSecurity ProfilesURL FilteringUser Credential Detection to
enable the firewall to detect when users submit corporate credentials.
Configure user credential detection so
that users can submit credentials only to sites in specified URL categories,
which reduces the attack surface by preventing credential submission
to sites in untrusted categories. If you block all the URL categories
in a URL Filtering profile for user credential submission, you don’t
need to check credentials.
The firewall uses one of three methods to detect valid credentials
submitted to web pages. Each method requires User-ID™, which enables
the firewall to compare username and password submissions to web
pages against valid, corporate credentials. Select one of these
methods to then continue to prevent credential phishing
based on URL category.
You must configure the firewall to decrypt traffic that you
want to monitor for user credentials.
User Credential Detection Settings | Description |
---|---|
IP User | This credential detection method checks
for valid username submissions. You can use this method to detect
credential submissions that include a valid corporate username (regardless
of the accompanying password). The firewall determines a username
match by verifying that the username matches the user logged in
the source IP address of the session. To use this method, the firewall
matches the submitted username against its IP-address-to-username
mapping table. To use this method you can use any of the user mapping
methods described in Map IP Addresses to Users. |
Group Mapping | The firewall determines if the username
a user submits to a restricted site matches any valid corporate
username. To do this, the firewall matches the submitted username
to the list of usernames in its user-to-group mapping table to detect
when users submit a corporate usernames to a site in a restricted
category. This method only checks for corporate username submissions based
on LDAP group membership, which makes it simple to configure, but
more prone to false positives. You must enable group mapping |
Domain Credential | This credential detection method enables
the firewall to check for a valid corporate username and the associated
password. The firewall determines if the username and password a
user submits matches the same user’s corporate username and password. To
do this, the firewall must able to match credential submissions to
valid corporate usernames and passwords and verify that the username
submitted maps to the IP address of the logged in user. This mode
is supported only with the Windows-based User-ID agent, and requires
that the User-ID agent is installed on a read-only domain controller
(RODC) and equipped with the User-ID Credential Service Add-on.
To use this method, you must also enable User-ID to map IP addresses to users using
any of the supported user mapping methods, including Authentication
Policy, Authentication Portal, and GlobalProtect.™ See Prevent Credential Phishing |
Valid Username Detected Log Severity | Set the severity for logs that indicate
the firewall detected a valid username submission to a website. This
log severity is associated with events where a valid username is
submitted to websites with credential submission permissions to
alert, block or continue. Logs that record when a user submits a
valid username to a website for which credential submissions are
allowed have a severity of informational. Select Categories to
review or adjust the URL categories to which credential submissions
are allowed and blocked. Set the log
severity to medium or stronger. |