: User Credential Detection
Focus
Focus

User Credential Detection

Table of Contents

User Credential Detection

Select ObjectsSecurity ProfilesURL FilteringUser Credential Detection to enable the firewall to detect when users submit corporate credentials.
Configure user credential detection so that users can submit credentials only to sites in specified URL categories, which reduces the attack surface by preventing credential submission to sites in untrusted categories. If you block all the URL categories in a URL Filtering profile for user credential submission, you don’t need to check credentials.
The firewall uses one of three methods to detect valid credentials submitted to web pages. Each method requires User-ID™, which enables the firewall to compare username and password submissions to web pages against valid, corporate credentials. Select one of these methods to then continue to prevent credential phishing
based on URL category.
You must configure the firewall to decrypt traffic that you want to monitor for user credentials.
User Credential Detection Settings
Description
IP User
This credential detection method checks for valid username submissions. You can use this method to detect credential submissions that include a valid corporate username (regardless of the accompanying password). The firewall determines a username match by verifying that the username matches the user logged in the source IP address of the session. To use this method, the firewall matches the submitted username against its IP-address-to-username mapping table. To use this method you can use any of the user mapping methods described in Map IP Addresses to Users.
Group Mapping
The firewall determines if the username a user submits to a restricted site matches any valid corporate username. To do this, the firewall matches the submitted username to the list of usernames in its user-to-group mapping table to detect when users submit a corporate usernames to a site in a restricted category.
This method only checks for corporate username submissions based on LDAP group membership, which makes it simple to configure, but more prone to false positives. You must enable group mapping
to use this method.
Domain Credential
This credential detection method enables the firewall to check for a valid corporate username and the associated password. The firewall determines if the username and password a user submits matches the same user’s corporate username and password.
To do this, the firewall must able to match credential submissions to valid corporate usernames and passwords and verify that the username submitted maps to the IP address of the logged in user. This mode is supported only with the Windows-based User-ID agent, and requires that the User-ID agent is installed on a read-only domain controller (RODC) and equipped with the User-ID Credential Service Add-on. To use this method, you must also enable User-ID to map IP addresses to users using any of the supported user mapping methods, including Authentication Policy, Authentication Portal, and GlobalProtect.™
See Prevent Credential Phishing
for details on each of the methods the firewall can use to check for valid corporate credential submissions, and for steps to enable phishing prevention.
Valid Username Detected Log Severity
Set the severity for logs that indicate the firewall detected a valid username submission to a website.
This log severity is associated with events where a valid username is submitted to websites with credential submission permissions to alert, block or continue. Logs that record when a user submits a valid username to a website for which credential submissions are allowed have a severity of informational. Select Categories to review or adjust the URL categories to which credential submissions are allowed and blocked.
Set the log severity to medium or stronger.