User Credential Detection
Table of Contents
User Credential Detection
Select to enable the firewall to detect when users submit corporate
credentials.
Configure user credential detection so that users can submit
credentials only to sites in specified URL categories, which reduces the attack
surface by preventing credential submission to sites in untrusted categories. If you
block all the URL categories in a URL Filtering profile for user credential
submission, you don’t need to check credentials.
The firewall uses one of three methods to detect valid credentials submitted to web
pages. Each method requires User-ID™, which enables the firewall to
compare username and password submissions to web pages against valid, corporate
credentials. Select one of these methods to then continue to prevent credential phishing
![]()
based on URL category.
You must configure the firewall to decrypt traffic that you want to monitor for
user credentials.
User Credential Detection
Settings | Description |
|---|---|
IP User | This credential detection method checks for valid
username submissions. You can use this method to detect credential
submissions that include a valid corporate username (regardless of
the accompanying password). The firewall determines a username match
by verifying that the username matches the user logged in the source
IP address of the session. To use this method, the firewall matches
the submitted username against its IP-address-to-username mapping
table. To use this method you can use any of the user mapping
methods described in Map IP Addresses to
Users. |
Group Mapping | The firewall determines if the username a user submits
to a restricted site matches any valid corporate username. To do
this, the firewall matches the submitted username to the list of
usernames in its user-to-group mapping table to detect when users
submit a corporate usernames to a site in a restricted
category. This method only checks for corporate username
submissions based on LDAP group membership, which makes it simple to
configure, but more prone to false positives. You must enable group mapping
|
Domain Credential | This credential detection method enables the firewall
to check for a valid corporate username and the associated password.
The firewall determines if the username and password a user submits
matches the same user’s corporate username and password. To do
this, the firewall must able to match credential submissions to
valid corporate usernames and passwords and verify that the username
submitted maps to the IP address of the logged in user. This mode is
supported only with the Windows-based User-ID agent, and requires
that the User-ID agent is installed on a read-only domain controller
(RODC) and equipped with the User-ID Credential Service
Add-on. To use this method, you must also enable User-ID
to map IP addresses to users
using any of the supported user mapping methods, including
Authentication Policy, Authentication Portal, and
GlobalProtect.™ See Prevent Credential
Phishing
|
Valid Username Detected Log Severity | Set the severity for logs that indicate the firewall
detected a valid username submission to a website. This log
severity is associated with events where a valid username is
submitted to websites with credential submission permissions to
alert, block or continue. Logs that record when a user submits a
valid username to a website for which credential submissions are
allowed have a severity of informational. Select
Categories to review or adjust the URL
categories to which credential submissions are allowed and
blocked. Set the log severity to medium
or stronger. |