1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Threat Prevention
    5. Prevent Credential Phishing
    6. Methods to Check for Corporate Credential Submissions

    Methods to Check for Corporate Credential Submissions

    Before you Set Up Credential Phishing Prevention, decide which method you want the firewall to use to check if credentials submitted to a web page are valid, corporate credentials.
    Method to Check Submitted Credentials
    User-ID Configuration Requirements
    How does this method detect corporate usernames and/or passwords as users submit them to websites?
    Group Mapping
    Group Mapping configuration on the firewall
    The firewall determines if the username a user submits to a restricted site matches any valid corporate username.
    To do this, the firewall matches the submitted username to the list of usernames in its user-to-group mapping table to detect when users submit a corporate usernames to a site in a restricted category.
    This method only checks for corporate username submissions based on LDAP group membership, which makes it simple to configure, but more prone to false positives.
    IP User Mapping
    IP-address-to- username mappings identified through User Mapping, GlobalProtect, or Authentication Policy and Captive Portal.
    The firewall determines if the username a user submits to a restricted site maps to the IP address of the logged-in user.
    To do this, the firewall matches the IP address of the logged in user and the username submitted to a web site to its IP-address-to-user mapping table to detect when users submit their corporate usernames to a site in a restricted category.
    Because this method matches the IP address of the logged-in user associated with the session against the IP-address-to-username mapping table, it is an effective method for detecting corporate username submissions, but it does not detect corporate password submission. If you want to detect corporate username and password submission, you must use the Domain Credential Filter method.
    Domain Credential Filter
    Windows-based User-ID agent configured with the User-ID credential service add-on
    - AND -
    IP-address-to- username mappings identified through User Mapping, GlobalProtect, or Authentication Policy and Captive Portal.
    The firewall determines if the username and password a user submits matches the same user’s corporate username and password.
    To do this, the firewall must able to match credential submissions to valid corporate usernames and passwords and verify that the username submitted maps to the IP address of the logged in user as follows:
    • To detect corporate usernames and passwords—The firewall retrieves a secure bit mask, called a bloom filter, from a Windows-based User-ID agent equipped with the User-ID credential service add-on. This add-on service scans your directory for usernames and password hashes and deconstructs them into a secure bit mask—the bloom filter—and delivers it to the Windows agent. The firewall retrieves the bloom filter from the Windows agent at regular intervals and, whenever it detects a user submitting credentials to a restricted category, it reconstructs the bloom filter and looks for a matching username and password hash. The firewall can only connect to one Windows-based User-ID agent running the User-ID credential service add-on.
    • To verify that the credentials belong to the logged-in user—The firewall looks for a mapping between the IP address of the logged-in user and the detected username in its IP-address-to-username mapping table.
    To learn more how the domain credential method works, and the requirements for enabling this type of detection, see Configure Credential Detection with the Windows-based User-ID Agent.

    Related Documentation

    User Credential Detection

    User Credential Detection Select Objects Security Profiles URL Filtering User Credential Detection to enable the firewall to detect when users submit corporate credentials. Configure user ...

    Set Up Credential Phishing Prevention

    Set Up Credential Phishing Prevention After you have decided which of the Methods to Check for Corporate Credential Submissions you want to use, take the ...

    Configure Credential Detection with the Windows-based User-...

    Configure Credential Detection with the Windows-based User-ID Agent Domain Credential Filter detection enables the firewall to detect passwords submitted to web pages. This credential detection ...

    Prevent Credential Phishing

    Prevent Credential Phishing Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the credentials that provide ...

    Configure URL Filtering

    Configure URL Filtering After you Determine URL Filtering Policy Requirements , you should have a basic understanding of what types of websites and website categories ...

    Configure the Windows-Based User-ID Agent for User Mapping

    Configure the Windows-Based User-ID Agent for User Mapping The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network—for ...

    Enable Policy for Users with Multiple Accounts

    Enable Policy for Users with Multiple Accounts If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with ...

    URL Filtering Response Pages

    URL Filtering Response Pages The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in ...

    Install the Windows-Based User-ID Agent

    Install the Windows-Based User-ID Agent The following procedure shows how to install the User-ID agent on a member server in the domain and set up ...

    Addressed Issues

    Want to know if there are any addressed issues related to the Windows User-ID™ agent 8.1 release? ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo