User Credential Detection
Select Objects > Security Profiles > URL Filtering > User Credential Detection to enable the firewall to detect when users submit corporate credentials.
Configure user credential detection so that users can submit credentials only to sites in specified URL categories, which reduces the attack surface by preventing credential submission to sites in untrusted categories. If you block all the URL categories in a URL Filtering profile for user credential submission, you don’t need to check credentials.
The firewall uses one of three methods to detect valid credentials submitted to web pages. Each method requires User-ID™, which enables the firewall to compare username and password submissions to web pages against valid corporate credentials. Select one of these methods, then continue to Prevent Credential Phishing based on URL category.
User Credential Detection Settings
This credential detection method checks for valid username submissions. You can use this method to detect credential submissions that include a valid corporate username (regardless of the accompanying password). The firewall determines a username match by verifying that the submitted username matches the user logged in at the source IP address of the session; to do this, it matches the submitted username against its IP-address-to-username mapping table. To use this method, you can use any of the user mapping methods described in Map IP Addresses to Users.
The firewall determines if the username a user submits to a restricted site matches any valid corporate username. To do this, the firewall matches the submitted username to the list of usernames in its user-to-group mapping table to detect when users submit a corporate username to a site in a restricted category.
This method only checks for corporate username submissions based on LDAP group membership, which makes it simple to configure, but more prone to false positives. You must enable group mapping to use this method.
This credential detection method enables the firewall to check for a valid corporate username and the associated password. The firewall determines if the username and password a user submits match the same user’s corporate username and password.
To do this, the firewall must be able to match credential submissions to valid corporate usernames and passwords and verify that the username submitted maps to the IP address of the logged-in user. This mode is supported only with the Windows-based User-ID agent, and requires that the User-ID agent is installed on a read-only domain controller (RODC) and equipped with the User-ID Credential Service Add-on. To use this method, you must also enable User-ID to Map IP Addresses to Users using any of the supported user mapping methods, including Authentication Policy and Captive Portal and GlobalProtect™.
See Prevent Credential Phishing for details on each of the methods the firewall can use to check for valid corporate credential submissions, and for steps to enable phishing prevention.
Valid Username Detected Log Severity
Set the severity for logs that indicate the firewall detected a valid username submission to a website.
This log severity is associated with events where a valid username is submitted to websites with credential submission permissions to alert, block or continue. Logs that record when a user submits a valid username to a website for which credential submissions are allowed have a severity of informational. Select Categories to review or adjust the URL categories to which credential submissions are allowed and blocked.
Set the log severity to medium or stronger.
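The following is an added illustration, not Palo Alto Networks code: a small Python model of the three detection methods described above, run against constructed submissions to show where the username-only methods flag a submission that the username-and-password method does not. The method names ("ip-user", "group", "domain-credential"), the tables, the hash-based password check and the username normalization are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample tables standing in for the firewall's User-ID data.
IP_TO_USER = {"10.1.1.20": "acme\\jdoe", "10.1.1.21": "acme\\asmith"}
GROUP_USERS = {"jdoe", "asmith", "admin"}  # user-to-group mapping table

def cred_hash(user, password):
    # Assumption: a plain hash lookup models the password check; the real
    # User-ID agent mechanism is not described on this page.
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

DOMAIN_CREDS = {cred_hash("jdoe", "Winter2024!"), cred_hash("asmith", "c0rrect-horse")}
# Per-category credential submission permission (constructed policy).
CATEGORY_ACTION = {"business": "allow", "social": "alert", "unknown": "block"}

@dataclass
class Submission:
    src_ip: str
    username: str
    password: str
    category: str

def short(name):
    # Assumed normalization: drop a DOMAIN\ prefix or @domain suffix.
    return name.split("\\")[-1].split("@")[0].lower()

def detected(method, s):
    user = short(s.username)
    mapped = short(IP_TO_USER.get(s.src_ip, ""))  # user logged in at source IP
    if method == "ip-user":            # username only, tied to the source IP
        return bool(mapped) and user == mapped
    if method == "group":              # username only, any corporate user
        return user in GROUP_USERS
    if method == "domain-credential":  # username + password + source IP
        return (bool(mapped) and user == mapped
                and cred_hash(user, s.password) in DOMAIN_CREDS)
    raise ValueError(f"unknown method: {method}")

def verdict(method, s):
    # The category's permission applies only when a credential is detected.
    return CATEGORY_ACTION.get(s.category, "allow") if detected(method, s) else "allow"

def compare(s):
    return {m: verdict(m, s) for m in ("ip-user", "group", "domain-credential")}
```

Calling compare() on a submission that reuses a corporate username with a non-corporate password shows the two username-only methods acting on it while the username-and-password method lets it through.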