Credential Phishing Prevention Overview

Understanding credential phishing prevention is key for managing security policies effectively.

Requires an Advanced URL Filtering license (or supported legacy license).
Prisma Access licenses include this capability.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama)	Advanced URL Filtering license (or a legacy URL filtering license) Notes: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported. Prisma Access licenses include Advanced URL Filtering capabilities.

Where Can I Use This?

What Do I Need?

Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
NGFW (Managed by Strata Cloud Manager)
NGFW (Managed by PAN-OS or Panorama)

Advanced URL Filtering license (or a legacy URL filtering license)

Notes:

Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
Prisma Access licenses include Advanced URL Filtering capabilities.

Phishing sites are sites that attackers disguise as legitimate websites with the intent to steal user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click a link and enter credentials to set a breach into motion.

You can detect and prevent in-progress phishing attacks, thereby preventing credential theft, by controlling sites to which users can submit corporate credentials based on the site’s URL category . This allows you to block users from submitting credentials to untrusted sites while allowing credential submissions to corporate and sanctioned sites.

Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow or block corporate credential submissions to based on the URL category of the website.

When a user attempts to submit credentials to a site in a category you have restricted, either a block response page prevents the user from submitting credentials or a continue page warns users against submitting credentials to sites in certain URL categories, but still allows them to continue with the submission. You can customize response pages to educate users against reusing corporate credentials, even on legitimate, non-phishing sites.

High-level flow of credential phishing prevention check.

Methods to Check for Corporate Credential Submissions

     Knowing the differences between detection methods and their requirements is crucial for configuration and troubleshooting.
    

Where can I use this?	What do I need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama)	Advanced URL Filtering license (or a legacy URL filtering license) Notes: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported. Prisma Access licenses include Advanced URL Filtering capabilities.

Where can I use this?

What do I need?

Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
NGFW (Managed by Strata Cloud Manager)
NGFW (Managed by PAN-OS or Panorama)

Advanced URL Filtering license (or a legacy URL filtering license)

Notes:

Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
Prisma Access licenses include Advanced URL Filtering capabilities.

Before you enable credential phishing prevention, decide which method you want to use to check if valid corporate credentials have been submitted to a web page.

Method to Check Submitted Credentials	User-ID Configuration Requirements	How does this method detect corporate usernames and/or passwords?
Group Mapping	Group Mapping configuration on the firewall	The firewall checks if the username submitted matches any valid corporate username in its user-to-group mapping table. This method only checks usernames based on LDAP group membership. Simple to configure, but prone to false positives (e.g., common usernames like 'admin'). Does not check passwords.
IP-User Mapping	IP address-to-username mappings via user mapping , GlobalProtect , or Authentication Policy/Portal	The firewall checks if the username submitted maps to the IP address of the known logged-in user. Effective for detecting corporate username submissions tied to the session's source IP, but does not detect corporate password submission .
Domain Credential Filter Prisma Access doesn't support this method.	Windows User-ID agent configured with the User-ID credential service add-on (on RODC). IP address-to-username mappings (as in IP-User Mapping method).	Checks if the submitted username AND password match the user’s corporate credentials. Username/Password Detection: Uses a bloom filter (secure bit mask of username/password hashes) retrieved from a dedicated Windows User-ID agent on an RODC. User Verification: Checks the submitted username against the IP-to-username mapping table (like IP-User Mapping) to ensure the credentials belong to the logged-in user. This is the most comprehensive method but requires specific infrastructure (Windows User-ID Agent on RODC).

Method to Check Submitted Credentials

User-ID Configuration Requirements

How does this method detect corporate usernames and/or passwords?

Group Mapping

Group Mapping configuration on the firewall

The firewall checks if the username submitted matches any valid corporate username in its user-to-group mapping table.

This method only checks usernames based on LDAP group membership. Simple to configure, but prone to false positives (e.g., common usernames like 'admin'). Does not check passwords.

IP-User Mapping

IP address-to-username mappings via user mapping , GlobalProtect , or Authentication Policy/Portal

The firewall checks if the username submitted maps to the IP address of the known logged-in user.

Effective for detecting corporate username submissions tied to the session's source IP, but does not detect corporate password submission .

Domain Credential Filter

Prisma Access doesn't support this method.

Windows User-ID agent configured with the User-ID credential service add-on (on RODC).
IP address-to-username mappings (as in IP-User Mapping method).

Checks if the submitted username AND password match the user’s corporate credentials.

Username/Password Detection: Uses a bloom filter (secure bit mask of username/password hashes) retrieved from a dedicated Windows User-ID agent on an RODC.
User Verification: Checks the submitted username against the IP-to-username mapping table (like IP-User Mapping) to ensure the credentials belong to the logged-in user.

This is the most comprehensive method but requires specific infrastructure (Windows User-ID Agent on RODC).

Configure Credential Detection with the Windows User-ID Agent

(Required for Domain Credential Filter Method)

Where can I use this?	What do I need?
NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama)	Advanced URL Filtering license (or a legacy URL filtering license) Windows User-ID Agent + User-ID Credential Service add-on Read-Only Domain Controller (RODC) Note: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.

Where can I use this?

What do I need?

NGFW (Managed by Strata Cloud Manager)
NGFW (Managed by PAN-OS or Panorama)

Advanced URL Filtering license (or a legacy URL filtering license)
Windows User-ID Agent + User-ID Credential Service add-on
Read-Only Domain Controller (RODC)

Note: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.

Domain Credential Filter detection enables the firewall to detect passwords submitted to web pages. This method requires the Windows User-ID agent and the User-ID credential service (an add-on) installed on a read-only domain controller (RODC) .

     The Domain Credential Filter detection method is supported with the Windows User-ID agent
     
      only
     
     . You cannot use the PAN-OS integrated User-ID agent for this method.

An RODC maintains a read-only copy of an Active Directory database. Installing the User-ID agent on an RODC is useful because:

Direct access to the writable domain controller directory is not required.
You can target credential detection for a limited set of users defined in the RODC's Password Replication Policy (PRP).
The main AD database remains secure on the writable domain controller.

     
      Best Practice:
     
     Deploy a separate Windows User-ID agent specifically for credential detection on the RODC. Do
     
      not
     
     use this agent for general IP-address-to-user mapping.

Bloom Filter Process:

The User-ID credential service runs on the RODC.
It scans the directory for usernames and password hashes of users defined in the RODC Password Replication Policy (PRP).
It deconstructs this data into a secure bit mask called a bloom filter .
The User-ID credential service forwards the bloom filter to the Windows User-ID agent (also on the RODC).
The firewall retrieves the latest bloom filter from this User-ID agent periodically.
When the firewall detects a credential submission to a restricted site, it checks the submitted username/password hash against the bloom filter.

The User-ID agent never stores or exposes password hashes directly, nor does it forward them to the firewall. Once hashes are in the bloom filter, they cannot be recovered.

Configuration Steps Summary:

Install and Configure User-ID Agent on RODC:
- Refer to the Compatibility Matrix for supported OS versions.
- Install both the User-ID Agent (`UaInstall-x.x.x-x.msi`) and the User-ID Agent Credential Service (`UaCredInstall64-x.x.x-x.msi`). Download from Palo Alto Networks Support Portal .
- Use a service account with privileges to read AD via LDAP and be a member of the local administrator group on the RODC. Ensure it can log on as the local system account. See Create a Dedicated Service Account .
- Review RODC Administration Best Practices .
Enable Information Sharing in User-ID Agent:
1. Launch the User-ID Agent on the RODC server.
2. Go to Setup , edit the Setup section.
3. Select the Credentials tab (visible only if the Credential Service is installed).
4. Check Import from User-ID Credential Agent .
5. Click OK, Save, and Commit the agent configuration.
Configure RODC Password Replication Policy (PRP):
- Define the group(s) of users for credential detection.
- Add these groups to the Allowed RODC Password Replication Group .
- Ensure these groups are not also in the Denied RODC Password Replication Group .
Proceed to Firewall Configuration: Continue to the next section to configure the firewall settings.

Set Up Credential Phishing Prevention (Firewall Configuration)

Where can I use this?	What do I need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama)	Advanced URL Filtering (or a legacy URL filtering license) Configured User-ID (method depends on chosen detection type) Decryption Policy (for HTTPS inspection) Notes: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported. Prisma Access licenses include Advanced URL Filtering capabilities.

Where can I use this?

What do I need?

Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
NGFW (Managed by Strata Cloud Manager)
NGFW (Managed by PAN-OS or Panorama)

Advanced URL Filtering (or a legacy URL filtering license)
Configured User-ID (method depends on chosen detection type)
Decryption Policy (for HTTPS inspection)

Notes:

Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
Prisma Access licenses include Advanced URL Filtering capabilities.

After deciding which user credential detection method to use and (if applicable) configuring the Windows User-ID agent , follow these steps on the firewall (PAN-OS/Panorama or Strata Cloud Manager).

Prerequisite: Verify that the Primary Username configured on the firewall (Device > User Identification > Group Mapping Settings > User and Group Attributes) uses the


       sAMAccountName

attribute. Credential phishing prevention does not support alternate attributes for the primary username check.

Firewall Configuration Steps (PAN-OS / Panorama Example):

Enable User-ID: Ensure User-ID is enabled and configured according to the chosen detection method:
- Group Mapping: Requires mapping users to groups .
- IP User Mapping: Requires mapping IP addresses to users (via Agent, Agentless, GlobalProtect, Auth Policy, etc.).
- Domain Credential Filter: Requires Windows User-ID Agent connection (configured on RODC) AND mapping IP addresses to users .
Configure URL Filtering Profile:
1. Go to Objects > Security Profiles > URL Filtering . Add or modify a profile.
2. (Best Practice) Block Dangerous Categories: Under the Categories tab, set Site Access to block for categories like: malware , phishing , dynamic-dns , unknown , command-and-control , extremism , copyright-infringement , proxy-avoidance-and-anonymizers , newly-registered-domain , grayware , and parked .
3. Enable User Credential Detection:
  - Select the Settings tab (or similar location depending on PAN-OS version/management interface). Find the User Credential Detection section.
  - Choose the desired Mode (detection method):
    - IP User Mapping
    - Domain Credential Filter (Requires configuring the User-ID Agent connection under Device > User Identification > User-ID Agents and selecting it here).
    - Group Mapping (Requires selecting the relevant Group Mapping profile).
    Remember the requirements and limitations of each mode!
  - Set the Valid Username Detected Log Severity (default is medium).
4. Configure Actions for Allowed Categories:
  - Go back to the Categories tab.
  - For each category where Site Access is set to allow or alert , choose an action for User Credential Submission :
    - alert : Log the submission but allow it.
    - allow : (Default) Allow submission without specific logging beyond normal traffic logs.
    - block : Prevent submission and display the anti-phishing block page. (Recommended for untrusted/risky categories like Social Networking, Webmail, etc.)
    - continue : Display the anti-phishing continue page; user must click 'Continue' to submit. Logs the event.
    Apply stricter actions ( block or continue ) to categories where users should generally not be entering corporate credentials.
5. Click OK to save the URL Filtering profile.
Note on Trusted Sites: The firewall maintains a list of "trusted" sites (updated via content updates) where credential checks are skipped for performance, even if checks are enabled for the category. Palo Alto Networks has not observed malicious activity on these sites.
Create/Modify Decryption Policy:
Credential detection requires visibility into the HTTP POST data containing the username/password. Therefore, you must decrypt HTTPS traffic for the sites you want to monitor. Create a Decryption policy rule targeting the relevant source/destination zones, users, and services, setting the action to Decrypt .
Apply Profile to Security Policy:
1. Go to Policies > Security . Add or modify a rule that allows the relevant web traffic (e.g., outbound web access).
2. On the Actions tab:
  - Ensure Action is Allow .
  - Set Profile Type to Profiles .
  - In the URL Filtering dropdown, select the profile you configured.
3. Click OK to save the rule.
Commit Configuration: Commit the changes to the firewall/Panorama.

Monitor and Validate Credential Submissions

After configuration, monitor logs and use CLI commands to verify functionality.

Monitoring Logs:

ACC (Application Command Center): Check widgets like Hosts Visiting Malicious URLs for context on phishing/malware site visits.
URL Filtering Logs ( Monitor > Logs > URL Filtering ):
- Look for the Credential Detected column (add it if not visible). A 'Yes' indicates a potential corporate credential submission was detected in the HTTP POST based on the configured method.
- Log entry details will also show "Credential Detected: yes".
- Filter by Action: credential-phishing (for block/continue actions) or check logs where Action is alert or allow but Credential Detected is 'Yes'.

Validation and Troubleshooting (CLI):

     Familiarity with these CLI commands is useful for troubleshooting and verifying User-ID and credential detection status.
    

General Credential Filter Statistics:
> show user credential-filter statistics
Output varies by detection method. For Domain Credential Filter, shows connected User-ID agents providing bloom filters and credential counts.
Group Mapping Statistics (Group Mapping method only):
> show user group-mapping statistics
Shows profiles using Group Mapping detection and usernames detected during submissions.
User-ID Agent State (Especially for Domain Credential Filter):
> show user user-id-agent state all
Check the status of connected Windows User-ID agents. For agents providing bloom filters, look for bloom filter counts (updates received, failures, time since last update).
Windows User-ID Agent Logs (Domain Credential Filter method only):

On the Windows server hosting the User-ID agent, check the agent's logs ( Monitoring > Logs in the agent GUI). Look for messages related to BF (bloom filter) pushes to the firewall.

Credential Phishing Prevention Quiz

Test your understanding of the concepts covered.

1. What is the primary purpose of Credential Phishing Prevention?

To block access to all social media websites. To prevent the theft of corporate credentials submitted to potentially malicious or inappropriate websites. To decrypt all user web traffic. To map IP addresses to usernames for reporting.

2. Which license is typically required to use Credential Phishing Prevention?

Threat Prevention GlobalProtect Advanced URL Filtering (or supported legacy URL Filtering) WildFire

3. Which of the following platforms support Credential Phishing Prevention (assuming appropriate licenses)?

NGFW (PAN-OS/Panorama managed) only Prisma Access only NGFW (PAN-OS/Panorama/Strata Cloud Manager managed) and Prisma Access Strata Cloud Manager managed devices only

4. What are the three methods available for checking corporate credential submissions?

LDAP, RADIUS, Kerberos Group Mapping, IP-User Mapping, Domain Credential Filter User-ID Agent, Authentication Portal, GlobalProtect Block, Alert, Continue

5. Which credential detection method checks submitted usernames against the firewall's user-to-group mapping table only?

IP-User Mapping Domain Credential Filter Group Mapping Bloom Filter

6. What is a noted potential downside of the Group Mapping detection method?

It requires an RODC. It is prone to false positives, especially with common usernames. It checks passwords, increasing overhead. It only works with Prisma Access.

7. Which method verifies that the submitted username matches the user associated with the source IP address of the session?

IP-User Mapping Domain Credential Filter Group Mapping URL Category Filtering

8. Which credential detection method is capable of detecting both corporate username AND password submissions?

IP-User Mapping Domain Credential Filter Group Mapping All three methods check passwords

9. What specific infrastructure component is REQUIRED to use the Domain Credential Filter method?

PAN-OS Integrated User-ID agent Linux-based User-ID agent Windows User-ID agent with Credential Service add-on, installed on an RODC Prisma Access

10. What does RODC stand for in the context of the Domain Credential Filter?

Remote Office Domain Controller Read-Only Domain Controller Redundant Online Domain Controller Restricted Object Domain Controller

11. What is the name of the secure data structure containing obfuscated username and password hash information used by the Domain Credential Filter?

Hash Table Lookup List Bloom Filter Encrypted Database

12. Does Prisma Access support the Domain Credential Filter method for credential detection?

Yes, fully supported. No, Prisma Access does not support this method. Yes, but only with specific configurations. It is planned for future support.

13. What Active Directory attribute MUST be used for the 'Primary Username' configuration on the firewall for credential phishing prevention to work correctly?

userPrincipalName sAMAccountName displayName mail

14. Is traffic decryption generally required for effective credential phishing prevention?

Yes, to inspect credentials submitted over HTTPS. No, the firewall can inspect encrypted traffic. It is optional but recommended. Only for HTTP traffic, not HTTPS.

15. Which pair of URL categories is strongly recommended to have 'Site Access' set to 'block' as a best practice?

news, sports shopping, travel malware, phishing webmail, social-networking

16. What are the possible actions for 'User Credential Submission' within a URL Filtering profile for categories where 'Site Access' is allowed?

allow, block alert, continue alert, allow, block, continue override, block

17. What happens when the 'User Credential Submission' action is set to 'continue' for a URL category?

The submission is blocked, and an alert is logged. The submission is allowed silently without logging. A warning page is presented, and the user can choose to proceed with the submission; the attempt is logged. The user must re-authenticate before submitting.

18. Where on the firewall (PAN-OS/Panorama) do you select the credential detection *method* (e.g., IP User Mapping, Domain Credential Filter)?

Security Policy Rule > Actions Device > User Identification Objects > Security Profiles > URL Filtering > Settings (or User Credential Detection section) Objects > Decryption Profile

19. Where on the firewall (PAN-OS/Panorama) do you configure the *action* (block, alert, continue, allow) for credential submissions to specific URL categories?

Security Policy Rule > Actions Objects > Security Profiles > URL Filtering > Categories (User Credential Submission column) Device > Setup > Content-ID > URL Filtering Device > Response Pages

20. Which CLI command provides general statistics related to credential detection, including bloom filter information if Domain Credential Filter is used?

show user ip-user-mapping all show url-filtering statistics show log url show user credential-filter statistics