https://live.paloaltonetworks.com/t5/next-generation-firewall/prevent-credential-phishing-with-upn-userprincipalname/m-p/506986#M183 <P>Hi World,</P><P>&nbsp;</P><P>I'm have my first contact with this&nbsp;Prevent Credential Phishing feature. With the option "IP User", because UserID Mapping is already in place, i'm able to detect sAMAccountName Username submissions. But a lot of phishing sites are focused on the UPN, but the UPN username filed submission is not detected by the firewall.</P><P><SPAN class="">sAMAccountName</SPAN> is our primary Username in the group mapping settings and alternate Username 1 is the UPN.</P><P>&nbsp;</P><P>If possible how can we detect username fields submissions with UPN or <SPAN class="">sAMAccountName. Perhaps it is possible with Domain Credential Filter setting, but we do not have an RODC at the moment, but if it is the only option to cover both username types, the i'm also happy to know that.<BR /></SPAN></P><P>&nbsp;</P><P><SPAN class="">I hope somebody can help, the PAN documentation does not cover this topic.</SPAN></P><P>&nbsp;</P><P><SPAN class="">Kind regards</SPAN></P><P>&nbsp;</P> Wed, 29 Jun 2022 09:14:41 GMT fhu_omi 2022-06-29T09:14:41Z https://live.paloaltonetworks.com/t5/next-generation-firewall/prevent-credential-phishing-with-upn-userprincipalname/m-p/506986#M183 <P>Hi World,</P><P>&nbsp;</P><P>I'm have my first contact with this&nbsp;Prevent Credential Phishing feature. With the option "IP User", because UserID Mapping is already in place, i'm able to detect sAMAccountName Username submissions. But a lot of phishing sites are focused on the UPN, but the UPN username filed submission is not detected by the firewall.</P><P><SPAN class="">sAMAccountName</SPAN> is our primary Username in the group mapping settings and alternate Username 1 is the UPN.</P><P>&nbsp;</P><P>If possible how can we detect username fields submissions with UPN or <SPAN class="">sAMAccountName. Perhaps it is possible with Domain Credential Filter setting, but we do not have an RODC at the moment, but if it is the only option to cover both username types, the i'm also happy to know that.<BR /></SPAN></P><P>&nbsp;</P><P><SPAN class="">I hope somebody can help, the PAN documentation does not cover this topic.</SPAN></P><P>&nbsp;</P><P><SPAN class="">Kind regards</SPAN></P><P>&nbsp;</P> Wed, 29 Jun 2022 09:14:41 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/prevent-credential-phishing-with-upn-userprincipalname/m-p/506986#M183 fhu_omi 2022-06-29T09:14:41Z https://live.paloaltonetworks.com/t5/next-generation-firewall/prevent-credential-phishing-with-upn-userprincipalname/m-p/509638#M230 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/173884">@fhu_omi</a> ,</P> <P>Have you consider the option to create additional Group-Mapping profile with UPN as primary username.</P> <P>And configure Credential Protection with "User Group Mapping" setting.</P> Fri, 22 Jul 2022 16:49:44 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/prevent-credential-phishing-with-upn-userprincipalname/m-p/509638#M230 aleksandar.astardzhiev 2022-07-22T16:49:44Z https://live.paloaltonetworks.com/t5/next-generation-firewall/prevent-credential-phishing-with-upn-userprincipalname/m-p/511839#M273 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a> ,</P> <P>&nbsp;</P> <P>this does not work see kb <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0</A> is written: <STRONG style="box-sizing: border-box; font-weight: bold; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><SPAN>When multiple group-mappings are configured with same base dn or ldap server, each group-mapping must include non-overlapping groups i.e include group list must not have any common group.</SPAN></STRONG></P> <P>&nbsp;</P> <P>But for test purpose, you need to considering, that not every web serivce is protected by the user credential protection. If the traffic is classified as one of the following services, then user credential prevention does not pop in:</P> <P><A href="https://live.paloaltonetworks.com/t5/customer-resources/trusted-app-ids-that-skip-credential-submission-detection/ta-p/183595" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/customer-resources/trusted-app-ids-that-skip-credential-submission-detection/ta-p/183595</A></P> <P>&nbsp;</P> <P data-unlink="true">i test on facebook login site, which is protected by the pan user cred prevention. i have a UPN estuser1@testdomain.com and SAM testuser1.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">And PAN blocks as soon the string testuser1 is seen in a username field:</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">testuser1 -&gt; detected</P> <P data-unlink="true">testuser1@ -&gt; detected</P> <P data-unlink="true"><A href="mailto:testuser1@testdomain.com" target="_blank" rel="noopener">testuser1@testdomain.com</A> -&gt; detected</P> <P data-unlink="true"><A href="mailto:testuser1@blabla.com" target="_blank" rel="noopener">testuser1@blabla.com</A> -&gt; detected</P> <P data-unlink="true">testuser12 -&gt; not detected</P> <P data-unlink="true">testuser12@ -&gt; not detected</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">i looks like, the domain is not checked for this Group Mapping credential submit method.</P> <P>I need now to setup a RODC to check the behaviour with the Domain Credential Filter method.</P> <P>&nbsp;</P> <P>Kind regards</P> Mon, 15 Aug 2022 13:35:19 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/prevent-credential-phishing-with-upn-userprincipalname/m-p/511839#M273 fhu_omi 2022-08-15T13:35:19Z