https://live.paloaltonetworks.com/t5/general-topics/corporate-credential-submission-phishing-protection-in-panos-8-0/m-p/142333#M48525 <P>Good Morning,</P><P>&nbsp;</P><P>I'm lucky enough to work with a few early adopters and have PANOS8.0 running in several production locations on VM and 3000 series appliances.</P><P>&nbsp;</P><P>So far, business as usual with the "old" feature set....</P><P>&nbsp;</P><P>I've now setup Credential Protection on two of these sites, using the RODC method to spot username/password combos, rather than just username. The username only method seemed a little too wide a net to cast.</P><P>&nbsp;</P><P>Anyway, it's up and running, but I was hoping some others may be running it too so we could compare notes?</P><P>&nbsp;</P><P>My initial findings..</P><P>&nbsp;</P><P>1) Obviously needs SSL inspection setup and working for all the URL categories you want to inspect for credentials</P><P>2) RODC's aren't that complex, but read the notes about groups allowed to sync to the RODC, if they dont sync, it wont work!</P><P>3) RODC's seem limited to 1500 sets of cached credentials? Interested in thoughts on how to scale out with domains with many 1000's of users</P><P>4) For my testing I used a domain account and typed those credentials into a variety of locations, facebook, linkedin, salesforce, google, outlook.com, several random websites.</P><P>5) Every single one was captured by the firewall</P><P>6) The continue page seems to use https://IPADDRESSOFWEBSITE:PORT/SOMEOTHERSTUFF, which causes an untrusted certificate error for the user</P><P>7) Block and Alert work fine</P><P><span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span> in production (alert only) Had some false positives for google ads and some referal tracking links, checked with users who can be trusted and they are defintely NOT reusing corporate credetials.</P><P>9) Also had some false negatives in testing with the rest of the IT team, intentionally entering domain credentials into website and it doesnt catch them.</P><P>&nbsp;</P><P>So in summary, looks VERY promising, but perhaps a few rough edges or some best practice guidance for reducing false positives would be very useful. I dont feel comfortable putting into full production with block pages just yet, but it is providing some useful information.</P><P>&nbsp;</P><P>Over to you community!</P> Fri, 10 Feb 2017 10:57:03 GMT Dpeters1 2017-02-10T10:57:03Z https://live.paloaltonetworks.com/t5/general-topics/corporate-credential-submission-phishing-protection-in-panos-8-0/m-p/142333#M48525 <P>Good Morning,</P><P>&nbsp;</P><P>I'm lucky enough to work with a few early adopters and have PANOS8.0 running in several production locations on VM and 3000 series appliances.</P><P>&nbsp;</P><P>So far, business as usual with the "old" feature set....</P><P>&nbsp;</P><P>I've now setup Credential Protection on two of these sites, using the RODC method to spot username/password combos, rather than just username. The username only method seemed a little too wide a net to cast.</P><P>&nbsp;</P><P>Anyway, it's up and running, but I was hoping some others may be running it too so we could compare notes?</P><P>&nbsp;</P><P>My initial findings..</P><P>&nbsp;</P><P>1) Obviously needs SSL inspection setup and working for all the URL categories you want to inspect for credentials</P><P>2) RODC's aren't that complex, but read the notes about groups allowed to sync to the RODC, if they dont sync, it wont work!</P><P>3) RODC's seem limited to 1500 sets of cached credentials? Interested in thoughts on how to scale out with domains with many 1000's of users</P><P>4) For my testing I used a domain account and typed those credentials into a variety of locations, facebook, linkedin, salesforce, google, outlook.com, several random websites.</P><P>5) Every single one was captured by the firewall</P><P>6) The continue page seems to use https://IPADDRESSOFWEBSITE:PORT/SOMEOTHERSTUFF, which causes an untrusted certificate error for the user</P><P>7) Block and Alert work fine</P><P><span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span> in production (alert only) Had some false positives for google ads and some referal tracking links, checked with users who can be trusted and they are defintely NOT reusing corporate credetials.</P><P>9) Also had some false negatives in testing with the rest of the IT team, intentionally entering domain credentials into website and it doesnt catch them.</P><P>&nbsp;</P><P>So in summary, looks VERY promising, but perhaps a few rough edges or some best practice guidance for reducing false positives would be very useful. I dont feel comfortable putting into full production with block pages just yet, but it is providing some useful information.</P><P>&nbsp;</P><P>Over to you community!</P> Fri, 10 Feb 2017 10:57:03 GMT https://live.paloaltonetworks.com/t5/general-topics/corporate-credential-submission-phishing-protection-in-panos-8-0/m-p/142333#M48525 Dpeters1 2017-02-10T10:57:03Z https://live.paloaltonetworks.com/t5/general-topics/corporate-credential-submission-phishing-protection-in-panos-8-0/m-p/142413#M48539 <P>Good rundown!</P><P>&nbsp;</P><P>We've got a lab 200 that I hope to be standing up in the next week. &nbsp;So I am probably 2 weeks out before I have anything constructive to add.</P> Fri, 10 Feb 2017 17:05:34 GMT https://live.paloaltonetworks.com/t5/general-topics/corporate-credential-submission-phishing-protection-in-panos-8-0/m-p/142413#M48539 Brandon_Wertz 2017-02-10T17:05:34Z