Credential Phishing Protection troubleshooting

L1 Bithead

Credential Phishing Protection troubleshooting

Hey community,

Tearing my hair out here... I've set up an RODC in my environment and added a test group to the allowed password replication group. I've configured the User-ID and Credential agents on the RODC; they say connected to my firewall, and also successfully connect to the other DCs. I can see my user-to-IP mapping for my test account. On the firewall I've created a User-ID agent that shows connected as well.

However, show user credential-filter statistics shows zero entries, and I'm also seeing this in the User-ID logs:

UIA CredentialChecking error: credential enabled but no digest.

What am I missing here? Thanks for any advice!!

L4 Transporter

Re: Credential Phishing Protection troubleshooting

Dear @Laura_Penhallow

were you able to find a solution for your problem?

L1 Bithead

Re: Credential Phishing Protection troubleshooting

Hi Chacko42, 

I should have replied here when I solved this particular issue. For the benefit of others (I don't think this is documented anywhere yet), the versions of the Credential and User-ID agents have to be equal to or less than the PAN-OS version on the firewalls doing the checking.

thanks for pinging here and reminding me! :)
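The rule stated in that reply (agent release must not be newer than the firewall's PAN-OS release) is easy to get wrong by eye when agent builds carry a trailing build number like 8.1.5-6. The following is an added example, not code from the thread or from Palo Alto Networks: it parses the version strings quoted in this thread and flags any agent that is newer than the firewall. Only the three release fields are compared; treating the trailing build number as irrelevant, and accepting an optional "-h" hotfix form, are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Accepts "8.1.7", "8.0.10" and agent builds such as "8.1.5-6".
# The optional "-hN" hotfix form is an assumption, not something shown in the thread.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h?(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, build) for a PAN-OS or agent version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, build = m.groups()
    return int(major), int(minor), int(maint), int(build or 0)


def agent_compatible(agent_version: str, panos_version: str) -> bool:
    """Rule from the thread: the agent release must be <= the PAN-OS release of the
    firewall doing the credential checking. Only major.minor.maintenance are compared;
    ignoring the trailing build number is an assumption."""
    return parse_version(agent_version)[:3] <= parse_version(panos_version)[:3]


def check_agents(panos_version: str, agents: Dict[str, str]) -> List[str]:
    """Return the names of the agents whose release is newer than the firewall's."""
    return [name for name, ver in agents.items() if not agent_compatible(ver, panos_version)]


if __name__ == "__main__":
    # Versions quoted in the thread: PAN-OS 8.1.7, agents downgraded to 8.1.5-6.
    fw = "8.1.7"
    agents = {"User-ID agent": "8.1.5-6", "Credential agent": "8.1.5-6"}
    bad = check_agents(fw, agents)
    print("all agents compatible" if not bad else f"too new for PAN-OS {fw}: {bad}")
```

Run it with the PAN-OS version from the firewall and the versions shown in each agent's About dialog; any agent listed in the output needs to be walked down before chasing other causes.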

L3 Networker

Re: Credential Phishing Protection troubleshooting

Hi, found your post and wondered if you could point me in the right direction.

 

Trying to implement this as well in our environment.

I have built an RODC and installed both programs:

[screenshot: Software Updates]

Running PAN-OS version 8.1.7.

I am running into some problems though.

The User-ID agent runs as a service. At first it runs under the Local System account, but if you configure it to run with a dedicated account it wants to run the service with this account:

[screenshot: User-ID agent service configuration on the RODC (ADS04)]

Although the account is configured to run as a service in the Default Domain Policy, it throws an error when you start the service:

[screenshot: service start error on the RODC (ADS04)]

I have used the following instructions to set this up:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/prevent-credential-phish...

Are there any additional instructions that I need to follow to implement this correctly on an RODC (Server 2012 R2)?

 

Remko

 

 

L1 Bithead

Re: Credential Phishing Protection troubleshooting

Hey Remko,

 

Have you tried walking down your version at all? I'm not running 8.1 at the edge just yet, and I'm wondering if there are bugs in the 8.1 versions. I'm running 8.0.10 right now for both agents, but I'm interested to know if it's versioning, since I'm headed to 8.1 on the border firewalls really soon.

Let me know what you think.

Laura

L3 Networker

Re: Credential Phishing Protection troubleshooting

Hi Laura, thanks for your reply.

I have downgraded the client further to version 8.1.5-6.

It appears to be working correctly as long as it runs with the Local System account.

In the log I see a whole bunch of entries appearing:

[screenshot: User-ID agent log on the RODC (ADS04)]

When I edit the User Identification setup and save it, the service starts to run with the RODC_Service account.

This account has the correct privileges according to this article:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEuCAK

But the service fails to start when started with this new account:

06/04/19 11:19:03:448[Error 2382]: Start error -1!!
06/04/19 11:19:03:448[Error  764]: Device listening thread stops timeout!
06/04/19 11:19:45:694[ Info 2357]: ------------Service is being started------------
06/04/19 11:19:45:694[ Info 2364]: Os version is 6.2.0.
06/04/19 11:19:45:694[Error  675]: Cannot open config reg log key with error 5 (Access is denied.)

As said, as long as it runs with the system account there are green lights in the Palo Alto User-ID agent screen, so I will try to see whether I can get a block page when entering corporate credentials.

Still a bit confused how all this works but let's give it a try :-)

 

Remko

L3 Networker

Re: Credential Phishing Protection troubleshooting

Hmmm, 

Can't seem to get this to work. Whatever I try, the Palo Alto does not detect any user credential submission. I tried various websites and categories, setting URL credential submission to block.

But unfortunately, no luck whatsoever.

I think I am going to put this aside for a while and try some other time.

This is causing too much frustration :-)

 

Remko

L4 Transporter

Re: Credential Phishing Protection troubleshooting

@Indorama_Ventures Can you see any bloom filters if you have a look at the statistics of the User-ID agent on the firewall CLI?

L3 Networker

Re: Credential Phishing Protection troubleshooting

@Chacko42: Thanks for your reply. How would you check this via the command line? I did a quick Google search but was not able to find this. Can you advise?

L4 Transporter

Re: Credential Phishing Protection troubleshooting

show user user-id-agent state <your RODC agent>

There you should see hits at:

num of bloomfilter requests sent :
num of bloomfilter response received :

In the best case, the errors are low or non-existent.
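Reading those two counters together tells you which side of the exchange to chase: zero requests sent means the firewall is not asking, unanswered requests mean the agent is not replying, and errors point at the agent log. The following is an added example, not code from the thread or from Palo Alto Networks: it parses the counters out of captured `show user user-id-agent state` output and turns them into a verdict. The sample output is constructed; only the two "num of bloomfilter ..." counter names come from the reply above, while the agent header line and the error counter name are placeholders shaped like the real output and should be treated as assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `show user user-id-agent state <agent>` output. Only the two
# "num of bloomfilter ..." counters are quoted in the thread; the header line and the
# error counter name are placeholders (assumptions), shaped like the real output.
SAMPLE_NO_TRAFFIC = """\
Agent: RODC-agent (vsys: vsys1)
    num of bloomfilter requests sent      : 0
    num of bloomfilter response received  : 0
    num of bloomfilter errors             : 0
"""

SAMPLE_HEALTHY = """\
Agent: RODC-agent (vsys: vsys1)
    num of bloomfilter requests sent      : 412
    num of bloomfilter response received  : 412
    num of bloomfilter errors             : 0
"""

# Matches "num of <name> : <integer>" lines, tolerating the column padding.
_COUNTER_RE = re.compile(r"^\s*(num of [^:]+?)\s*:\s*(\d+)\s*$")


def parse_counters(output: str) -> Dict[str, int]:
    """Pull every 'num of ... : N' counter out of the captured CLI output."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def diagnose(counters: Dict[str, int]) -> Tuple[str, str]:
    """Map the bloom filter counters to the side of the exchange that is failing."""
    sent = counters.get("num of bloomfilter requests sent", 0)
    received = counters.get("num of bloomfilter response received", 0)
    errors = sum(v for k, v in counters.items() if "error" in k)
    if sent == 0:
        return ("no_requests",
                "the firewall has never queried this agent: check that credential "
                "detection is enabled in the URL Filtering profile applied to the "
                "traffic and that your test traffic actually matches that rule")
    if received < sent:
        return ("missing_responses",
                f"{sent - received} of {sent} requests unanswered: check agent "
                "connectivity and that the agent version is not newer than PAN-OS")
    if errors:
        return ("errors", f"{errors} bloom filter errors reported; inspect the agent log")
    return ("ok", f"{received} bloom filter responses received")


if __name__ == "__main__":
    for label, sample in (("no traffic", SAMPLE_NO_TRAFFIC), ("healthy", SAMPLE_HEALTHY)):
        status, detail = diagnose(parse_counters(sample))
        print(f"{label}: {status} - {detail}")
```

Paste the real CLI output in place of the constructed samples; the parser keys on the counter text, so extra lines in the real output are ignored.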
