Corporate Credential Submission / Phishing protection in PANOS 8.0

cancel
Showing results for 
Search instead for 
Did you mean: 

Corporate Credential Submission / Phishing protection in PANOS 8.0

L2 Linker

Good Morning,

 

I'm lucky enough to work with a few early adopters and have PANOS8.0 running in several production locations on VM and 3000 series appliances.

 

So far, business as usual with the "old" feature set....

 

I've now setup Credential Protection on two of these sites, using the RODC method to spot username/password combos, rather than just username. The username only method seemed a little too wide a net to cast.

 

Anyway, it's up and running, but I was hoping some others may be running it too so we could compare notes?

 

My initial findings..

 

1) Obviously needs SSL inspection setup and working for all the URL categories you want to inspect for credentials

2) RODC's aren't that complex, but read the notes about groups allowed to sync to the RODC, if they dont sync, it wont work!

3) RODC's seem limited to 1500 sets of cached credentials? Interested in thoughts on how to scale out with domains with many 1000's of users

4) For my testing I used a domain account and typed those credentials into a variety of locations, facebook, linkedin, salesforce, google, outlook.com, several random websites.

5) Every single one was captured by the firewall

6) The continue page seems to use https://IPADDRESSOFWEBSITE:PORT/SOMEOTHERSTUFF, which causes an untrusted certificate error for the user

7) Block and Alert work fine

😎 in production (alert only) Had some false positives for google ads and some referal tracking links, checked with users who can be trusted and they are defintely NOT reusing corporate credetials.

9) Also had some false negatives in testing with the rest of the IT team, intentionally entering domain credentials into website and it doesnt catch them.

 

So in summary, looks VERY promising, but perhaps a few rough edges or some best practice guidance for reducing false positives would be very useful. I dont feel comfortable putting into full production with block pages just yet, but it is providing some useful information.

 

Over to you community!

1 REPLY 1

Cyber Elite
Cyber Elite

Good rundown!

 

We've got a lab 200 that I hope to be standing up in the next week.  So I am probably 2 weeks out before I have anything constructive to add.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!