I'm have my first contact with this Prevent Credential Phishing feature. With the option "IP User", because UserID Mapping is already in place, i'm able to detect sAMAccountName Username submissions. But a lot of phishing sites are focused on the UPN, but the UPN username filed submission is not detected by the firewall.
sAMAccountName is our primary Username in the group mapping settings and alternate Username 1 is the UPN.
If possible how can we detect username fields submissions with UPN or sAMAccountName. Perhaps it is possible with Domain Credential Filter setting, but we do not have an RODC at the moment, but if it is the only option to cover both username types, the i'm also happy to know that.
I hope somebody can help, the PAN documentation does not cover this topic.
Hi @Astardzhiev ,
this does not work see kb https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFQCA0 is written: When multiple group-mappings are configured with same base dn or ldap server, each group-mapping must include non-overlapping groups i.e include group list must not have any common group.
But for test purpose, you need to considering, that not every web serivce is protected by the user credential protection. If the traffic is classified as one of the following services, then user credential prevention does not pop in:
i test on facebook login site, which is protected by the pan user cred prevention. i have a UPN email@example.com and SAM testuser1.
And PAN blocks as soon the string testuser1 is seen in a username field:
testuser1 -> detected
testuser1@ -> detected
firstname.lastname@example.org -> detected
email@example.com -> detected
testuser12 -> not detected
testuser12@ -> not detected
i looks like, the domain is not checked for this Group Mapping credential submit method.
I need now to setup a RODC to check the behaviour with the Domain Credential Filter method.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!