Credential Prevention "use Domain Credential Filter" is not working on some websites
Created On 08/11/22 03:22 AM - Last Modified 01/11/23 04:13 AM
Symptom
Domain credentials are not blocked by the firewall for some websites.
Environment
- Palo Alto Firewall
- PAN-OS 8.0 and above
- Credential Prevention set to "use Domain Credential Filter"
Cause
- The credentials in transit are encrypted between the client and the server using an encryption key sent by the server.
- For that reason, the firewall cannot detect the credentials and take remediation action.
- In the example below, the user Alice is accessing www.website.com.
- The website replies with an encryption key that the client uses to encrypt its credential.
- Alice then sends the encrypted information. It does not match the expected credentials from the Directory (bloom filter content).
Resolution
This is expected behaviour: the firewall needs to see the cleartext password in order to detect a potential credential leak.
Additional Information
- Bloom filters are compact data structures that provide a secure method to check whether an element is a member of a set of elements.
- The User-ID credential service forwards the bloom filter to the Windows User-ID agent.
- The firewall retrieves the latest bloom filter from the User-ID agent at regular intervals and uses it to detect username and password hash submissions.
- Depending on your settings, the firewall then blocks, alerts, or allows valid password submissions to web pages, or displays a response page warning users of the dangers of phishing while allowing them to continue with the submission.
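The following is an added illustration of the mechanism described in the Cause and Additional Information sections above; it is not PAN-OS or User-ID agent code, and the hashing scheme, the sample directory entries, the server key and the client-side "encryption" are all constructed for the example. It builds a bloom filter from directory credentials, shows that a cleartext submission of a valid credential is detected, and shows why a credential that the browser encrypted with a server-supplied key before submission does not match the filter, which is the behaviour this article explains.

```python
import hashlib
import hmac
from typing import Dict, Iterator


class BloomFilter:
    """Minimal bloom filter: k SHA-256-derived bit positions per element, m bits total.

    A lookup answers "possibly in the set" (rare false positives) or
    "definitely not in the set" (never a false negative), which is what lets
    the firewall hold a compact stand-in for directory credentials.
    """

    def __init__(self, m_bits: int = 1 << 16, k_hashes: int = 4) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item: bytes) -> Iterator[int]:
        # Derive k independent positions by prefixing a counter to the item.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, item: bytes) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


def credential_digest(username: str, password: str) -> bytes:
    # Constructed encoding for this example; the real product hashes credentials
    # its own way before they are loaded into the filter.
    return hashlib.sha256(username.lower().encode() + b"\x00" + password.encode()).digest()


def build_filter(directory: Dict[str, str]) -> BloomFilter:
    """Stand-in for the bloom filter the User-ID credential service would produce."""
    bf = BloomFilter()
    for user, password in directory.items():
        bf.add(credential_digest(user, password))
    return bf


def inspect_submission(bf: BloomFilter, username: str, password_field: str) -> bool:
    """What the firewall can do with a form submission it sees in cleartext:
    True means the submitted pair matches a directory credential."""
    return bf.might_contain(credential_digest(username, password_field))


def client_side_encrypt(password: str, server_key: bytes) -> str:
    """Constructed stand-in for a website whose JavaScript encrypts the password
    with a key the server sent before the form is submitted. The firewall only
    ever sees this output, never the cleartext password."""
    return hmac.new(server_key, password.encode(), hashlib.sha256).hexdigest()


def policy_action(detected: bool, mode: str) -> str:
    """Map a detection to the actions listed in the article for a valid submission."""
    if not detected:
        return "allow"
    actions = {
        "block": "block",
        "alert": "alert-and-allow",
        "continue": "response-page-then-continue",
        "allow": "allow",
    }
    return actions[mode]


# Constructed sample directory; these are not real accounts or passwords.
DIRECTORY = {"alice": "Winter2022!", "bob": "Sample#Pass9"}


if __name__ == "__main__":
    bf = build_filter(DIRECTORY)
    # Cleartext submission of a real directory credential: detected.
    print("cleartext match:", inspect_submission(bf, "alice", "Winter2022!"))
    # Same credential, but the site encrypted it with a server-sent key first:
    # the firewall cannot match it against the filter, as the article describes.
    enc = client_side_encrypt("Winter2022!", b"constructed-server-key")
    print("encrypted match:", inspect_submission(bf, "alice", enc))
    print("action in block mode:", policy_action(inspect_submission(bf, "alice", enc), "block"))
```

The negative result for the encrypted value is not a defect in the filter: the filter holds the cleartext-derived entry, and the bytes the browser submits no longer correspond to it, so "definitely not in the set" is the correct answer and no remediation action fires.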