
Credential Phishing Prevention

Whitelist

Remember, PAN-OS does not do credential phishing prevention for certain sites regardless of what you configure it to do.

The full list is here.

Logging

Remember, the logs for credential phishing prevention will be in the URL Filtering log. The following filter shows the credential-detected entries for one user:

( user.src eq 'domain\username' ) and ( flags has credential-detected )

Troubleshooting

You may find that you have to ensure the User-ID agent on the RODC does nothing but use the Credential agent (i.e. no User-ID log collecting) and that it runs as “local service account”.

New users need to have logged into the domain at least once before their passwords are sent to the RODC.

If you can't get password detection working, run the command show user user-id-agent state all | match Credential. If the result is Credential Enforcement Status : Enabled and Pending, then you have an error; it should say Credential Enforcement Status : In Sync.

On the RODC, check the log at C:\Program Files\Palo Alto Networks\User-ID Credential Agent\UaCredDebug.log and look for the phrase Unable to Extract Credentials.

Password Hash

Run the following on the main domain controller (dc1) to check that the credentials of “username surname” are being synced to the RODC (rodc1).

repadmin /rodcpwdrepl rodc1 dc1 "cn=username surname,ou=users,ou=somefolder,dc=mydomain,dc=local"

Run the following command on the RODC to show the list of accounts that have their credentials cached on the RODC.

repadmin /prp view rodc1 reveal

You can check the bloom filter status here: show user user-id-agent state all | match bloom

When using Use IP User Mapping or Use Group Mapping, PANOS doesn't care what password is used. It also doesn't care about the format of the username: you can use a standalone username or an email address. If you use an email address, PANOS ignores the @ symbol and everything after it, e.g. it will detect and block (if configured to) the username corporate_username@gmail.com because it matches corporate_username.

If using Use IP User Mapping, PANOS will only block credentials submitted by a particular user that belong to that same user (the one User-ID has mapped to the source IP), e.g. if Alice uses Bob's username when logging into a website, it will bypass credential theft protection.
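The following is an added example, not PAN-OS code and not part of the original page: a small model of the two username-matching rules above (e-mail addresses reduced to the part before the @, and IP User Mapping only matching the user mapped to the source IP) together with the URL Filtering log filter from the Logging section, run over constructed submissions. The domain name corp, the IP-to-user map, the user list, the URLs and the key=value log layout are assumptions made for illustration.

```python
"""Added example, not Palo Alto Networks code: models the two username-matching
rules described above and the URL Filtering log filter given in the Logging
section, using constructed sample data. Domain name, IP-to-user map, user list
and the log record layout are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

DOMAIN = "corp"  # assumed NetBIOS domain shown in the user.src field


def normalize_username(submitted: str) -> str:
    """Apply the page's rule: for an e-mail address keep only the part before
    '@'; a bare username is used as-is. Case is folded (AD account names are
    not case-sensitive; an assumption for this model)."""
    return submitted.split("@", 1)[0].strip().lower()


@dataclass(frozen=True)
class Submission:
    src_ip: str    # client address of the web session
    username: str  # username typed into the web form
    url: str       # site the form was submitted to
    # The password is not modelled: neither mapping mode inspects it.


def group_mapping_match(sub: Submission, known_users: Set[str]) -> bool:
    """Use Group Mapping: any username belonging to a user in the monitored
    groups matches, regardless of which client submits it."""
    return normalize_username(sub.username) in known_users


def ip_user_mapping_match(sub: Submission, ip_user_map: Dict[str, str]) -> bool:
    """Use IP User Mapping: only the username mapped to the source IP matches,
    so a client submitting some other user's username is not caught."""
    mapped = ip_user_map.get(sub.src_ip)
    return mapped is not None and normalize_username(sub.username) == mapped


def log_record(sub: Submission, ip_user_map: Dict[str, str], detected: bool) -> str:
    """Constructed key=value log line in the style of a URL Filtering entry.
    user.src comes from User-ID's IP-to-user mapping, not from the form."""
    mapped = ip_user_map.get(sub.src_ip)
    user_src = f"{DOMAIN}\\{mapped}" if mapped else "unknown"
    flags = "credential-detected" if detected else "none"
    return f"user.src={user_src} url={sub.url} flags={flags}"


def credential_detected_for_user(lines: Iterable[str], user_src: str) -> List[str]:
    """Equivalent of the filter
    ( user.src eq 'domain\\username' ) and ( flags has credential-detected )."""
    hits = []
    for line in lines:
        fields = dict(item.split("=", 1) for item in line.split())
        flags = fields.get("flags", "").split(",")
        if fields.get("user.src") == user_src and "credential-detected" in flags:
            hits.append(line)
    return hits


# Constructed sample environment.
KNOWN_USERS = {"alice", "bob"}                           # from group mapping
IP_USER_MAP = {"10.0.0.5": "alice", "10.0.0.6": "bob"}   # from User-ID

SUBMISSIONS = [
    Submission("10.0.0.5", "alice@gmail.com", "https://login.example.test/"),     # Alice, own username as e-mail
    Submission("10.0.0.5", "bob", "https://login.example.test/"),                 # Alice typing Bob's username
    Submission("10.0.0.7", "Bob", "https://login.example.test/"),                 # unmapped client, Bob's username
    Submission("10.0.0.6", "carol@corp.example", "https://login.example.test/"),  # Bob, username not in scope
]


def evaluate(mode: str) -> Tuple[List[bool], List[str]]:
    """Run every sample submission through one mode; return the per-submission
    verdicts and the log lines the firewall would write."""
    verdicts, lines = [], []
    for sub in SUBMISSIONS:
        if mode == "group":
            hit = group_mapping_match(sub, KNOWN_USERS)
        elif mode == "ip":
            hit = ip_user_mapping_match(sub, IP_USER_MAP)
        else:
            raise ValueError(f"unknown mode: {mode}")
        verdicts.append(hit)
        lines.append(log_record(sub, IP_USER_MAP, hit))
    return verdicts, lines


if __name__ == "__main__":
    for mode in ("group", "ip"):
        verdicts, lines = evaluate(mode)
        print(mode, verdicts)
        print("\n".join(credential_detected_for_user(lines, f"{DOMAIN}\\alice")))
```

The second submission is the Alice/Bob case: Group Mapping flags it because bob is a known username, while IP User Mapping does not because the client at 10.0.0.5 is mapped to alice. The third submission shows why Group Mapping is the broader net: even an unmapped client (user.src would be unknown in the log) is caught when the typed name matches a monitored user.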

Remember, the following groups are members of the Denied RODC Password Replication Group. Any user that is a member of these groups will not have their credentials synced to the RODC. This means that their passwords cannot be included in the list of username/password combinations for credential theft prevention.

  • Cert Publishers
  • Domain Admins
  • Domain Controllers
  • Enterprise Admins
  • Group Policy Creator Owners
  • Read-only Domain Controllers
  • Schema Admins

Remember, the firewall automatically skips checking credential submissions for App-IDs associated with sites that have never been observed hosting malware or phishing content to ensure the best performance even if you enable checks in the corresponding category. The list of sites on which the firewall will skip credential checking is automatically updated via Application and Threat content updates.

paloaltonetworks/configuration/credential_phishing_prevention.txt · Last modified: by 127.0.0.1