https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586179#M3163 <P>Thanks for the Reply,&nbsp;</P> <P>I was thinking of using user-id's but was not sure if that was supported. so, I would just add the AD group to 'group mapping' under 'user identification' than apply the group to the decryption policy?</P> Wed, 08 May 2024 13:59:59 GMT MNoble 2024-05-08T13:59:59Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586031#M3130 <P>Hello all,&nbsp;</P> <P>We are slowly rolling out Decryption to folks and was wondering if there is a way to dynamically add users, similar to user-ID.</P> <P>My current way is manually adding computer objects which was fine for the first 15 computers but is starting to get tedious.&nbsp;</P> <P>I know I can import objects using the API but am looking for a more dynamic method.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 07 May 2024 16:17:34 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586031#M3130 MNoble 2024-05-07T16:17:34Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586039#M3131 <P>Hello friend!&nbsp;</P> <P>&nbsp;</P> <P>I think your requirement might be solved using Dynamic User Groups, you can find more information in:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-dynamic-user-groups-in-policy" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-dynamic-user-groups-in-policy</A>&nbsp;</P> <P>&nbsp;</P> <P>Mark my comment as solved if you think it solved your doubt,</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 07 May 2024 16:37:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586039#M3131 jfernandez1 2024-05-07T16:37:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586051#M3134 <P>Thanks for Reply, I would still need to manually enter objects. Also, I think Dynamic user Groups use Tags for filtering which is not what I'm looking for.</P> Tue, 07 May 2024 17:36:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586051#M3134 MNoble 2024-05-07T17:36:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586059#M3135 <P>Not sure there is a more automated way to achieve this outside of API. You could use Terraform to add objects on the fly from an excel spread sheet if you knew how to do that. Also why not just use user-id for the decryption policy and make an AD group for "Decryption_Users" and add the users to that group which would then hit the policy?</P> Tue, 07 May 2024 18:33:09 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586059#M3135 S_Williams901 2024-05-07T18:33:09Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586088#M3143 <P>Hello,</P> <P>Two ways I can think of to achieve this.</P> <P>&nbsp;</P> <P>User-id</P> <P>If you have user-id setup with active directory, the use of this can be the solution you are looking for. Create a group and add that group to your decryption policy. That way when you add users to this group in AD, it will propagate to the PAN and their traffic will hit the decrypt policy.</P> <P>&nbsp;</P> <P>Source IP's</P> <P>Use the source IP's of subnets, single addresses, or a group of addresses and add them to the decryption policy.</P> <P>&nbsp;</P> <P>Hope this helps.</P> Tue, 07 May 2024 20:55:57 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586088#M3143 OtakarKlier 2024-05-07T20:55:57Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586179#M3163 <P>Thanks for the Reply,&nbsp;</P> <P>I was thinking of using user-id's but was not sure if that was supported. so, I would just add the AD group to 'group mapping' under 'user identification' than apply the group to the decryption policy?</P> Wed, 08 May 2024 13:59:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586179#M3163 MNoble 2024-05-08T13:59:59Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586180#M3164 <P>Hello,</P> <P>Exactly, its that simple. Just remember that its not instant from when you add someone to the group and it starts decrypting. The PAN needs to update the AD group, used to be 60 minutes by default. But can be changed to meet your needs.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRyCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRyCAK</A></P> <P>&nbsp;</P> <P>Regards,</P> Wed, 08 May 2024 14:09:48 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586180#M3164 OtakarKlier 2024-05-08T14:09:48Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586181#M3165 <P>Thanks again! Marked as Solution <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 08 May 2024 14:12:43 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586181#M3165 MNoble 2024-05-08T14:12:43Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586183#M3166 <P>Hello,</P> <P>Best of luck! If you have additional questions, feel free to post. We are here to help!</P> <P>&nbsp;</P> <P>Cheers!</P> Wed, 08 May 2024 14:13:56 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-decryption-sources/m-p/586183#M3166 OtakarKlier 2024-05-08T14:13:56Z