https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91607#M43651 <P>Sorry that was used in policy so that's also ok.</P> Thu, 23 Jun 2016 11:31:58 GMT ToniE 2016-06-23T11:31:58Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90832#M43600 <P>Hi,</P><P>&nbsp;</P><P>I try to test ssl forward proxy decryption. It works fine if I use IP address as a source but if I use Users(domain) as a source it doesn't work. I can't use IP's for testing because our IP's floating. What I need to check in configuration?</P><P>&nbsp;</P><P>Toni</P> Wed, 22 Jun 2016 08:18:06 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90832#M43600 ToniE 2016-06-22T08:18:06Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90850#M43601 <P>Is user identified properly and does show up on <EM>#show user ip-user-mapping all</EM>?</P> Wed, 22 Jun 2016 08:45:49 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90850#M43601 nikoo 2016-06-22T08:45:49Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90880#M43604 <P>please take a look through this article to make sure UserID is set up properly:&nbsp; <A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321" target="_blank">Getting Started: User-ID</A></P> Wed, 22 Jun 2016 09:33:27 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90880#M43604 reaper 2016-06-22T09:33:27Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90881#M43605 <P>Yep. User-ID works fine but user based decryption not.</P> Wed, 22 Jun 2016 09:44:22 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90881#M43605 ToniE 2016-06-22T09:44:22Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90950#M43615 <P>That's odd.&nbsp; We've been using TLS decryption for quite a while based on Active Directory group membership.&nbsp; It works fine here (other than the fact that downloads over decrypted TLS sessions are incredibly slow).</P> Wed, 22 Jun 2016 12:07:58 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90950#M43615 scottsander 2016-06-22T12:07:58Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90960#M43619 <P>Thanks for information. At least I know now that it could work.</P> Wed, 22 Jun 2016 12:33:45 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/90960#M43619 ToniE 2016-06-22T12:33:45Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91065#M43627 <P>Which version of PANOS are you running on?</P> Wed, 22 Jun 2016 14:07:37 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91065#M43627 nikoo 2016-06-22T14:07:37Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91114#M43632 <P>I am running 7.0.5-h2, use user ID and do user based decryption as part of a pilot for decryption right now. No issues here.</P> Wed, 22 Jun 2016 14:54:39 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91114#M43632 googol 2016-06-22T14:54:39Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91445#M43641 <P>Hello,</P><P>&nbsp;</P><P>Our current version is 7.0.5-h2.</P><P>&nbsp;</P><P>How you configure policy. Source address any and user&nbsp;domain\user ?</P><P>&nbsp;</P><P>br</P><P>Toni</P> Thu, 23 Jun 2016 07:25:22 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91445#M43641 ToniE 2016-06-23T07:25:22Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91600#M43648 <P>It seems the user to group mapping is not happening correctly. See this command for one ip</P><P>show user ip-user-mapping ip x.x.x.x</P><P>See if user is showing correctly</P><P>See also associated groups are showing correctly</P><P>If not add group mapping under Device-&gt; user identification-&gt; group mapping</P> Thu, 23 Jun 2016 10:35:29 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91600#M43648 Roby_Sreejith 2016-06-23T10:35:29Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91602#M43650 <P>Hi,</P><P>&nbsp;</P><P>show user ip-user-mapping ip x.x.x.x&nbsp; --&gt; I can see my username correctly. But I can't see any groups associated&nbsp; --&gt; Groups that the user belongs to (used in policy). This is empty.</P><P>&nbsp;</P><P>&nbsp;</P><P>I can see my username in group if&nbsp; --&gt; show user group name "CN=XXXXXXXXX,OU=XXXXXXXX,OU=XXXX,DC=XX,DC=XXXXXX,DC=XXXX,DC=XXX"</P><P>&nbsp;</P><P>&nbsp;</P><P>Toni</P> Thu, 23 Jun 2016 10:59:05 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91602#M43650 ToniE 2016-06-23T10:59:05Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91607#M43651 <P>Sorry that was used in policy so that's also ok.</P> Thu, 23 Jun 2016 11:31:58 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91607#M43651 ToniE 2016-06-23T11:31:58Z https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91608#M43652 <P>Hello, I just found solution. It was in group mapping settings. User Domain was missing above Group Objects.</P><P>&nbsp;</P><P>Thank you all for help. You put me to right direction!</P><P>&nbsp;</P><P>br</P><P>Toni</P> Thu, 23 Jun 2016 11:36:23 GMT https://live.paloaltonetworks.com/t5/general-topics/user-based-ssl-decryption/m-p/91608#M43652 ToniE 2016-06-23T11:36:23Z