topic Re: SSL Decryption just some users in General Topics

SSL Decryption just some users

PedroPablo — Mon, 17 Sep 2018 14:07:34 GMT

Hello everybody,

I'm struggling thinking how i can do this. I've implemented SSL Decryption in the Palo Alto FW and i just tried with two IP's with a succesful result.

Now i would like to open the range. I want to apply that decryption rule to an OU of my domain but i don't know how to do it. Well, actually, i don't know if it's possible.

So, the thing is just to apply that rule to a group of users that i want to keep doing tests and i can't do it with IP addresses because we have DHCP deployed.

Can someone help me?

Thank you in advance.

Re: SSL Decryption just some users

kiwi — Mon, 17 Sep 2018 14:44:48 GMT

Hi @PedroPablo,

Yes, in your decription policy rule you can define your source users :

Cheers !

-Kiwi.

Re: SSL Decryption just some users

PedroPablo — Mon, 17 Sep 2018 15:06:45 GMT

Thank you Kiwi. I think i didn't explain myself well haha.

I know i can define some source users, i already have some of then. My question is:

If for example i want the users of an OU of my AD and they are 200 users, ¿Do i have to put those 200 users manually? Because i think i can't use groups from my domain.

And in the future i would like to open it for the rest of users of my company and the problem is that if i do it with subnets, i'll have devices without the CA cert and those will have problems probably.

Anyway, thank you for help!!

Re: SSL Decryption just some users

OtakarKlier — Mon, 17 Sep 2018 20:47:13 GMT

Hello,

While the PAN cannot do an OU per se, it can do groups, so you could potentially just create an AD group and use it. Also as you can see in the screen shot above is to use Source IP's and/or Source Zones.

Hope that helps.

Re: SSL Decryption just some users

kiwi — Tue, 18 Sep 2018 07:18:22 GMT

Hi @PedroPablo,

The screenshot might be misleading ... "Source users" doesn't mean you have to add each user individually 🙂

As Otakar mentioned you can create AD groups and use those in your decryption policy.

Cheers !

-Kiwi.

Re: SSL Decryption just some users

PedroPablo — Tue, 18 Sep 2018 07:49:25 GMT

Thank you guys for your help. For example, could i use the group of domain users?

The thing is when i want for example to use an user in that decryption policy, i go to "Source User" and i type the first two letters of the user name and i get a list of a bunch of users with those letters.

But i've never seen the name of a group. So i don't know if just putting the name of the group is gonna work. Sorry if i'm not explaining myself really well. Thank you for your patience!

Re: SSL Decryption just some users

kiwi — Tue, 18 Sep 2018 12:03:31 GMT

Hi @PedroPablo,

This can help you I think 🙂

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Check-Users-in-LDAP-Groups/ta-p/59028

Did you correctly configure Group Mappings at Device > User Identification > Group Mapping Settings ?

Cheers !

-Kiwi.

Re: SSL Decryption just some users

PedroPablo — Tue, 18 Sep 2018 13:20:08 GMT

It helped me a lot @kiwi! Thank you so much for your help! @OtakarKlier thank you too!

That was my problem. I had configured correctly the Group Mapping but i had to include the group i wanted in the "Group Include List".

Have a nice day guys!

Re: SSL Decryption just some users

OtakarKlier — Tue, 18 Sep 2018 13:42:32 GMT

Glad you got it working!