SSL Decryption just some users

Reply
L2 Linker

SSL Decryption just some users

Hello everybody,

 

I'm struggling thinking how i can do this. I've implemented SSL Decryption in the Palo Alto FW and i just tried with two IP's  with a succesful result.

 

Now i would like to open the range. I want to apply that decryption rule to an OU of my domain but i don't know how to do it. Well, actually, i don't know if it's possible.

 

So, the thing is just to apply that rule to a group of users that i want to keep doing tests and i can't do it with IP addresses because we have DHCP deployed. 

 

Can someone help me?

 

Thank you in advance.

Community Team Member

Re: SSL Decryption just some users

Hi @PedroPablo,

 

Yes, in your decription policy rule you can define your source users :

 

2018-09-17_16-41-42.png

 

 

Cheers !

-Kiwi.

 

 

 
L2 Linker

Re: SSL Decryption just some users

Thank you Kiwi. I think i didn't explain myself well haha. 

 

I know i can define some source users, i already have some of then. My question is:

 

If for example i want the users of an OU of my AD and they are 200 users, ¿Do i have to put those 200 users manually? Because i think i can't use groups from my domain.

 

And in the future i would like to open it for the rest of users  of my company and the problem is that if i do it with subnets, i'll have devices without the CA cert and those will have problems probably.

 

Anyway, thank you for help!!

L7 Applicator

Re: SSL Decryption just some users

Hello,

While the PAN cannot do an OU per se, it can do groups, so you could potentially just create an AD group and use it. Also as you can see in the screen shot above is to use Source IP's and/or Source Zones.

 

Hope that helps.

Community Team Member

Re: SSL Decryption just some users

Hi @PedroPablo,

 

The screenshot might be misleading ... "Source users" doesn't mean you have to add each user  individually :)

As Otakar mentioned you can create AD groups and use those in your decryption policy.

 

Cheers !

-Kiwi.

 
L2 Linker

Re: SSL Decryption just some users

Thank you guys for your help. For example, could i use the group of domain users?

 

The thing is when i want for example to use an user in that decryption policy, i go to "Source User" and i type the first two letters of the user name and i get a list of a bunch of users with those letters.

 

But i've never seen the name of a group. So i don't know if just putting the name of the group is gonna work. Sorry if i'm not explaining myself really well. Thank you for your patience!

Community Team Member

Re: SSL Decryption just some users

Hi @PedroPablo,

 

This can help you I think :)

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Check-Users-in-LDAP-Groups/ta-p/59028

 

Did you correctly configure Group Mappings at Device > User Identification > Group Mapping Settings ?

 

Cheers !

-Kiwi.

 
L2 Linker

Re: SSL Decryption just some users

It helped me a lot @kiwi! Thank you so much for your help! @Otakar.Klier thank you too!

 

That was my problem. I had configured correctly the Group Mapping but i had to include the group i wanted in the "Group Include List".

 

Have a nice day guys!

L7 Applicator

Re: SSL Decryption just some users

Glad you got it working!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!