SSL Decryption just some users

Hello everybody,

 

I'm struggling to think how I can do this. I've implemented SSL Decryption in the Palo Alto FW and I just tried it with two IPs with a successful result.

Now I would like to open the range. I want to apply that decryption rule to an OU of my domain but I don't know how to do it. Well, actually, I don't know if it's possible.

So, the thing is just to apply that rule to a group of users that I want to keep doing tests with, and I can't do it with IP addresses because we have DHCP deployed.

Can someone help me?

Thank you in advance.

Accepted Solution

Community Team Member

Hi @PedroPablo,

This can help you I think 🙂

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Check-Users-in-LDAP-Groups/ta-p/59028

Did you correctly configure Group Mappings at Device > User Identification > Group Mapping Settings?

Cheers!

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

8 Replies

Community Team Member

Hi @PedroPablo,

Yes, in your decryption policy rule you can define your source users:

[screenshot: 2018-09-17_16-41-42.png]

Cheers!

-Kiwi.

 

Thank you Kiwi. I think I didn't explain myself well haha.

I know I can define some source users, I already have some of them. My question is:

If for example I want the users of an OU of my AD and they are 200 users, do I have to put those 200 users manually? Because I think I can't use groups from my domain.

And in the future I would like to open it for the rest of the users of my company, and the problem is that if I do it with subnets, I'll have devices without the CA cert and those will probably have problems.

Anyway, thank you for the help!!

Hello,

While the PAN cannot do an OU per se, it can do groups, so you could potentially just create an AD group and use it. Also, as you can see in the screenshot above, you can use source IPs and/or source zones.

Hope that helps.

Community Team Member

Hi @PedroPablo,

The screenshot might be misleading ... "Source users" doesn't mean you have to add each user individually 🙂

As Otakar mentioned, you can create AD groups and use those in your decryption policy.

Cheers!

-Kiwi.
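
Pulling the answers in this thread together as an added example (not from any of the posts above, nor from Palo Alto Networks documentation): a PAN-OS CLI transcript that first checks the group mapping the accepted solution points to, then scopes a forward-proxy decryption rule to an AD group instead of IP addresses. The rule name, zone names, group name, decryption profile name and the `PA-FW` hostname are assumptions; lines beginning with `//` are annotations, not CLI input.

```text
// --- Operational mode: confirm the firewall knows the group and its members ---
// Group mapping must be healthy first; a user-based rule matches nothing otherwise.
admin@PA-FW> show user group-mapping state all
admin@PA-FW> show user group list
// Use the group name exactly as it appears in the list above (short name shown here;
// on some setups it is the full LDAP DN of the group).
admin@PA-FW> show user group name "example\ssl-decrypt-pilot"

// A client only matches a source-user rule if User-ID has an IP-to-user mapping for it.
// A pilot user whose address shows no mapping here will NOT be decrypted, whatever the rule says.
admin@PA-FW> show user ip-user-mapping all

// --- Configuration mode: decryption rule keyed on the AD group, not on addresses ---
admin@PA-FW> configure
admin@PA-FW# set rulebase decryption rules decrypt-pilot-group from trust to untrust
admin@PA-FW# set rulebase decryption rules decrypt-pilot-group source any destination any
admin@PA-FW# set rulebase decryption rules decrypt-pilot-group source-user "example\ssl-decrypt-pilot"
admin@PA-FW# set rulebase decryption rules decrypt-pilot-group category any
admin@PA-FW# set rulebase decryption rules decrypt-pilot-group action decrypt type ssl-forward-proxy
admin@PA-FW# set rulebase decryption rules decrypt-pilot-group profile pilot-decrypt-profile
admin@PA-FW# commit

// Growing the pilot later means adding users to the AD group; the firewall config stays put.
// Caveat for the DHCP/CA-cert concern raised above: the rule follows the mapped user, not the
// device, so a pilot user logging on from a machine without the forward-trust CA still gets decrypted.
```

Re-run `show user group name` after a group-mapping refresh to confirm a newly added user is visible before expecting decryption to start for them.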

 