05-07-2024 09:17 AM
Hello all,
We are slowly rolling out Decryption to folks and I was wondering if there is a way to dynamically add users, similar to User-ID.
My current way is manually adding computer objects which was fine for the first 15 computers but is starting to get tedious.
I know I can import objects using the API but am looking for a more dynamic method.
Thanks
05-07-2024 09:37 AM
Hello friend!
I think your requirement might be solved using Dynamic User Groups, you can find more information in:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-dynamic-user-groups-in-policy
Mark my comment as solved if you think it solved your doubt,
05-07-2024 10:36 AM
Thanks for the reply. I would still need to manually enter objects. Also, I think Dynamic User Groups use tags for filtering, which is not what I'm looking for.
05-07-2024 11:33 AM
Not sure there is a more automated way to achieve this outside of the API. You could use Terraform to add objects on the fly from an Excel spreadsheet if you knew how to do that. Also, why not just use User-ID for the decryption policy and make an AD group for "Decryption_Users" and add the users to that group, which would then hit the policy?
05-07-2024 01:55 PM
Hello,
Two ways I can think of to achieve this.
User-ID
If you have User-ID set up with Active Directory, the use of this can be the solution you are looking for. Create a group and add that group to your decryption policy. That way, when you add users to this group in AD, it will propagate to the PAN and their traffic will hit the decrypt policy.
Source IPs
Use the source IPs of subnets, single addresses, or a group of addresses and add them to the decryption policy.
Hope this helps.
05-08-2024 06:59 AM
Thanks for the Reply,
I was thinking of using User-IDs but was not sure if that was supported. So, I would just add the AD group to 'Group Mapping' under 'User Identification', then apply the group to the decryption policy?
05-08-2024 07:09 AM
Hello,
Exactly, it's that simple. Just remember that it's not instant from when you add someone to the group to when it starts decrypting. The PAN needs to update the AD group; it used to be 60 minutes by default, but that can be changed to meet your needs.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRyCAK
Regards,
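For anyone who does want the API route the original poster mentioned (or the "objects from a spreadsheet" idea raised earlier in the thread) rather than AD group mapping, here is an added example that is not from this thread or from Palo Alto Networks. It builds the PAN-OS XML API requests that create one address object per host in a CSV, merges those objects into the address group a decryption rule references, and issues the op command equivalent of `show user group name` so you can confirm the AD group from the accepted answer has actually been pulled in. Assumptions: the firewall management address `FW_HOST`, the API key in the `PANOS_API_KEY` environment variable, objects in `vsys1` (the `VSYS_XPATH` value; Panorama uses a different xpath), and a CSV with a `hostname,ip` header row. The request-building functions are pure and run offline; only `main()` contacts the firewall.

```python
"""Sync a PAN-OS address group (used by a decryption rule) from a CSV of hosts.

Added example, not code from the thread or from Palo Alto Networks.
Assumptions: FW_HOST is reachable, PANOS_API_KEY holds an API key,
objects live in vsys1, and the CSV has a 'hostname,ip' header row.
"""
import csv
import io
import ipaddress
import os
import re
import sys
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape

FW_HOST = "firewall.example.internal"  # assumption: management interface FQDN
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")  # assumption: vsys1 on a firewall
GROUP_NAME = "Decryption_Hosts"  # address group the decryption rule matches on


def safe_object_name(raw: str) -> str:
    """PAN-OS object names allow letters, digits, '-', '_', '.', space; max 63 chars."""
    cleaned = re.sub(r"[^A-Za-z0-9._ -]", "-", raw.strip())
    return cleaned[:63] or "unnamed"


def parse_hosts(csv_text: str) -> list:
    """Return (object_name, ip) pairs from CSV text; rows with a bad IP are skipped."""
    hosts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except (ValueError, KeyError):
            continue  # malformed row: never push junk into the running config
        hosts.append((safe_object_name(row.get("hostname") or ip), ip))
    return hosts


def address_object_call(name: str, ip: str) -> dict:
    """Query parameters for 'set' of a single host address object."""
    return {
        "type": "config", "action": "set",
        "xpath": f"{VSYS_XPATH}/address/entry[@name='{name}']",
        "element": f"<ip-netmask>{escape(ip)}</ip-netmask>",
    }


def address_group_call(group: str, members: list) -> dict:
    """Query parameters that merge members into a static address group.

    'set' merges; to remove hosts that left the CSV use action=delete on the
    member xpath, or action=edit with the full <entry> element.
    """
    body = "".join(f"<member>{escape(m)}</member>" for m in members)
    return {
        "type": "config", "action": "set",
        "xpath": f"{VSYS_XPATH}/address-group/entry[@name='{group}']",
        "element": f"<static>{body}</static>",
    }


def group_membership_cmd(ad_group: str) -> dict:
    """Op command mirroring the CLI 'show user group name "<group>"', to check
    that group mapping has refreshed the AD group a decryption rule references."""
    return {"type": "op",
            "cmd": f"<show><user><group><name>{escape(ad_group)}</name></group></user></show>"}


def call_api(params: dict, api_key: str) -> str:
    """Send one XML API request. TLS verification stays on; the management
    certificate is assumed to be trusted by this host's CA store."""
    query = urllib.parse.urlencode({**params, "key": api_key})
    with urllib.request.urlopen(f"https://{FW_HOST}/api/?{query}", timeout=30) as resp:
        return resp.read().decode()


def main(csv_path: str) -> None:
    api_key = os.environ["PANOS_API_KEY"]  # keep the key out of the script and argv
    with open(csv_path, newline="") as fh:
        hosts = parse_hosts(fh.read())
    for name, ip in hosts:
        print(call_api(address_object_call(name, ip), api_key))
    print(call_api(address_group_call(GROUP_NAME, [n for n, _ in hosts]), api_key))
    print(call_api({"type": "commit", "cmd": "<commit></commit>"}, api_key))
    print(call_api(group_membership_cmd("corp\\Decryption_Users"), api_key))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "decryption_hosts.csv")
```

Run it as `PANOS_API_KEY=... python sync_decrypt_hosts.py hosts.csv`. The commit is a full commit; on a shared firewall you would normally scope it to your admin with a partial commit, and the API key should belong to a role limited to the objects it needs to touch.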
05-08-2024 07:12 AM
Thanks again! Marked as Solution 🙂
05-08-2024 07:13 AM
Hello,
Best of luck! If you have additional questions, feel free to post. We are here to help!
Cheers!