Dynamic Decryption sources


L2 Linker

Hello all, 

We are slowly rolling out decryption to folks and I was wondering if there is a way to dynamically add users, similar to User-ID.

My current way is manually adding computer objects which was fine for the first 15 computers but is starting to get tedious. 

I know I can import objects using the API but am looking for a more dynamic method. 

Thanks


L2 Linker

Hello friend!

I think your requirement might be solved using Dynamic User Groups; you can find more information in:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-dynamic-user-groups-in-policy

Mark my comment as solved if you think it solved your doubt.

Senior Network Security Engineer
PCNSE | CCNP | JNCIP

Thanks for the reply. I would still need to manually enter objects. Also, I think Dynamic User Groups use tags for filtering, which is not what I'm looking for.

L3 Networker

Not sure there is a more automated way to achieve this outside of the API. You could use Terraform to add objects on the fly from an Excel spreadsheet if you knew how to do that. Also, why not just use User-ID for the decryption policy and make an AD group for "Decryption_Users" and add the users to that group, which would then hit the policy?

Cyber Elite

Hello,

Two ways I can think of to achieve this.

User-ID

If you have User-ID set up with Active Directory, the use of this can be the solution you are looking for. Create a group and add that group to your decryption policy. That way, when you add users to this group in AD, it will propagate to the PAN and their traffic will hit the decrypt policy.

Source IPs

Use the source IPs of subnets, single addresses, or a group of addresses and add them to the decryption policy.

Hope this helps.

Thanks for the reply,

I was thinking of using User-IDs but was not sure if that was supported. So, I would just add the AD group to 'group mapping' under 'user identification', then apply the group to the decryption policy?

Cyber Elite

Hello,

Exactly, it's that simple. Just remember that it's not instant from when you add someone to the group to when it starts decrypting. The PAN needs to update the AD group; this used to be 60 minutes by default, but it can be changed to meet your needs.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRyCAK

Regards,

Thanks again! Marked as Solution 🙂

Cyber Elite

Hello,

Best of luck! If you have additional questions, feel free to post. We are here to help!

Cheers!
