Using Manifest/AD groups in PaloAlto firewall rules to filter WiscVPN traffic

How to use Manifest (AD) groups in Palo Alto firewall rules to filter on group membership instead of the IP addresses of WiscVPN users


The campus firewalls can filter traffic from WiscVPN users based on either netid username or Manifest group membership.

This document describes how to use Manifest (Campus AD) group membership to allow/deny access to firewall protected services.

How to filter on usernames instead is described in a separate KB document.

How this can be useful:

Without mapping WiscVPN users to usernames and/or groups, firewall rules would have to allow the entire WiscVPN IP address range to reach their services, or force users onto static WiscVPN IP addresses.  This can now be avoided by writing rules against usernames or Manifest (Campus AD) group membership.

How this works:

When WiscVPN users log in, the firewall learns the username to IP address mapping.  These mappings are distributed to all the campus firewalls.

If a firewall is configured to map the usernames to AD group membership, firewall rules can be written to allow a group to a destination behind the firewall without the need to know the source IP address of the traffic.

The WiscVPN IP address is mapped to a userid.
The userid is mapped to AD group membership by the firewall querying Campus AD.

Firewall configuration

Step 1:  Create a Manifest group

Make sure there are members in the new Manifest group (otherwise the group is not published from Manifest to AD).

In the Advanced options when creating the Manifest group, select "Publish to Campus Active Directory".

Wait until you receive an email verification that the group has been published to AD before moving on to the next step.

Step 2: Contact the Network Engineering Operational Engineers (OpEng) to enable this group in your firewall AND to enable userid for your firewall untrust zone:

[Screenshot: enable userid on untrust zone]

The OpEng staff will need to know the Manifest group name to configure your firewall.  It is helpful if you send the entire Manifest URL to the OpEng staff.

Only OpEng or other Network staff can add the Manifest group to the firewall configuration so it can be used in a rule.  This restriction exists because of limitations in the firewall GUI and because a misconfiguration here can lead to a catastrophic failure of the firewall.

Step 3:  Configure a firewall rule to refer to the Manifest group as a source to allow:

[Screenshot: AD group firewall rule]

Notice that the AD group name is a long hex string.  This is because when Manifest pushes groups into AD it uses a unique name so that name clashes do not occur.  You will need to be careful to select the correct group.  When working with the Manifest group in a web browser you can see this hex string in the URL of the browser.  We suggest that you use the comment section of the firewall rule to document which real group name the hex string corresponds to.

You may choose to leave the SOURCE tab blank or include the whole WiscVPN IP address range using the Panorama global object G-WISCVPN-Static-and-Dynamic.
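As an added illustration (not configuration from this KB, and not something the firewall owner applies; OpEng does the equivalent through Panorama), the two pieces Steps 2 and 3 describe are shown below as PAN-OS configure-mode CLI.  The zone names, rule name, the destination object App-Server-Object and the group placeholder are assumptions; the lines starting with # are explanatory, not CLI.

```text
# Step 2 counterpart: User-ID must be enabled on the zone WiscVPN traffic
# enters from, otherwise the distributed username-to-IP mappings are never
# consulted for that traffic and any source-user rule silently never matches.
set zone untrust enable-user-identification yes

# Step 3 counterpart: match on group membership instead of source IP.
# <HEX-GROUP-ID> is a placeholder for the long hex name Manifest assigns the
# group in Campus AD (visible in the Manifest URL); use the exact name OpEng
# enabled in the firewall's group list.
set rulebase security rules Allow-Manifest-Group-To-App from untrust
set rulebase security rules Allow-Manifest-Group-To-App to trust
set rulebase security rules Allow-Manifest-Group-To-App source G-WISCVPN-Static-and-Dynamic
set rulebase security rules Allow-Manifest-Group-To-App source-user "<HEX-GROUP-ID>"
set rulebase security rules Allow-Manifest-Group-To-App destination App-Server-Object
set rulebase security rules Allow-Manifest-Group-To-App application any
set rulebase security rules Allow-Manifest-Group-To-App service application-default
set rulebase security rules Allow-Manifest-Group-To-App action allow

# Record the hex-to-name mapping in the rule itself, as the KB suggests.
set rulebase security rules Allow-Manifest-Group-To-App description "source-user <HEX-GROUP-ID> = Manifest group <readable group name> (<Manifest URL>)"

# Verification after commit (operational mode): confirm the VPN user's IP is
# mapped to a username and that the group resolved members from Campus AD.
show user ip-user-mapping all
show user group name "<HEX-GROUP-ID>"
```

Keeping the source restricted to G-WISCVPN-Static-and-Dynamic in addition to the group means a user whose IP-to-user mapping is missing or stale falls through to deny rather than matching by group alone.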

Keywords: palo alto, userid, paloalto, Wiscvpn
Doc ID: 111780
Owner: Greg P.
Group: Network Services
Created: 2021-06-18 10:31:51
Updated: 2021-11-23 08:06:55
Sites: DoIT Help Desk, Network Services