WiscVPN - Using Manifest/AD groups in PaloAlto Firewall Rules

This document describes how to use Manifest (Campus AD) group membership to allow/deny access to firewall protected services and filter WiscVPN traffic.

The campus firewalls can filter traffic from WiscVPN users based on either NetID username or Manifest group membership.

For instructions on how to use WiscVPN usernames instead, see WiscVPN - Using WiscVPN usernames in PaloAlto Firewall Rules.

Why use Manifest groups

Without mapping WiscVPN users to names and/or groups, firewall rules would have to allow the entire WiscVPN IP address range or require the use of static IP addresses to filter traffic.

Writing rules against usernames or Manifest group membership lets firewall rules allow access to specific groups without needing static IP address assignments.

How this works

The firewall knows the username to IP address mapping when a WiscVPN user logs in. These mappings are distributed to all the campus firewalls.

Configuring a firewall to map the usernames to AD group membership allows members of the group to reach a destination behind the firewall without the rule needing to know the source IP address of the traffic.

The mapping is as follows:

  1. WiscVPN IP address is mapped to UserID 
  2. UserID is mapped to AD group membership by the firewall querying Campus AD
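The two-step mapping above, modelled in Python as an added illustration of how a group-based rule resolves (this is not the firewall's own code). The IP addresses, NetIDs and the hex group name are constructed placeholders, and the 10.0.0.0/24 range stands in for the G-WISCVPN-Static-and-Dynamic object.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data. Step 1: the firewall learns IP -> NetID when a
# WiscVPN session starts. Step 2: it resolves NetID -> AD group membership
# by querying Campus AD. All values below are placeholders.
USER_ID_MAPPINGS = {"10.0.0.10": "bbadger", "10.0.0.11": "jdoe"}  # IP -> NetID
HEX_GROUP = "0123456789abcdef0123456789abcdef"  # placeholder hex name Manifest pushes to AD
AD_GROUPS = {HEX_GROUP: {"bbadger"}}             # hex group name -> member NetIDs
VPN_RANGE = ip_network("10.0.0.0/24")            # stands in for G-WISCVPN-Static-and-Dynamic


@dataclass
class Rule:
    name: str
    source_user_group: str   # AD group name (the hex string), not the Manifest display name
    source_addresses: list   # address objects; an empty list means "any"
    comment: str             # document the hex group name and Manifest URL here


def evaluate(rule: Rule, src_ip: str) -> tuple:
    """Return (action, reason) for traffic from src_ip against a group-based rule."""
    ip = ip_address(src_ip)
    # Address match is checked first; if the SOURCE tab lists objects, the IP must be in one.
    if rule.source_addresses and not any(ip in net for net in rule.source_addresses):
        return ("no-match", "source IP outside the rule's address objects")
    # Step 1: IP -> UserID. Without a mapping (no VPN session, or mapping not yet
    # distributed) a user/group rule cannot match, so traffic falls to the default deny.
    netid = USER_ID_MAPPINGS.get(src_ip)
    if netid is None:
        return ("no-match", "no User-ID mapping for source IP")
    # Step 2: UserID -> AD group membership, as learned from Campus AD.
    members = AD_GROUPS.get(rule.source_user_group)
    if members is None:
        return ("no-match", "group not known to the firewall (not published or not enabled)")
    if netid not in members:
        return ("no-match", f"{netid} is not a member of the group")
    return ("allow", f"{netid} matched via group {rule.source_user_group}")


RULE = Rule("allow-app-team", HEX_GROUP, [VPN_RANGE], f"Manifest group, AD name {HEX_GROUP}")
```

Running evaluate(RULE, "10.0.0.10") allows the group member, while a member's traffic from an IP the firewall has no User-ID mapping for does not match, which is the case to check first when a new rule "does not work".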

Configure the firewall

  1. Create a Manifest group
    • Make sure there are members in the new Manifest group. Otherwise, the group is not published from Manifest to AD.
    • In the Advanced options when creating the Manifest group, select Publish to Campus Active Directory.
    • You will receive an email verification that the group has been published to AD. Complete the verification before moving onto the next step.
  2. Contact the Network Engineering Operational Engineers (OpEng) to enable this group in your firewall AND to enable UserID for your firewall untrust zone:

     Firewall zone configuration

    1. The OpEng staff will need to know the Manifest group name to configure your firewall. It is helpful if you send the entire Manifest URL to the OpEng staff.
    2. Only OpEng or other Network Staff can add the Manifest group into the firewall configuration to be used in a rule.
      This is due to:
      • Limitations to the firewall GUI
      • The risk of a misconfiguration that can lead to a catastrophic failure of the firewall.
  3. Configure a firewall rule to refer to the Manifest group as a source to allow:

    Security policy rule in Firewall

    • Note: The AD group name is a long hex string because, when Manifest pushes groups into AD, it uses a unique name so name clashes do not occur.
      • You will need to be careful to select the correct group. When working with the Manifest group in a web browser, you can see this hex string in the URL. 
      • You should use the comment section of the firewall rule to document the hex groupname.
    • You may choose to leave the SOURCE tab blank or include the whole WiscVPN IP address range using the Panorama global object G-WISCVPN-Static-and-Dynamic.


Keywords:
palo alto userid paloalto Wiscvpn manifest active directory globalprotect vpn 
Doc ID:
111780
Owned by:
Greg P. in Network Services
Created:
2021-06-18
Updated:
2025-06-27
Sites:
DoIT Help Desk, Network Services