How to use Manifest (AD groups) in palo alto firewall rules to filter on group membership instead of IP addresses from WiscVPN users
Using Manifest/AD groups in Palo Alto firewall rules to filter WiscVPN traffic
How this can be useful:
How this works:
Make sure there are members in the new Manifest group (otherwise the group is not published from Manifest to AD).
In the Advanced options when creating the Manifest group, select "Publish to Campus Active Directory".
Wait until you receive an email verification that the group has been published to AD before moving on to the next step.
Step 2: Contact the Network Engineering Operational Engineers (OpEng) to enable this group in your firewall AND to enable User-ID for your firewall's untrust zone:
The OpEng staff will need to know the Manifest group name to configure your firewall. It is helpful if you send the entire Manifest URL to the OpEng staff.
Only OpEng or other Network staff can add the Manifest group to the firewall configuration for use in a rule, due to limitations of the firewall GUI and the risk of a misconfiguration that can lead to a catastrophic failure of the firewall.
Step 3: Configure a firewall rule to refer to the Manifest group as a source to allow:
Notice that the AD group name is a long hex string. When Manifest pushes groups into AD it uses a unique name so that name clashes do not occur. You will need to be careful to select the correct group. When working with the Manifest group in a web browser you can see this hex string in the URL. We suggest that you use the comment field of the firewall rule to document which real group name the hex string corresponds to.
You may choose to leave the SOURCE tab blank (any address) or include the whole WiscVPN IP address range using the Panorama global object G-WISCVPN-Static-and-Dynamic. Including the VPN range narrows the rule so the group match only applies to traffic that arrived over WiscVPN.
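The following is an added example, not code from this page or from the Network Engineering group: a small Python helper that builds the PAN-OS security-rule XML for Step 3 in the shape the firewall's XML API accepts, refuses any source-user value that is not a known Manifest-published hex group name (the "select the correct group" check from the step above), and writes the hex-to-real-name mapping into the rule description as the text recommends. The published-group mapping, the hex values, the 32-hex-character format and the "ad\" domain prefix are all constructed assumptions for illustration; only the zone name untrust and the object G-WISCVPN-Static-and-Dynamic come from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data (not real Manifest groups): the hex name Manifest
# publishes to AD, as seen in the Manifest URL, mapped to the human-readable
# Manifest group name. In practice, build this from the URLs you sent to OpEng.
PUBLISHED_GROUPS = {
    "4f1c2a9e8b7d4c3e9a1f0b2c3d4e5f60": "uw:org:example-dept:vpn-admins",
    "a1b2c3d4e5f60718293a4b5c6d7e8f90": "uw:org:example-dept:vpn-staff",
}

# Assumption: the firewall shows the group as "<domain>\<group>". The domain
# label and the 32-hex-digit format are assumed here, not taken from the page.
AD_DOMAIN = "ad"
HEX_NAME = re.compile(r"^[0-9a-f]{32}$")


def resolve_group(hex_name):
    """Return the real Manifest name for a published hex group.

    Raises ValueError for a malformed name and KeyError for a hex string that is
    not in the published list, so a mistyped or wrong group never reaches a rule.
    """
    if not HEX_NAME.match(hex_name):
        raise ValueError(f"{hex_name!r} is not a Manifest-published hex group name")
    try:
        return PUBLISHED_GROUPS[hex_name]
    except KeyError:
        raise KeyError(f"{hex_name} is not a published group; check the Manifest URL") from None


def build_rule(name, hex_group, apps, service="application-default", action="allow",
               src_addr="G-WISCVPN-Static-and-Dynamic", dst_zone="trust", dst_addr="any"):
    """Build a PAN-OS security-rule <entry> that matches on the Manifest group.

    Source zone is untrust (where OpEng enabled User-ID), source address defaults
    to the WiscVPN global object, and source-user is the published hex group.
    """
    human = resolve_group(hex_group)
    entry = ET.Element("entry", name=name)

    def members(tag, values):
        node = ET.SubElement(entry, tag)
        for value in values:
            ET.SubElement(node, "member").text = value

    members("from", ["untrust"])
    members("to", [dst_zone])
    members("source", [src_addr])
    members("destination", [dst_addr])
    members("source-user", [f"{AD_DOMAIN}\\{hex_group}"])
    members("application", apps)
    members("service", [service])
    ET.SubElement(entry, "action").text = action
    # Document the hex-to-real-name mapping in the rule itself, as the page suggests.
    ET.SubElement(entry, "description").text = (
        f"source-user {hex_group} = Manifest group {human}"
    )
    return entry


def rule_xml(entry):
    """Serialize the rule entry for pushing with the XML API or for review."""
    return ET.tostring(entry, encoding="unicode")


if __name__ == "__main__":
    rule = build_rule("allow-vpn-admins-ssh", "4f1c2a9e8b7d4c3e9a1f0b2c3d4e5f60", ["ssh"])
    print(rule_xml(rule))
```

The element order inside the entry does not matter to PAN-OS, but keeping the source zone fixed to untrust and the source address defaulted to the WiscVPN object means a rule built this way cannot accidentally match group members arriving from anywhere else.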