A knowledge base article about How To Restrict A Resource To Campus IP Addresses provided by the UC Berkeley IT Service Hub - Knowledge Portal
With the addition of shared objects (either External Dynamic Lists or Address Groups), firewall administrators can now more easily allow or restrict access to protected systems based on common campus objects. For example, restricting a resource (web server, printer, etc.) to the campus network (or AirBears, the VPN, etc.) no longer requires the firewall administrator to identify the network(s) behind these shared objects when creating the rules. Additionally, should the addresses change, the administrator does not need to update the address objects, because they are maintained centrally by others. Below is an example of how to create a rule using one of these address objects. In this example, the rule is for a web server that allows access only from campus IP addresses and not from CalVisitor.
- Log into https://panorama.net.berkeley.edu using single sign-on.
- From the tabs at the top of the window choose “Policies”.
- Under “Security” in the left pane choose “Pre Rules”.
- Click “Add” at the bottom of the window. This brings up a “Security Policy Rule” window.
- In the “General” tab, enter an appropriate name such as ‘Campus only web server’ in the Name field.
- On the “Source” tab, check the “Any” box above “Source Zone”, then click “Add” below the “Source Address” column.
- In the drop-down list that appears for “Source Address”, select “UCB-networks_no_visitor”. (Note: UCB-networks_no_visitor includes all campus networks except the CalVisitor network. If CalVisitor users should also have access, you must select that list as well.)
- On the “Destination” tab, select the appropriate Destination Zone and Address. In this example the zone is L3_trusted and the address is an existing address object for the web server.
- If a specific application runs on this system, select it from the “Application” tab; for a general-purpose web server you can skip that tab.
- In the “Service/URL Category” tab, set the services to service-http and service-https if the web server has both an unencrypted and an encrypted site.
- On the “Actions” tab, set the “Action” to Allow and choose an appropriate profile setting. In this example the Profile Type was set to Group and the Group Profile was set to default.
- Click “OK” to return to the list of all of your rules.
- From the “Commit” menu near the top of the screen choose “Commit to Panorama”; when the commit finishes, from the same menu select “Push to Device”.
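Before committing, it is worth checking that the rule really matches the intent above (campus sources only, scoped to the server, web services only). The following is an added example of such a check, not part of this article or of Panorama; it models the rule as a plain dict mirroring the tabs above, and the CalVisitor list name and web server object name are assumed placeholders.

```python
"""Pre-commit sanity check for a 'campus only' Panorama security rule.

Added example, not part of the article or of Panorama. Object names other than
UCB-networks_no_visitor and L3_trusted are assumed placeholders.
"""

CAMPUS_LIST = "UCB-networks_no_visitor"       # shared list named in the article
VISITOR_LIST = "CalVisitor-networks"           # assumed name of the CalVisitor list
WEB_SERVICES = {"service-http", "service-https"}

def lint_campus_only_rule(rule):
    """Return findings (empty list = OK) for a rule meant to admit campus only."""
    findings = []
    sources = set(rule.get("source_address", []))
    if "any" in sources:
        findings.append("source address 'any': rule is not restricted to campus")
    elif CAMPUS_LIST not in sources:
        findings.append(f"source address does not use the shared list {CAMPUS_LIST}")
    if VISITOR_LIST in sources:
        findings.append("CalVisitor list present: visitor clients would be allowed")
    if rule.get("destination_zone") in (None, "any"):
        findings.append("destination zone unset or 'any': use the server's zone, e.g. L3_trusted")
    if "any" in rule.get("destination_address", []):
        findings.append("destination address 'any': scope the rule to the web server object")
    services = set(rule.get("service", []))
    if not services or "any" in services or not services <= WEB_SERVICES:
        findings.append("services should be only service-http and/or service-https")
    if rule.get("action") != "allow":
        findings.append("action is not allow")
    return findings

# Constructed sample rules: the article's rule, and a careless variant of it.
GOOD_RULE = {
    "name": "Campus only web server",
    "source_zone": ["any"],
    "source_address": [CAMPUS_LIST],
    "destination_zone": "L3_trusted",
    "destination_address": ["webserver-addr"],   # assumed address object name
    "application": ["any"],
    "service": ["service-http", "service-https"],
    "action": "allow",
}
BAD_RULE = dict(GOOD_RULE, name="Careless variant", source_address=["any", VISITOR_LIST],
                destination_zone="any", destination_address=["any"],
                service=["any"])

if __name__ == "__main__":
    for rule in (GOOD_RULE, BAD_RULE):
        print(rule["name"], lint_campus_only_rule(rule) or "OK")
```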
