Palo Alto Networks Firewall Integration with Cisco Application Centric Infrastructure (ACI)
Palo Alto Networks integration with Cisco Application Centric Infrastructure (ACI)
allows you to insert a firewall between Endpoint Groups (EPGs) as a Layer 4 to Layer
7 service. The firewall then secures the east-west traffic between the application
tiers within those EPGs or north-south traffic between users and the
applications.
The figure below shows an example of a physical ACI deployment that includes
integrated Palo Alto Networks firewalls. All the entities in the ACI fabric are
connected to leaf switches and those leaf switches are connected to larger spine
switches. As users access the application, the ACI fabric moves the traffic to the
correct destination. To secure the traffic between the application tiers, the
network administrator inserts the Palo Alto Networks firewalls as Layer 4 to Layer 7
services between each EPG and creates a service graph to define what services the
Layer 4 to Layer 7 firewall provides.
After you deploy the firewall services, traffic flows logically as shown below.
The firewall secures traffic to and from the end users and each tier in the
application, regardless of where or how each entity is physically connected to the
network.
When the firewall is integrated with Cisco ACI, traffic is sent to the firewall with
a policy-based redirect (PBR). Additionally, the configuration of the firewall and
configuration of the APIC are separate. Network policy mode does not rely on any
other configuration integration between the firewall and the APIC, so it provides
greater flexibility of configuration and deployment of the firewall.
For east-west traffic, define a bridge domain and subnet in the ACI fabric for the
firewall. Configure contracts between EPGs that send traffic to the firewall using a
PBR. The PBR forwards traffic to the firewall based on a policy containing the
firewall’s IP address and MAC address. The firewall interfaces are always in Layer 3
mode and traffic is received and routed back to the ACI fabric. You can configure
separate interfaces for consumer and provider connections or a single interface for
ingress and egress traffic. The procedure in this document uses a single interface
because it simplifies the integration; you don't need to configure as many
interfaces, IP addresses, or VLANs. However, when using a single interface, you
can't use zone information in defining security policy and you must modify the
default intrazone policy on the firewall to deny traffic.
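The reason the single-interface deployment needs the default intrazone rule changed is that every redirected flow enters and leaves the firewall in the same zone. The following added example (not Palo Alto Networks or Cisco code) is a simplified model of security-policy evaluation that shows this: the zone name `aci`, the EPG subnets, the rule fields and the flows are constructed for illustration.

```python
# Added example: simplified model of PAN-OS security-policy evaluation for a
# single-interface (same ingress and egress zone) PBR insertion. Zone names,
# subnets, rules and flows are constructed; this is not the firewall's engine.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    src: str      # source subnet (e.g. an EPG's subnet)
    dst: str      # destination subnet
    app: str      # App-ID name, or "any"
    action: str   # "allow" or "deny"


@dataclass
class Flow:
    ingress_zone: str
    egress_zone: str
    src_ip: str
    dst_ip: str
    app: str


def evaluate(rules, flow, intrazone_default="allow", interzone_default="deny"):
    """Return (rule_name, action): first matching explicit rule, otherwise the
    default intrazone rule (same zone in and out) or interzone rule."""
    for r in rules:
        if (r.from_zone == flow.ingress_zone and r.to_zone == flow.egress_zone
                and ip_address(flow.src_ip) in ip_network(r.src)
                and ip_address(flow.dst_ip) in ip_network(r.dst)
                and r.app in (flow.app, "any")):
            return r.name, r.action
    if flow.ingress_zone == flow.egress_zone:
        return "intrazone-default", intrazone_default
    return "interzone-default", interzone_default


# Single interface: both sides of every PBR-redirected flow are in zone "aci",
# so rules must be written on addresses/apps, and anything unmatched hits the
# intrazone default. Only the web-to-app tier path is explicitly allowed here.
SINGLE_IF_RULES = [
    Rule("web-to-app", "aci", "aci", "10.1.1.0/24", "10.1.2.0/24", "web-browsing", "allow"),
]


def check_single_interface(flow, hardened):
    """hardened=True models the intrazone default overridden to deny."""
    default = "deny" if hardened else "allow"
    return evaluate(SINGLE_IF_RULES, flow, intrazone_default=default)
```

An unmatched app-tier to database-tier flow is allowed by the factory intrazone default and denied once that default is overridden, while the explicit web-to-app rule still matches in both cases.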
For north-south traffic, you must use a dedicated policy called an L3Out. An L3Out
contains the information required for the tenant to connect to external routing
devices and access external networks. L3Out connections contain an external network
EPG that represents the networks accessible through the L3Out policy. Just as the
L3Out can group all external networks into a single EPG, you can use an ACI vzAny
object to represent all EPGs in a VRF. Using a vzAny object simplifies the application
of the outbound traffic contract because, whenever a new EPG is added to the VRF,
the contract is automatically applied. In this scenario, the external network
provides the contract and the vzAny object (all internal EPGs) consume it.
The following section provides additional details about the components and concepts
that make up the integration between the Next-Generation Firewall and Cisco ACI.
Service Graph Templates
Firewalls are deployed in Cisco ACI through service graphs. A service
graph allows you to integrate Layer 4 to Layer 7 devices, such as a firewall, into
the flow of traffic without the need for the Layer 4 to Layer 7 device to be the
default gateway for the servers in the ACI fabric.
Firewalls are represented in the ACI fabric as a Layer 4 to Layer 7 device that you
configure in the APIC as a device cluster. A single firewall or two firewalls
deployed as an HA pair are configured as a device cluster. Each device cluster has
one or more logical interfaces that describe the interface information of the device
cluster and map the path of the member firewall with a VLAN from the physical or
virtual machine monitor (VMM) domain.
Service graph templates define the firewall device cluster that you insert into the
traffic flow between EPGs. Additionally, the service graph template defines how the
firewall is integrated and the logical interfaces that are assigned to the consumer
and provider EPGs. After creating your service graph template, you assign it to EPGs
and contracts. Because the service graph template isn't tied to a specific EPG or
contract, you can reuse it between multiple EPGs. The APIC then deploys the service
graph template by connecting it to the bridge domain between EPGs.
Multi-Context Deployments
Cisco ACI integration supports physical firewalls divided into contexts that are
managed by ACI as individual firewalls. On the firewall, these contexts are the
virtual systems (vsys) on the firewalls and each firewall is licensed to support a
certain number of vsys instances. When deploying a multi-vsys firewall in ACI, you
must configure a chassis manager in the tenant and assign it to the firewall
service.