Configure Your Firewall to Secure East-West Traffic
VM-Series


Set up your Palo Alto Networks firewall to secure east-west traffic in your Cisco ACI environment.
Where Can I Use This?
  • Cisco ACI
What Do I Need?
  • VM-Series plugin
  • Panorama
  • VM-Series licenses
  • Cisco ACI Fabric
  • Panorama plugin for Cisco ACI

Create a Virtual Router and Security Zone

  1. Log in to the firewall.
  2. Select Network > Virtual Routers and select Add.
  3. Give the virtual router a descriptive Name and select OK.
  4. Select Network > Zones and select Add.
  5. Give the zone a descriptive Name.
  6. Choose Layer 3 as the Type and select OK.
  7. Commit your changes.

Configure the Network Interfaces

Configure the Ethernet interfaces that connect the firewall to the ACI leaf switches. The VLAN ID used in this configuration should be a member of the VLAN pool assigned to the firewalls in ACI.
The VM-Series firewall does not support Aggregate Ethernet groups.
  1. Select Network > Interfaces > Ethernet and click Add Aggregate Group.
  2. Enter a number for the aggregate group in the second Interface Name field.
  3. Select Layer 3 from the Interface Type drop-down.
  4. Select the LACP tab and click Enable LACP.
  5. Select Fast as the Transmission Rate.
  6. Under High Availability Options, select Enable in HA Passive State.
    Don't select Same System MAC Address for Active-Passive HA. This option makes the firewall pair appear as a single device to the switch, so traffic will flow to both firewalls instead of just the active firewall.
  7. Click OK.
  8. Click on the name of an Ethernet interface to configure it and add it to the aggregate group.
    1. Select Aggregate Ethernet from the Interface Type drop-down.
    2. Select the interface you defined in the Aggregate Ethernet group configuration.
    3. Click OK.
    4. Repeat these steps for each remaining member interface of the Aggregate Ethernet group.
  9. Add a subinterface on the Aggregate Ethernet interface for the tenant and VRF.
    1. Select the row of your Aggregate Ethernet group and click Add Subinterface.
    2. In the second Interface Name field, enter a numerical suffix to identify the subinterface.
    3. In the Tag field, enter the VLAN tag of the subinterface.
    4. Select the virtual router you configured previously from the Virtual Router drop-down.
    5. Select the zone you configured previously from the Zone drop-down.
    6. Select the IPv4 tab.
    7. Select the Static Type.
    8. Click Add and enter the subinterface IP address and network mask in CIDR notation.
    9. Click OK.

Configure a Static Default Route

  1. Select Network > Virtual Routers and click on the virtual router you created previously in this procedure.
  2. Select Static Routes > IPv4 and select Add.
  3. Enter a descriptive Name.
  4. Enter 0.0.0.0/0 in the Destination field.
  5. From the Interface drop-down, select the Aggregate Ethernet group you created previously in this procedure.
  6. Select IP Address as the Next Hop type and enter the IP address of the next-hop router.
  7. Select OK.
  8. Select OK again.
  9. Commit your changes.

Create Address Objects for the EPGs

Define address objects and map them to Endpoint Groups (EPGs) so that they can be referenced in the security policy. Address objects are the simplest way to map each EPG to its group of servers by endpoint IP address range. Create one address object for each of your EPGs.
  1. Select Objects > Addresses and select Add.
  2. Enter a descriptive Name for your address object.
  3. In Type, select IP Netmask.
  4. Enter the IP netmask.
  5. Select OK.
    Repeat this process for each EPG.
  6. Commit your changes.

Create Security Policy Rules

Create security policy rules to control the traffic moving between your EPGs. By default, the firewall allows all intrazone traffic, and because all of your EPGs are in the same zone, that default rule allows all traffic between them. Before creating the new rules, change the default intrazone rule from allow to deny so that only the traffic you explicitly permit between EPGs is allowed.
  1. Select Policies > Security.
  2. Select the intrazone-default rule and go to the Actions tab.
  3. Select Deny from the Action drop-down and select OK.
  4. Configure additional security policy rules based on your needs using the address objects and zone you created for your EPG.
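The following is an added example, not part of the Palo Alto Networks documentation: a small policy-evaluation model that shows why the intrazone-default rule must be changed to deny when all EPGs share one Layer 3 zone. The EPG names, subnets and rules are constructed, and the model deliberately ignores applications and services, since the point here is only the rule order and the default action.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample address objects, one per EPG (Type: IP Netmask).
ADDRESS_OBJECTS = {
    "Web-EPG": ipaddress.ip_network("10.1.10.0/24"),
    "App-EPG": ipaddress.ip_network("10.1.20.0/24"),
    "DB-EPG": ipaddress.ip_network("10.1.30.0/24"),
}

@dataclass
class Rule:
    name: str
    src: str      # address object name, or "any"
    dst: str      # address object name, or "any"
    action: str   # "allow" or "deny"

# Constructed explicit east-west rules. All EPGs sit in the same zone,
# so any flow these rules do not match falls through to intrazone-default.
RULES = [
    Rule("Web-to-App", "Web-EPG", "App-EPG", "allow"),
    Rule("App-to-DB", "App-EPG", "DB-EPG", "allow"),
]

def _matches(obj, ip):
    return obj == "any" or ip in ADDRESS_OBJECTS[obj]

def evaluate(src_ip, dst_ip, rules=RULES, intrazone_default="allow"):
    """Return (rule_name, action) for a flow between two endpoints in one zone.
    The first matching explicit rule wins; otherwise intrazone-default applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            return rule.name, rule.action
    return "intrazone-default", intrazone_default

def east_west_matrix(intrazone_default):
    """Resulting action for every ordered EPG pair, using each EPG's first host."""
    hosts = {name: str(next(net.hosts())) for name, net in ADDRESS_OBJECTS.items()}
    return {(a, b): evaluate(hosts[a], hosts[b], intrazone_default=intrazone_default)[1]
            for a in hosts for b in hosts if a != b}

if __name__ == "__main__":
    # With the factory default (allow), every EPG can reach every other EPG,
    # including DB -> Web, which no explicit rule permits.
    for default in ("allow", "deny"):
        print(f"intrazone-default = {default}")
        for (src, dst), action in sorted(east_west_matrix(default).items()):
            print(f"  {src:>8} -> {dst:<8} {action}")
```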