Deploy the Firewall to Secure East-West Traffic in Network
The following procedure describes how
to deploy a Palo Alto Networks firewall to secure east-west traffic
in the your Cisco ACI environment using unmanaged mode with policy-based
redirect. This procedure assumes that you have completed the following:
Firewalls are operational and connected to a leaf switch
in your Cisco ACI environment. Additionally, the management interface
of each firewall must be reachable by the APIC.
Firewalls are deployed in active/passive HA mode. This procedure
does not cover HA network setup and assumes you have completed this
To secure east-west traffic, define a bridge domain and subnet
in the ACI fabric for the firewall. Configure contracts between EPGs
that send traffic to the firewall using a PBR. The PBR forwards
traffic to the firewall based on policy containing the firewall’s
IP and MAC address. The firewall interfaces are always in Layer
3 mode and traffic is received and routed back to the ACI fabric.
You can configure separate interfaces for consumer and provider
connections or a single interface for ingress and egress traffic.
The procedure in this document uses a single interface because it
simplifies the integration; you do not need to configure as many
interfaces, IP addresses, or VLANs. However, when using a single
interface, you cannot uses zone information in defining security
policy and you must modify the default intra-zone policy on the
firewall to deny traffic.
This procedure deploys the firewall in one-arm mode. In one-arm
mode, the traffic enters and exits the firewall through a single
interface. This common firewall interface is used for both consumer
and provider interfaces in the service graph template. Using a single
interface simplifies integration with the firewall by reducing the
number IP addresses, VLANs, and interfaces that you must configure.
However, a one-arm deployment model is intrazone, so you cannot
use zone information to define security policy.