Palo Alto Networks integration with Cisco ACI allows you to insert a firewall between EPGs as a Layer 4 to Layer 7 service. The firewall then secures the east-west traffic between the application tiers within those EPGs or north-south traffic between users and the applications.
The figure below shows an example of a physical ACI deployment that includes integrated Palo Alto Networks firewalls. All the entities in the figure are connected to leaf switches, and those leaf switches are connected to larger spine switches. As users access the application, the ACI fabric moves the traffic to the correct destination. To secure the traffic between the application tiers, the network administrator inserts the Palo Alto Networks firewalls as L4 to L7 services between each EPG and creates a service graph to define what services the L4 to L7 device provides.
After the firewall services have been deployed, traffic flows logically as shown below: traffic between the end users and each tier in the application passes through the firewall regardless of where or how each entity is physically connected to the network.
This section describes the supported platforms and features of a Cisco ACI deployment. Additionally, it describes the components of the Cisco ACI integration and how those components work together.
Components of Cisco ACI Integration Using a Device Package
The following components are required to integrate the Palo Alto Networks firewall into your Cisco ACI environment using the Palo Alto Networks Device Package.
Panorama—Panorama is required to deploy security policy and objects on the firewall using the APIC. This document assumes that you are using Panorama. You can deploy the firewall without Panorama and APIC will deploy the context (vsys), high availability, and network interface configuration to the firewall but any security policy must be configured directly on the firewall.
Panorama acts as a single point of connection between the APIC and the firewalls. Cisco ACI deploys security policy and objects from Panorama to its managed firewalls. The APIC creates device groups for firewalls based on the APIC configuration and then commits the device group configuration to the firewall, including security policy, NAT policy, threat profiles, and address objects.
Cisco ACI integration supports physical and virtual versions of Panorama.
Palo Alto Networks Firewall—Cisco ACI integration supports physical firewall appliances and the VM-Series firewall for VMware ESXi (standalone version).
Cisco ACI integration supports physical firewalls divided into contexts that the APIC manages as individual firewalls. On hardware-based firewalls, these contexts are the virtual systems (vsys) on the firewalls; each firewall is licensed to support a certain number of vsys instances. When deploying a multi-vsys firewall in ACI, you must configure a chassis manager in the tenant and assign it to the firewall service.
Cisco APIC—The APIC is your interface for managing your ACI environment. From here, you will create the firewall service, insert the firewall service between endpoint groups, and direct traffic to the firewall.
Device Package—A device package enables and manages communication between the APIC and Panorama and firewalls. It allows network and interface configuration to be done in APIC and pushed to Panorama and the firewalls. Once deployed in ACI, you complete your security configuration through Panorama or the individual firewalls.
The Palo Alto Networks device package version 1.3 requires PAN-OS 7.1 or later and Cisco ACI 2.3.
High Availability in Cisco ACI
Firewalls integrated into an ACI fabric support an active-passive high availability configuration. Any interface can be used for the HA link, including the HA1 and HA2 interfaces, management interfaces, or data interfaces. Additionally, the dedicated HA1 and HA2 interfaces can be directly connected between the firewalls for out-of-band HA, or use static EPG binding to connect in-band through the ACI switches.
Because virtual firewalls do not have dedicated HA ports, the management port is used as HA1 by default and the HA2 link must be specified.
HA on physical firewalls can be combined with a Link Aggregation/Virtual Port Channel to create redundant links between the firewalls and switches. This provides protection against a scenario where the active firewall is up but the link to the firewall or the leaf it connects to has failed. The firewall then switches to the redundant link and leaf node. Link aggregation supports static aggregation mode only; LACP is not currently supported.
Multi-Context Deployments
Cisco ACI integration supports physical firewalls divided into contexts that are managed by ACI as individual firewalls. On the firewall, these contexts are the virtual systems (vsys) on the firewalls and each firewall is licensed to support a certain number of vsys instances. When deploying a multi-vsys firewall in ACI, you must configure a chassis manager in the tenant and assign it to the firewall service.
Firewall Policy Based on Endpoint Group, Tenant, or Application
You can create firewall security policy that references Cisco ACI attributes such as EPG, tenant, and application profile through the use of dynamic address groups. When an endpoint is added to an EPG, the APIC notifies the firewall that a new endpoint has joined the EPG. The firewall then adds that endpoint's IP address to the corresponding dynamic address group.
To enable the use of dynamic address groups, you must enable Attachment Notifications on the Function Connectors in the tenant’s Service Graph on the APIC. Additionally, an endpoint must be in an EPG to see any EPG, tenant, or application profile tags on the firewall or Panorama.
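The following is an added example (not part of this document or of the Palo Alto Networks device package) for checking, from the firewall side, which registered endpoints a dynamic address group would match. It parses registered-IP data in the shape returned by the PAN-OS operational command `show object registered-ip all` and evaluates a dynamic address group match expression (quoted tags combined with and/or/not and parentheses) against it; the XML sample and the tag names are constructed, since the exact tag strings are assigned by the APIC.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: registered IPs with tags, as the firewall would report them
# after attachment notifications from the APIC. Tag names are hypothetical.
SAMPLE_XML = """<response status="success"><result>
<entry ip="10.1.10.11" from_agent="0" persistent="1"><tag><member>tenant-Acme</member><member>epg-web</member></tag></entry>
<entry ip="10.1.20.12" from_agent="0" persistent="1"><tag><member>tenant-Acme</member><member>epg-app</member></tag></entry>
<entry ip="10.1.30.13" from_agent="0" persistent="1"><tag><member>tenant-Acme</member><member>epg-db</member></tag></entry>
<entry ip="10.9.9.9" from_agent="0" persistent="1"><tag><member>epg-web</member></tag></entry>
</result></response>"""


def parse_registered_ips(xml_text):
    """Return {ip: set_of_tags} from registered-ip XML output."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): {m.text for m in e.findall("tag/member")} for e in root.iter("entry")}


def _tokenize(expr):
    tokens = re.findall(r"'[^']*'|\(|\)|\band\b|\bor\b|\bnot\b", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):  # reject anything not in the grammar
        raise ValueError(f"unsupported syntax in match expression: {expr!r}")
    return tokens


def _matches(tokens, tags):
    """Recursive-descent evaluation: or < and < not < (expr) | 'tag'."""
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():
        v = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take(); r = term(); v = v or r        # always consume the right side
        return v

    def term():
        v = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            take(); r = factor(); v = v and r
        return v

    def factor():
        t = take()
        if t == "not":
            return not factor()
        if t == "(":
            v = expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return v
        return t[1:-1] in tags                     # quoted tag literal

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in match expression")
    return result


def dag_members(match_expr, registered):
    """Sorted IPs whose registered tags satisfy the dynamic address group match expression."""
    tokens = _tokenize(match_expr)
    return sorted(ip for ip, tags in registered.items() if _matches(tokens, tags))
```

Comparing the result with the endpoints the APIC shows in the EPG is a quick way to confirm that attachment notifications are reaching the firewall.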
OSPF Route Peering with External Layer 3 Connections
Route peering is a Cisco ACI feature that enables an appliance such as a firewall to advertise its reachability through the ACI fabric. The Palo Alto Networks Device Package 1.3 supports OSPF route peering for external Layer 3 connections; external Layer 3 connections are configured in ACI using the Layer 3 Outside (L3Out) object.