The figure below shows an example of a physical ACI deployment that includes integrated Palo Alto Networks firewalls. All the entities on the network are connected to leaf switches, and those leaf switches are connected to larger spine switches. As users access the application, the ACI fabric forwards the traffic to the correct destination. To secure the traffic between the application tiers, the network administrator inserts the Palo Alto Networks firewalls as L4 to L7 services between each EPG and creates a service graph that defines the services the L4 to L7 device provides.
Firewalls integrated into an ACI fabric support an active/passive high availability (HA) configuration. Any interface can be used for the HA link, including the dedicated HA1 and HA2 interfaces, the management interface, or data interfaces. The dedicated HA1 and HA2 interfaces can either be directly connected between the two firewalls (out-of-band HA) or connected in-band through the ACI leaf switches using static EPG binding.
On physical firewalls, HA can be combined with link aggregation (a virtual port channel, vPC, on the ACI side) to create redundant links between the firewalls and the leaf switches. This protects against the scenario where the active firewall is up but the link to the firewall, or the leaf switch it connects to, has failed: the firewall switches to the redundant link and leaf node. Link aggregation supports static aggregation mode only; LACP is not currently supported.
Cisco ACI integration supports physical firewalls divided into contexts that ACI manages as individual firewalls. On the firewall, these contexts are virtual systems (vsys), and each firewall is licensed to support a certain number of vsys instances. When deploying a multi-vsys firewall in ACI, you must configure a chassis manager in the tenant and assign it to the firewall service.
You can create firewall security policy that references Cisco ACI attributes such as EPG, tenant, and application profile through the use of dynamic address groups. When an endpoint is added to an EPG, the APIC notifies the firewall that a new endpoint has joined the EPG, and the firewall adds that endpoint's IP address to the corresponding dynamic address group. Because membership is derived from the registered tags rather than from static IP lists, a policy written against the group follows the endpoint as it joins or leaves the EPG, with no policy change on the firewall.
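The following is an added example, written for this page and not code from Palo Alto Networks or Cisco, that models the EPG-to-dynamic-address-group flow described above. It builds the User-ID XML API `register`/`unregister` payload that carries IP-to-tag mappings to the firewall, and evaluates dynamic address group match criteria in the PAN-OS style (quoted tags combined with `and`/`or` and parentheses) to compute group membership. The tag scheme (`tenant.X`, `ap.X`, `epg.X`), the group names, and the endpoint IP addresses are constructed assumptions for illustration; the real device package defines its own tag naming.

```python
import re
import xml.etree.ElementTree as ET

# Assumed tag scheme for this example: one tag per ACI attribute (tenant.X, ap.X, epg.X).
# The real device package decides which attributes become tags; these names are constructed.


def build_uid_message(action, ip_tags):
    """Build a User-ID XML API payload that registers or unregisters IP-to-tag
    mappings on the firewall. action is "register" or "unregister";
    ip_tags maps an IP address to the list of tags to apply to it."""
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    op = ET.SubElement(ET.SubElement(root, "payload"), action)
    for ip, tags in ip_tags.items():
        tag = ET.SubElement(ET.SubElement(op, "entry", ip=ip), "tag")
        for t in tags:
            ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


# Match criteria: single-quoted tags combined with and/or and parentheses.
_TOKEN = re.compile(r"'([^']*)'|\(|\)|\band\b|\bor\b")


def _tokenize(expr):
    tokens, pos = [], 0
    for m in _TOKEN.finditer(expr):
        if expr[pos:m.start()].strip():  # only whitespace may separate tokens
            raise ValueError(f"bad match expression near {expr[pos:m.start()]!r}")
        tokens.append(("tag", m.group(1)) if m.group(1) is not None else ("op", m.group(0)))
        pos = m.end()
    if expr[pos:].strip():
        raise ValueError(f"bad match expression near {expr[pos:]!r}")
    return tokens


class _Matcher:
    """Recursive-descent evaluator: or-expr := and-expr ('or' and-expr)*,
    and-expr := atom ('and' atom)*, atom := '(' or-expr ')' | 'tag'."""

    def __init__(self, expr, tags):
        self.toks, self.tags, self.i = _tokenize(expr), set(tags), 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def evaluate(self):
        value = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in match expression")
        return value

    def _or(self):
        value = self._and()
        while self._peek() == ("op", "or"):
            self._take()
            value = self._and() or value  # right side parsed first so its tokens are consumed
        return value

    def _and(self):
        value = self._atom()
        while self._peek() == ("op", "and"):
            self._take()
            value = self._atom() and value
        return value

    def _atom(self):
        tok = self._take()
        if tok == ("op", "("):
            value = self._or()
            if self._take() != ("op", ")"):
                raise ValueError("missing ')' in match expression")
            return value
        if tok is not None and tok[0] == "tag":
            return tok[1] in self.tags
        raise ValueError(f"unexpected token {tok!r} in match expression")


class DynamicAddressGroups:
    """Firewall-side view: registered IP-to-tag mappings plus named groups whose
    membership is recomputed from the match criteria on every lookup."""

    def __init__(self):
        self.ip_tags = {}  # ip -> set of tags learned from the APIC
        self.groups = {}   # group name -> match expression

    def define_group(self, name, match):
        _Matcher(match, ()).evaluate()  # reject malformed criteria up front
        self.groups[name] = match

    def register(self, ip, tags):
        """Handle an APIC 'endpoint joined EPG' notification: learn the tags."""
        self.ip_tags.setdefault(ip, set()).update(tags)
        return build_uid_message("register", {ip: list(tags)})

    def unregister(self, ip):
        """Handle an 'endpoint left' notification: drop every tag for the IP."""
        tags = self.ip_tags.pop(ip, set())
        return build_uid_message("unregister", {ip: sorted(tags)})

    def members(self, name):
        expr = self.groups[name]
        return sorted(ip for ip, tags in self.ip_tags.items() if _Matcher(expr, tags).evaluate())


if __name__ == "__main__":
    dag = DynamicAddressGroups()
    dag.define_group("ACI-Prod-Web", "'tenant.Prod' and 'epg.Web'")
    dag.define_group("ACI-Prod-App-Tiers", "'tenant.Prod' and ('epg.Web' or 'epg.App')")
    # Constructed endpoints: two in tenant Prod, one in tenant Dev that reuses the EPG name.
    dag.register("10.1.1.10", ["tenant.Prod", "ap.Shop", "epg.Web"])
    dag.register("10.1.2.20", ["tenant.Prod", "ap.Shop", "epg.App"])
    dag.register("10.9.9.9", ["tenant.Dev", "ap.Shop", "epg.Web"])
    print(dag.members("ACI-Prod-Web"))        # ['10.1.1.10']
    print(dag.members("ACI-Prod-App-Tiers"))  # ['10.1.1.10', '10.1.2.20']
    print(dag.unregister("10.1.1.10"))        # payload sent when the endpoint leaves the EPG
    print(dag.members("ACI-Prod-Web"))        # []
```

The third endpoint shows why the match criteria should combine the tenant with the EPG: an EPG named `Web` in tenant `Dev` carries the same `epg.Web` tag, and a group matching on `'epg.Web'` alone would silently admit it into the production policy.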
Route peering is a Cisco ACI feature that enables an appliance such as a firewall to advertise its reachability through the ACI fabric. Palo Alto Networks Device Package 1.3 supports OSPF route peering for external Layer 3 connections, which are configured in ACI using the Layer 3 Outside (L3Out) object.