Components of Cisco ACI Integration Using the Device Package
The following components are required to integrate the
Palo Alto Networks firewall into your Cisco ACI environment using
the Palo Alto Networks Device Package.
Panorama—Panorama is required to deploy security policy
and objects on the firewall using the APIC. This document assumes that
you are using Panorama. You can deploy the firewall without Panorama;
in that case, the APIC deploys the context (vsys), high availability, and
network interface configuration to the firewall, but any security
policy must be configured directly on the firewall.
Panorama acts as a single point of connection between the APIC and the firewalls.
Cisco ACI deploys security policy and objects from Panorama to its
managed firewalls. The APIC sets device groups for firewalls based
on the APIC configuration and then commits the device group configuration
to the firewall, including security policy, NAT policy, threat profiles,
and address objects.
Cisco ACI integration supports physical
and virtual versions of Panorama.
Palo Alto Networks Firewall—Cisco ACI integration supports physical
firewall appliances and the VM-Series firewall for VMware ESXi (standalone
Cisco ACI integration supports physical firewalls
divided into contexts that the APIC manages as individual firewalls.
On hardware-based firewalls, these contexts are the virtual systems
(vsys) on the firewalls; each firewall is licensed to support a
certain number of vsys instances. When deploying a multi-vsys firewall
in ACI, you must configure a chassis manager in the tenant and assign
it to the firewall service.
Cisco APIC—The APIC is your interface for managing your ACI environment.
From here, you will create the firewall service, insert the firewall
service between endpoint groups, and direct traffic to the firewall.
Device Package (Service Manager Mode only)—A device package
allows and manages communication between the APIC and both Panorama and
the firewalls. It allows you to configure high availability, networking,
and interfaces for the firewall in the APIC and push that configuration to
Panorama and the firewalls. Once the firewall is deployed in ACI, you complete
your security configuration through Panorama or the individual firewalls.
The Palo Alto Networks device package version 1.3 requires PAN-OS 8.0
and Cisco ACI 2.3.