Components of Cisco ACI Integration Using the Device Package

The following components are required to integrate the Palo Alto Networks firewall into your Cisco ACI environment using the Palo Alto Networks Device Package.
  • Panorama—Panorama is required to deploy security policy and objects on the firewall using the APIC. This document assumes that you are using Panorama. You can deploy the firewall without Panorama, in which case the APIC deploys the context (vsys), high availability, and network interface configuration to the firewall, but any security policy must be configured directly on the firewall.
    Panorama acts as a single point of connection between the APIC and the firewalls. Cisco ACI deploys security policy and objects from Panorama to its managed firewalls. The APIC sets device groups for firewalls based on the APIC configuration and then commits the device group configuration to the firewall, including security policy, NAT policy, threat profiles, and address objects.
    Cisco ACI integration supports physical and virtual versions of Panorama.
  • Palo Alto Networks Firewall—Cisco ACI integration supports physical firewall appliances and the VM-Series firewall for VMware ESXi (standalone version).
    Cisco ACI integration supports physical firewalls divided into contexts that the APIC manages as individual firewalls. On hardware-based firewalls, these contexts are the virtual systems (vsys) on the firewalls; each firewall is licensed to support a certain number of vsys instances. When deploying a multi-vsys firewall in ACI, you must configure a chassis manager in the tenant and assign it to the firewall service.
  • Cisco APIC—The APIC is your interface for managing your ACI environment. From here, you will create the firewall service, insert the firewall service between endpoint groups, and direct traffic to the firewall.
  • Device Package (Service Manager Mode only)—A device package enables and manages communication between the APIC and both Panorama and the firewalls. It allows you to configure high availability, networking, and interfaces for the firewall in the APIC and push that configuration to Panorama and the firewalls. Once deployed in ACI, you complete your security configuration through Panorama or the individual firewalls.
The Palo Alto Networks device package version 1.3 requires PAN-OS 8.0 and Cisco ACI 2.3.

