Create an L4-L7 Service
Now that you have created your tenant with an application profile containing two EPGs, you must configure the firewall as a L4-L7 Service and insert that service between the EPGs. The firewall service then secures the traffic between the EPGs.
- Enter general information about the firewall.
- Right-click L4-L7 Devices and select Create L4-L7 Devices.
- Enter a Name for your firewall service.
- Select Firewall from the Service Type drop-down.
- Under Device Type, select Physical or Virtual depending on the firewall you deployed.
- Select the Physical or VMM Domain. This is the same domain you chose when creating the application profile.
- Under View, select Single Node for a single firewall or HA Node for firewalls in an HA pair.
- Select the Device Package.
- Select the Model of the firewall you deployed. The device package comes preset with several Palo Alto Networks firewall models.
- Set Context Aware to Multiple for multi-vsys deployments.
- Under Function Type, select GoThrough for L2 and GoTo for L3.
- Choose a connectivity mode for the APIC to device management connection. This setting defines how Cisco APIC connects to the firewall and Panorama management interfaces. Choose the setting most appropriate for your environment. If the management interfaces of the firewall and Panorama have not been added to an EPG, you would typically choose Out-Of-Band. Out-Of-Band management is recommended.
- Enter the login credentials for the firewall.
- Configure device 1 (the firewall).
- Enter the firewall management IP address and select HTTPS as the management port.
- (VM-Series only) Under VM, select the VM-Series firewall you deployed. All virtual machines connected to the ACI fabric are listed here.
- (Physical firewall only) Select a Chassis. This directs the firewall to create a new vsys and apply the configuration from the APIC there. Without a chassis selected, APIC applies its network configuration to vsys1 and potentially overrides any configuration that already exists on vsys1.
- Click the plus (+) icon under Device Interfaces to add your interfaces. For the VM-Series firewall, select ethernet 1/1 as the first data port and Network adapter 2 as the vNIC. vNIC Network adapter 1 is reserved for the firewall management port.
- For physical firewalls, in addition to selecting the ethernet port, you must also specify a path. The path is the physical port on a leaf switch that the firewall is connected to. This mapping was determined when you created your ACI Fabric and deployed your firewall.
- Configure the cluster. A cluster is a group of up to two identically configured L4-L7 devices. The firewall(s) within the cluster are called concrete devices.
- Enter the Management IP Address. This is the same IP address as device 1.
- Set the Management Port to HTTPS.
- Set the Device Manager to Panorama.
- Set the Cluster Interfaces. The cluster interfaces define which side of the firewall is internal and which side is external.
- Set the Type of the first interface to consumer (typically external) and give it a Name.
- Select a Concrete Interface from the drop-down. The interfaces in this list are the ones you defined when you configured the interfaces for device 1.
- Set the Type of the second interface to provider (typically internal) and give it a Name.
- Select a Concrete Interface from the drop-down.
- Click Next to proceed to the Basic Parameters tab.
- Configure the basic parameters of the firewall. In a single, non-HA firewall deployment, only the Basic Parameters under Device Settings are required. The parameters under All Parameters are optional.
- Expand the Device Settings folder.
- Click DNS Server (primary) and enter a Name in the Name column and an IP address in the Value column.
- Click Firewall Hostname and enter a hostname in the Value column. APIC automatically populates the Name column with hostname.
- Verify that your L4-L7 Device was deployed successfully.
- Select Tenants > <your-tenant> > L4-L7 Services > L4-L7 Devices and select the cluster you created.
- Under Configuration State, the Device State proceeds through several states including init, verificationPending, auditPending, and finally stable. If the Device State does not reach the stable state or shows any state not listed above, select Faults to determine the problem and follow the presented directions to resolve it.