1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up a Firewall in Cisco ACI
    5. Integrate a Palo Alto Networks Firewall with Cisco ACI Using the Device Package
    6. Create a Tenant and Application Profile
    End-of-Life (EoL)

    Create a Tenant and Application Profile

    You must create a tenant to contain the application and firewall service. The tenant contains the virtual routing and forwarding (VRF) object, endpoint groups, and application profile.
    1. Create a tenant, VRF, and two bridge domain.
      1. Login to the APIC UI.
      2. Select
        Tenant
        Add Tenant
        .
      3. Enter a
        Name
         for your tenant.
      4. Enter a
        VRF Name
         for you VRF.
      5. Verify that
        Take me to this tenant when I click finish
         is checked.
      6. Click
        Submit
        . You will be redirected to
        Tenant
        <your-tenant>
        Networking
         where you will add bridge domains.
      7. Click and drag the bridge domain (BD) icon next to the icon of the VRF you named previously. This action opens the Create Bridge Domain window.
      8. Enter a
        Name
         for your bridge domain.
      9. Click
        Submit
        .
      10. Repeat steps g, h, and i for you second bridge domain.
    2. Create an Application Profile with two endpoint groups (EPG). Each EPG must correspond to one of the bridge domains you created previously.
      1. In the APIC UI, select
        Tenants
         and double click on the tenant you created previously.
      2. Right click on
        Application Profiles
         and select
        Create Application Profile
        .
      3. Enter a
        Name
         for you Application Profile.
      4. Click the plus (+) icon under EPGs to and EPG.
      5. Enter a
        Name
         for your EPG.
      6. Select a bridge domain.
      7. Select a domain for the EPG.
        If you choose a virtual domain (VMM), you do not need to provide any further information for the EPG. However, if you choose a physical domain, you need to specify a static path.
        The static path is the physical port on a leaf switch that the firewall is connected to. This mapping was determined when you created you ACI Fabric and deployed the firewall.
    3. Create a Device Manager. The device manager is your Panorama.
      1. Select
        L4-L7 Services
        .
      2. Right click
        Device Managers
         and select
        Create Device Manager
        .
      3. Enter a
        Name
         for the device manager.
      4. From the Device Manager Type drop-down, select the option that corresponds the with the Palo Alto Networks device package you installed.
      5. Click the plus (+) icon under Management and enter the management IP address of Panorama and port 443 because HTTPS is used to connect to Panorama.
      6. Click
        Update
        .
      7. Enter the username and password for Panorama.
      8. Click
        Submit
        .
    4. (Optional) Create a Chassis. A chassis is required to deploy multi-context firewalls (vsys). Without a chassis, the APIC always configures the default vsys (vsys1).
      1. Select
        L4-L7 Services
        .
      2. Right click
        Chassis
         and select
        Create Chassis
        .
      3. Enter a
        Name
         for the chassis.
      4. Enter a username and password and confirm the password.
      5. Enter the chassis host IP address and port.
        APIC never uses the username and password entered for the chassis, so the values entered are irrelevant but requested by the APIC. The chassis must exist and is set as the chassis for the firewall device. This instructs APIC to use a vsys other than the default vsys (vsys1).

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo