You must create a tenant to contain the application
and firewall service. The tenant contains the virtual routing and
forwarding (VRF) object, endpoint groups, and application profile.
Create a tenant, VRF, and two bridge domains.
Log in to the APIC UI.
for your tenant.
for your VRF.
Take me to this tenant when
I click finish
. You will be redirected
where you will add
Click and drag the bridge domain (BD) icon next to
the icon of the VRF you named previously. This action opens the
Create Bridge Domain window.
for your bridge
Repeat steps g, h, and i for your second bridge domain.
Create an Application Profile with two endpoint groups
(EPG). Each EPG must correspond to one of the bridge domains you
In the APIC UI, select
double click on the tenant you created previously.
Right click on
Create Application Profile
for your Application
Click the plus (+) icon under EPGs to add an EPG.
for your EPG.
Select a bridge domain.
Select a domain for the EPG.
If you choose a virtual domain (VMM), you do not need to
provide any further information for the EPG. However, if you choose
a physical domain, you need to specify a static path.
The static path is the physical port on a leaf switch that the firewall
is connected to. This mapping was determined when you created your
ACI Fabric and deployed the firewall.
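The tenant, VRF, bridge domains, application profile, and EPGs built in the UI steps above can also be expressed as one APIC object tree. The following is an added example, not part of the original procedure or of the Palo Alto Networks device package; it builds that tree and enforces the static-path rule for physical domains. All tenant, VRF, BD, EPG, domain, port, and VLAN names are constructed placeholders.

```python
import json

def build_tenant(tenant, vrf, bds, ap, epgs):
    """Return the APIC object tree for one tenant as a dict.

    epgs: dicts with name, bd, domain (a domain DN) and, for a
    physical domain, path (port DN) and encap.
    """
    for e in epgs:
        if e["bd"] not in bds:
            raise ValueError(f"EPG {e['name']}: unknown bridge domain {e['bd']}")
        # Rule from the procedure: a physical domain needs a static path,
        # a virtual (VMM) domain needs nothing further.
        physical = e["domain"].startswith("uni/phys-")
        if physical and not (e.get("path") and e.get("encap")):
            raise ValueError(f"EPG {e['name']}: physical domain needs a static path")
    children = [{"fvCtx": {"attributes": {"name": vrf}}}]
    for bd in bds:
        # Each bridge domain is tied to the VRF by name.
        children.append({"fvBD": {"attributes": {"name": bd}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]}})
    epg_objs = []
    for e in epgs:
        kids = [{"fvRsBd": {"attributes": {"tnFvBDName": e["bd"]}}},
                {"fvRsDomAtt": {"attributes": {"tDn": e["domain"]}}}]
        if e.get("path") and e.get("encap"):
            kids.append({"fvRsPathAtt": {"attributes": {
                "tDn": e["path"], "encap": e["encap"]}}})
        epg_objs.append({"fvAEPg": {"attributes": {"name": e["name"]},
                                    "children": kids}})
    children.append({"fvAp": {"attributes": {"name": ap}, "children": epg_objs}})
    return {"fvTenant": {"attributes": {"name": tenant}, "children": children}}

# Constructed sample values; none of these names come from the page.
SAMPLE_EPGS = [
    {"name": "epg-client", "bd": "bd-client",
     "domain": "uni/vmmp-VMware/dom-example-vmm"},
    {"name": "epg-server", "bd": "bd-server", "domain": "uni/phys-example-phys",
     "path": "topology/pod-1/paths-101/pathep-[eth1/10]", "encap": "vlan-100"},
]

if __name__ == "__main__":
    tree = build_tenant("fw-tenant", "fw-vrf", ["bd-client", "bd-server"],
                        "fw-ap", SAMPLE_EPGS)
    print(json.dumps(tree, indent=2))
```

The printed JSON is the body of an authenticated POST to /api/mo/uni.json on the APIC; the script itself never contacts the controller.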
Create a Device Manager. The device manager is your Panorama.
Create Device Manager
for the device
From the Device Manager Type drop-down, select the
option that corresponds with the Palo Alto Networks device package
Click the plus (+) icon under Management and enter
the management IP address of Panorama and port 443 because HTTPS
is used to connect to Panorama.
Enter the username and password for Panorama.
(Optional) Create a Chassis. A chassis is required to
deploy multi-context firewalls (vsys). Without a chassis, the APIC
always configures the default vsys (vsys1).
for the chassis.
Enter a username and password and confirm the password.
Enter the chassis host IP address and port.
APIC never uses the username and password entered for the
chassis, so the values entered are irrelevant but requested by the
APIC. The chassis must exist and is set as the chassis for the firewall
device. This instructs APIC to use a vsys other than the default