Palo Alto Firewall Integration with Cisco ACI Overview
Palo Alto Networks integration with Cisco ACI allows
you to insert a firewall between EPGs as a Layer 4 to Layer 7 service.
The firewall then secures the east-west traffic between the application
tiers within those EPGs or north-south traffic between users and
The figure below shows an example of a physical ACI deployment
that includes integrated Palo Alto Networks firewalls. All the entities
in the ACI fabric are connected to leaf switches, and those leaf
switches are connected to larger spine switches. As users access
the application, the ACI fabric moves the traffic to the correct
destination. To secure the traffic between the application tiers,
the network administrator inserts the Palo Alto Networks firewalls
as L4 to L7 services between each EPG and creates a service graph to
define what services the L4 to L7 device provides.
After the firewall services have been deployed, traffic to and from
the end users and each tier in the application flows logically as
shown below, regardless of where or how each entity is physically
connected to the network.
The following sections provide additional details about components
and concepts that make up the integration between the Next-Generation
Firewall and Cisco ACI.