End-of-Life (EoL)

Firewall Policy Based on Endpoint Group, Tenant, or Application

You can create firewall security policy referencing Cisco ACI attributes such as EPG, tenants, and application profile through the use of dynamic address groups. When an endpoint is added to an EPG, the APIC notifies the firewall that a new endpoint has joined the EPG. The firewall then adds that endpoint’s IP address to the corresponding dynamic address group.
To enable the use of dynamic address groups, you must enable Attachment Notifications on the Function Connectors in the tenant’s Service Graph on the APIC. Additionally, an endpoint must be in an EPG for any EPG, tenant, or application profile tags to appear on the firewall. To use EPG, tenant, or application profile tags in dynamic address groups on Panorama, you must type the tags into the match criteria field manually; the tags are only suggested on the firewall, not on Panorama. After the dynamic address groups are attached to policy and pushed to the firewall(s), the IP addresses are mapped.
