Deploy the Firewall to Secure East-West Traffic in Network Policy Mode
The following procedure describes how to deploy a Palo Alto Networks firewall to secure east-west traffic in your Cisco ACI environment using unmanaged mode with policy-based redirect (PBR). This procedure assumes that you have completed the following:

- The firewalls are operational and connected to a leaf switch in your Cisco ACI environment. Additionally, the management interface of each firewall must be reachable by the APIC.
- The firewalls are deployed in active/passive HA mode. This procedure does not cover HA network setup and assumes you have completed it in advance.
To secure east-west traffic, define a bridge domain and subnet in the ACI fabric for the firewall. Configure contracts between EPGs that send traffic to the firewall using a PBR. The PBR forwards traffic to the firewall based on policy rules that contain the firewall IP and MAC address. The firewall interfaces are always in Layer 3 mode; traffic is received on the firewall and routed back to the ACI fabric. You can configure separate interfaces for the consumer and provider connections, or a single interface for both ingress and egress traffic. The procedure in this document uses a single interface because it simplifies the integration: you do not need to configure as many interfaces, IP addresses, or VLANs. However, when using a single interface, you cannot use zone information to define security policy, and you must modify the default intra-zone policy on the firewall to deny traffic.
This procedure deploys the firewall in one-arm mode. In one-arm mode, traffic enters and exits the firewall through a single interface. This common firewall interface is used for both the consumer and provider interfaces in the service graph template. Using a single interface simplifies integration with the firewall by reducing the number of IP addresses, VLANs, and interfaces that you must configure. However, a one-arm deployment model is intra-zone, so you cannot use zone information to define security policy.
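Because one interface carries both the consumer and provider sides of every redirected flow, source and destination always fall in the same firewall zone, and the PAN-OS built-in intrazone-default rule allows such traffic unless you change it. The following is an added example, not part of the original page, showing the PAN-OS CLI session that switches that default rule to deny with logging and then checks which rule a redirected EPG-to-EPG flow would match. The zone name aci-pbr, the hostname in the prompt, and the IP addresses are assumed values for illustration only.

```text
admin@firewall> configure
admin@firewall# set rulebase default-security-rules rules intrazone-default action deny
admin@firewall# set rulebase default-security-rules rules intrazone-default log-end yes
admin@firewall# commit
admin@firewall# exit
admin@firewall> test security-policy-match from aci-pbr to aci-pbr source 10.1.1.10 destination 10.1.2.10 protocol 6 destination-port 443
```

After the commit, the firewall fails closed for redirected traffic: every flow between EPGs must be permitted by an explicit security rule written on addresses, applications, and services rather than on zones, and the log-end setting makes sessions dropped by the default rule visible in the traffic log. The test command is the check to run before wiring contracts to the service graph; it reports the rule that the sample flow would hit, so you can confirm that intrazone-default is now the deny rule and that your explicit allow rules match only the flows you intend.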