Palo Alto Networks integration with Cisco ACI allows you to insert a firewall between EPGs as a Layer 4 to Layer 7 service. The firewall then secures the east-west traffic between the application tiers within those EPGs or north-south traffic between users and the applications.

The figure below shows an example of a physical ACI deployment that includes integrated Palo Alto Network firewalls. All the entities in the ACI Fabric are connected to leaf switches and those leaf switches are connected to larger spine switches. As users access the application, the ACI fabric moves the traffic to the correct destination. To secure the traffic between the application tiers, the network administrator inserts the Palo Alto Networks firewalls as L4 to L7 services between each EPG and creates a service graph to define what services the L4 to L7 device provides.

After the firewall services have been deployed, traffic now flows logically as shown below. Traffic to and from the end users and each tier in the application regardless of where or how each entity is physically connected to the network.

When the firewall is integrated with Cisco ACI, traffic is sent to the firewall with a policy-based redirect (PBR). Additionally, configuration of the firewall and configuration of the APIC are completely separate. Network policy mode does not rely on any other configuration integration between the firewall and the APIC, so it provides greater flexibility of configuration and deployment of the firewall.

For East-West traffic, define a bridge domain and subnet in the ACI fabric for the firewall. Configure contracts between EPGs that send traffic to the firewall using a PBR. The PBR forwards traffic to the firewall based on policy containg the firewall’s IP and MAC address. The firewall interfaces are always in Layer 3 mode and traffic is received and routed back to the ACI fabric. You can configure separate interfaces for consumer and provider connections or a single interface for ingress and egress traffic. The procedure in this document uses a single interface because it simplifies the integration; you do not need to configure as many interfaces, IP addresses, or VLANs. However, when using a single interface, you cannot uses zone information in defining security policy and you must modify the default intra-zone policy on the firewall to deny traffic.

For north-south traffic, you must use a dedicated policy called an L3Out. An L3Out contains the information required for the tenant to connect to external routing devices and access external networks. L3Out connections contain an external network EPG that represent the networks accessible through the L3Out policy. Just as the L3Out can group all external networks into a single EPG, you can use a vzAny object ACI to represent all EPGs in a VRF. Using a vzAny object simples the application of the outbound traffic contract because, whenever a new EPG is added to the VRF, the contract is automatically applied. In this scenario, the external network provides the contract and the vzAny object (all internal EPGs) consume it.

The following section provide additional details about components and concepts that make up the integration between the Next-Generation Firewall and Cisco ACI.