Configure Your Firewall to Secure North-South Traffic

Set up your Palo Alto Networks firewall to secure North-South traffic in your Cisco ACI environment.
Where Can I Use This?
  • Cisco ACI
What Do I Need?
  • VM-Series plugin
  • Panorama
  • VM-Series licenses
  • Cisco ACI Fabric
  • Panorama plugin for Cisco ACI

Create a Virtual Router and Security Zone for North-South Traffic

Create a virtual router and security zone on the firewall to match the tenant and VRF on ACI.
  1. Log in to the firewall.
  2. Select Network > Virtual Routers and click Add.
  3. Give the virtual router a descriptive Name.
  4. Click OK.
  5. Select Network > Zones and click Add.
  6. Give the zone a descriptive Name.
  7. Choose Layer 3 from the Type drop-down.
  8. Click OK.
  9. Commit your changes.

Configure the Network Interfaces

Configure the Aggregate Ethernet interface, its member interfaces, and the subinterface that your firewall uses to connect to the ACI leaf switches. If you are using a VM-Series firewall, use discrete interfaces instead of aggregate interfaces.
The VM-Series firewall does not support Aggregate Ethernet groups.
  1. Select Network > Interfaces > Ethernet and click Add Aggregate Group.
  2. Enter a number for the aggregate group in the second Interface Name field.
  3. Select Layer 3 from the Interface Type drop-down.
  4. Select the LACP tab and click Enable LACP.
  5. Select Fast as the Transmission Rate.
  6. Under High Availability Options, select Enable in HA Passive State.
    Do not select Same System MAC Address for Active-Passive HA. This option makes the firewall pair appear as a single device to the switch, so traffic will flow to both firewalls instead of just the active firewall.
  7. Click OK.
  8. Click on the name of an Ethernet interface to configure it and add it to the aggregate group.
    1. Select Aggregate Ethernet from the Interface Type drop-down.
    2. Select the interface you defined in the Aggregate Ethernet group configuration.
    3. Click OK.
    4. Repeat this step for each other member interface of the Aggregate Ethernet group.
  9. Add a subinterface on the Aggregate Ethernet interface for the tenant and VRF.
    1. Select the row of your Aggregate Ethernet group and click Add Subinterface.
    2. In the second Interface Name field, enter a numerical suffix to identify the subinterface.
    3. In the Tag field, enter the VLAN tag of the subinterface.
    4. Select the virtual router you configured previously from the Virtual Router drop-down.
    5. Select the zone you configured previously from the Zone drop-down.
    6. Select the IPv4 tab.
    7. Select the Static Type.
    8. Click Add and enter the subinterface IP address and network mask in CIDR notation.
    9. Click OK.

Configure Route Redistribution and OSPF

Configure route redistribution to make routing information from the firewall available to the external-facing routers attached to your leaf switches. Then configure OSPF on the firewall and assign a router-id, area number, and interface to form adjacencies.
  1. Configure route redistribution:
    1. Select Network > Virtual Routers and click on the virtual router you created earlier.
    2. Select Redistribution Profile > IPv4 > Add.
    3. Enter a descriptive Name for your redistribution profile.
    4. Enter a priority.
    5. For Redistribute, select Redist.
    6. Check connect and static under General Filters.
    7. Select OK.
  2. Configure OSPF:
    1. Select Network > Virtual Routers and click on the virtual router you created earlier.
    2. Select Router Settings > ECMP and select Enable.
    3. Select OSPF and choose Enable.
    4. Enter the OSPF Router ID.
    5. Under Area, click Add.
    6. Enter the Area ID. This value must match the value you assigned when you created the external routed network on the APIC. On the firewall, enter the Area ID value in dotted decimal form. For example, if you entered an Area ID of 10 in the APIC, the equivalent on the firewall is 0.0.0.10.
    7. Select Interface > Add.
    8. Enter the interface that connects to your external network EPG and click OK.
    9. Select Export Rules > Add.
    10. Select the Redistribution Profile you created above from the Name drop-down and click OK.
    11. Select Allow Redistribute Default Route.
    12. Select OK.
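The Area ID mismatch in step 6 is the detail most likely to keep the OSPF adjacency from forming: the APIC takes the 32-bit area as an integer, the firewall takes it in dotted-decimal form, and the two only agree after conversion. The following Python is an added example, not code from Palo Alto Networks or Cisco; it converts between the two forms (generalizing past the single 0.0.0.10 case in the text to any 32-bit area, e.g. 256 becomes 0.0.1.0) and runs a few pre-commit sanity checks on the values from steps 4 to 8 and from the subinterface configuration. The function names and the sample values are constructed for the example.

```python
import ipaddress


def apic_area_to_panos(area_id):
    """Convert an integer OSPF Area ID, as entered on the APIC, to the
    dotted-decimal form the firewall expects. An OSPF area ID is a 32-bit
    value, so this is the same as rendering the integer as an IPv4 address:
    10 -> 0.0.0.10, 256 -> 0.0.1.0."""
    if not 0 <= area_id <= 0xFFFFFFFF:
        raise ValueError("OSPF area ID out of 32-bit range: %r" % (area_id,))
    return str(ipaddress.IPv4Address(area_id))


def panos_area_to_apic(area):
    """Inverse conversion: dotted-decimal area string back to the integer."""
    return int(ipaddress.IPv4Address(area))


def normalize_area(value):
    """Accept an int, a decimal string ('10') or a dotted string ('0.0.0.10')
    and return the dotted-decimal form. Raises ValueError on junk."""
    if isinstance(value, int):
        return apic_area_to_panos(value)
    text = str(value).strip()
    if text.isdigit():
        return apic_area_to_panos(int(text))
    # IPv4Address validates the dotted form (four octets, each 0-255).
    return apic_area_to_panos(int(ipaddress.IPv4Address(text)))


def areas_match(apic_area, panos_area):
    """True when the APIC-side and firewall-side area IDs denote the same area."""
    return normalize_area(apic_area) == normalize_area(panos_area)


def check_ospf_interface(area_value, subinterface_cidr, router_id):
    """Pre-commit sanity checks for the OSPF procedure. Returns a list of
    problems; an empty list means the values are consistent."""
    problems = []
    try:
        normalize_area(area_value)
    except ValueError as exc:
        problems.append("area: %s" % exc)
    try:
        iface = ipaddress.ip_interface(subinterface_cidr)
        # The subinterface address must carry its mask (CIDR notation);
        # a bare host address parses as /32 and OSPF would never see the link.
        if iface.network.prefixlen == 32:
            problems.append("subinterface %s has no network mask" % subinterface_cidr)
    except ValueError:
        problems.append("subinterface address is not valid CIDR: %r" % (subinterface_cidr,))
    try:
        ipaddress.IPv4Address(router_id)
    except ValueError:
        problems.append("router-id is not dotted-decimal: %r" % (router_id,))
    return problems


if __name__ == "__main__":
    # Constructed sample values for a tenant subinterface (not from the page).
    print(apic_area_to_panos(10))                       # 0.0.0.10
    print(areas_match("10", "0.0.0.10"))                # True
    print(check_ospf_interface(10, "10.1.100.1/24", "10.1.100.1"))   # []
    print(check_ospf_interface(2 ** 32, "10.1.100.1", "not-an-ip"))  # three problems
```

Run the checker against the exact strings you intend to type into the APIC and the firewall before committing; an area that converts cleanly but does not match the APIC value shows up as `areas_match(...)` returning False rather than as a silent adjacency failure later.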

Configure NAT for External Connections

You only need to configure Network Address Translation (NAT) if the firewall has an external interface used for connecting to networks outside of your data center. If you do want to configure NAT, you can use this procedure to translate private IP addressing in your data center to public IP addressing outside. Begin setting up NAT by configuring destination address translation for traffic entering a server inside an EPG in your data center. Then configure a NAT policy that translates the source address of outbound traffic from any EPG to the external interface IP address.
  1. Configure address translation for traffic entering an EPG in your data center:
    1. Select Policies > NAT and click Add.
    2. Enter a descriptive Name for your NAT policy rule.
    3. Select Original Packet and click Add under Source Zone.
    4. Select the source zone from the drop-down.
    5. Select the destination zone from the Destination Zone drop-down.
    6. Select Any for the Source Address.
    7. Click Add under Destination Address and enter the external IP address.
    8. On the Translated Packet tab, select the Translation Type under Destination Address Translation.
    9. Select an address from the Translated Address drop-down.
    10. Click OK.
  2. Configure address translation for outbound traffic:
    1. Select Policies > NAT and click Add.
    2. Enter a descriptive Name for your outbound NAT policy.
    3. Select Original Packet and click Add under Source Zone.
    4. Select the zone that matches your ACI tenant and VRF.
    5. Select the external zone from the Destination Zone drop-down.
    6. On the Translated Packet tab, select the Translation Type under Source Address Translation.
    7. Enter additional required address information.
    8. Click OK.
  3. Commit your changes.
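The two rules above are easy to get subtly wrong (wrong zone pair, or an outbound rule that also swallows inbound traffic), so it helps to see how the rulebase is evaluated before committing. The following Python is an added example, not code from Palo Alto Networks; it is a deliberately small model of a top-down, first-match NAT rulebase with the two rules the procedure creates. Zone names, the published external IP (203.0.113.10), the server address (10.1.10.20) and the external interface IP (203.0.113.1) are constructed sample values. One assumption about the deployment is encoded in the inbound rule: the firewall matches NAT rules on pre-NAT addresses, so the destination zone of the inbound rule is the zone the public IP routes to (the external zone), not the tenant zone the server lives in.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                       # zone of the pre-NAT destination (route lookup)
    src: str                           # "any" or an address/CIDR
    dst: str                           # "any" or an address/CIDR
    translated_dst: Optional[str] = None   # destination NAT (inbound rule)
    translated_src: Optional[str] = None   # source NAT (outbound rule)


@dataclass
class Packet:
    from_zone: str
    to_zone: str                       # zone the original destination routes to
    src_ip: str
    dst_ip: str


def _addr_matches(spec, ip):
    """'any' matches everything; otherwise the IP must fall inside spec."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def apply_nat(rules, pkt):
    """Walk the rulebase top-down; the first matching rule is applied and the
    search stops, which is why rule order matters. Returns (rule name, packet)
    with the translated addresses, or (None, original packet) when no rule hits."""
    for rule in rules:
        if (rule.from_zone == pkt.from_zone and rule.to_zone == pkt.to_zone
                and _addr_matches(rule.src, pkt.src_ip)
                and _addr_matches(rule.dst, pkt.dst_ip)):
            return rule.name, Packet(
                pkt.from_zone, pkt.to_zone,
                rule.translated_src or pkt.src_ip,
                rule.translated_dst or pkt.dst_ip,
            )
    return None, pkt


# Constructed rulebase mirroring the two steps of the procedure.
TENANT_ZONE = "aci-tenant1"      # zone matching the ACI tenant and VRF
EXTERNAL_ZONE = "external"       # zone on the external-facing interface
RULES = [
    # Step 1: traffic entering an EPG. Source any, destination = the published
    # external IP; the destination is translated to the server inside the EPG.
    NatRule("inbound-dnat-web", EXTERNAL_ZONE, EXTERNAL_ZONE,
            src="any", dst="203.0.113.10", translated_dst="10.1.10.20"),
    # Step 2: outbound traffic from the tenant zone to the external zone,
    # source-translated to the external interface IP.
    NatRule("outbound-snat", TENANT_ZONE, EXTERNAL_ZONE,
            src="any", dst="any", translated_src="203.0.113.1"),
]


def inbound_example():
    """Client on the Internet reaching the published IP."""
    return apply_nat(RULES, Packet(EXTERNAL_ZONE, EXTERNAL_ZONE, "198.51.100.7", "203.0.113.10"))


def outbound_example():
    """Server in the EPG reaching out to the Internet."""
    return apply_nat(RULES, Packet(TENANT_ZONE, EXTERNAL_ZONE, "10.1.10.20", "198.51.100.7"))


def unpublished_example():
    """Traffic to an external IP with no inbound rule: nothing is translated."""
    return apply_nat(RULES, Packet(EXTERNAL_ZONE, EXTERNAL_ZONE, "198.51.100.7", "203.0.113.99"))


if __name__ == "__main__":
    for label, fn in (("inbound", inbound_example), ("outbound", outbound_example),
                      ("unpublished", unpublished_example)):
        name, out = fn()
        print("%-11s rule=%-17s src=%s dst=%s" % (label, name, out.src_ip, out.dst_ip))
```

The model ignores ports, service matching and the security policy that must still permit the post-NAT flow; it is only meant to make the zone pairs and the first-match ordering of the two rules visible before you commit them.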