Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Use network policy mode to deploy a firewall to secure the east-west traffic in Cisco ACI.
| Where Can I Use This? | What Do I Need? |
|---|---|
| VM-Series plugin, Panorama | VM-Series licenses, Cisco ACI Fabric, Panorama plugin for Cisco ACI |
In network policy mode, you integrate a pair of firewalls in high
availability (HA) into the east-west or north-south traffic by using a policy-based
redirect to a single logical HA interface. The firewall and ACI fabric are configured
separately and address objects on the firewall are mapped to EPGs in the ACI fabric.
You can use network policy mode to deploy a Palo Alto Networks firewall to
secure east-west or north-south traffic.
The following procedure describes how to deploy a Palo Alto Networks firewall to
secure east-west traffic in your Cisco ACI environment using the unmanaged mode with
policy-based redirect. This procedure assumes that you have completed the following:

- Firewalls are operational and connected to a leaf switch in your Cisco ACI
  environment. Additionally, the management interface of each firewall must be
  reachable by the APIC.
- Firewalls are deployed in active/passive HA mode. This procedure does not cover
  HA network setup and assumes you have completed this in advance.
To secure east-west traffic, define a bridge domain and subnet in the ACI fabric for the
firewall. Configure contracts between Endpoint Groups (EPGs) that send traffic to the
firewall using a policy-based redirect (PBR). The PBR forwards traffic to the firewall
based on the policy containing the firewall’s IP address and MAC address. The firewall
interfaces are always in Layer 3 mode and traffic is received and routed back to the ACI
fabric. You can configure separate interfaces for consumer and provider connections or a
single interface for ingress and egress traffic. The procedure in this document uses a
single interface because it simplifies the integration; you don't need to configure as
many interfaces, IP addresses, or VLANs. However, when using a single interface, you
can't use zone information in defining security policy and you must modify the default
intrazone policy on the firewall to deny traffic.
This procedure deploys the firewall in one-arm mode. In one-arm mode, the traffic enters and
exits the firewall through a single interface. This common firewall interface is used
for both the consumer and provider connectors in the service graph template. Using a single
interface simplifies integration with the firewall by reducing the number of IP
addresses, VLANs, and interfaces that you must configure. However, because every flow
enters and leaves through the same interface (and therefore the same zone), a one-arm
deployment is entirely intrazone: you can't use zone information to define Security
policy, and any flow not matched by an explicit rule falls through to the firewall's
default intrazone rule, which is why that rule must be changed to deny.
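The following is an added illustration, not code from the original document or from Palo Alto Networks. It models first-match evaluation of a one-arm rulebase with constructed EPG subnets (the EPG names, addresses and rules are hypothetical) to show why, when the default intrazone rule is left at allow, any east-west flow that no explicit rule names passes through the firewall, and why setting it to deny closes that gap:

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample: ACI EPGs and their subnets, mapped one-to-one onto
# firewall address objects of the same name (hypothetical values).
EPG_SUBNETS = {
    "web-epg": ip_network("10.1.10.0/24"),
    "app-epg": ip_network("10.1.20.0/24"),
    "db-epg": ip_network("10.1.30.0/24"),
}

# (name, source object, destination object, application, action)
Rule = Tuple[str, str, str, str, str]

RULES: List[Rule] = [
    ("web-to-app", "web-epg", "app-epg", "web-browsing", "allow"),
    ("app-to-db", "app-epg", "db-epg", "mysql", "allow"),
]


def epg_of(ip: str) -> Optional[str]:
    """Resolve an endpoint IP to the address object / EPG that contains it."""
    addr = ip_address(ip)
    return next((epg for epg, net in EPG_SUBNETS.items() if addr in net), None)


def evaluate(rules: List[Rule], intrazone_default: str,
             src_ip: str, dst_ip: str, app: str) -> Tuple[str, str]:
    """First-match evaluation of the explicit rulebase, then the implicit
    intrazone-default rule. In one-arm mode every PBR-redirected flow arrives
    and leaves on the same interface, so source and destination zone are always
    equal and the intrazone-default rule catches everything not named above."""
    src_obj, dst_obj = epg_of(src_ip), epg_of(dst_ip)
    for name, src, dst, rule_app, action in rules:
        if (src in ("any", src_obj) and dst in ("any", dst_obj)
                and rule_app in ("any", app)):
            return name, action
    return "intrazone-default", intrazone_default


if __name__ == "__main__":
    # web -> db over mysql is not permitted by any explicit rule.
    for default in ("allow", "deny"):
        print(default, evaluate(RULES, default, "10.1.10.5", "10.1.30.9", "mysql"))
```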
On the firewall:
On the Cisco APIC: