Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

End-of-Life (EoL)

The following procedure describes how to deploy a Palo Alto Networks firewall to secure east-west traffic in your Cisco ACI environment using unmanaged mode with policy-based redirect (PBR). This procedure assumes that you have completed the following:
  • Firewalls are operational and connected to a leaf switch in your Cisco ACI environment. Additionally, the management interface of each firewall must be reachable by the APIC.
  • Firewalls are deployed in active/passive HA mode. This procedure does not cover HA network setup and assumes you have completed this in advance.
To secure east-west traffic, define a bridge domain and subnet in the ACI fabric for the firewall. Configure contracts between EPGs that send traffic to the firewall using PBR. The PBR forwards traffic to the firewall based on a policy containing the firewall’s IP and MAC address. The firewall interfaces are always in Layer 3 mode, and traffic is received and routed back to the ACI fabric. You can configure separate interfaces for consumer and provider connections or a single interface for ingress and egress traffic. The procedure in this document uses a single interface because it simplifies the integration; you do not need to configure as many interfaces, IP addresses, or VLANs. However, when using a single interface, you cannot use zone information in defining security policy, and you must modify the default intra-zone policy on the firewall to deny traffic.
This procedure deploys the firewall in one-arm mode. In one-arm mode, the traffic enters and exits the firewall through a single interface. This common firewall interface is used for both the consumer and provider interfaces in the service graph template. Using a single interface simplifies integration with the firewall by reducing the number of IP addresses, VLANs, and interfaces that you must configure. However, a one-arm deployment model is intrazone, so you cannot use zone information to define security policy.
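The reason the two paragraphs above insist on changing the default intra-zone policy is easiest to see in a small model of how a zone-based firewall picks a rule. The following Python is an added illustration, not Palo Alto Networks or Cisco code; the EPG subnets, zone name, rule names and flows are constructed for the example. It mimics the PAN-OS evaluation order (first matching explicit rule, otherwise the intrazone or interzone default, which ship as allow and deny respectively) and shows that in one-arm mode every PBR-redirected flow enters and leaves the same zone, so any east-west flow that matches no explicit rule is silently allowed until the intrazone default is set to deny:

```python
"""Model of security-policy evaluation on a one-arm (single-interface) firewall.

Added example, not Palo Alto Networks or Cisco code. Subnets, EPG names, the zone
name and the rule names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    from_zone: str          # "any" or a zone name
    to_zone: str
    sources: list           # list of ip_network
    destinations: list
    apps: set               # {"any"} or a set of App-IDs
    action: str             # "allow" or "deny"


@dataclass
class Flow:
    ingress_zone: str
    egress_zone: str
    src: str
    dst: str
    app: str


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    intrazone_default: str = "allow"   # PAN-OS factory default
    interzone_default: str = "deny"    # PAN-OS factory default


def _zone_ok(rule_zone, zone):
    return rule_zone == "any" or rule_zone == zone


def _net_ok(nets, addr):
    return any(ip_address(addr) in n for n in nets)


def evaluate(policy, flow):
    """Return (rule_name, action): first explicit match, else the matching default rule."""
    for r in policy.rules:
        if (_zone_ok(r.from_zone, flow.ingress_zone)
                and _zone_ok(r.to_zone, flow.egress_zone)
                and _net_ok(r.sources, flow.src)
                and _net_ok(r.destinations, flow.dst)
                and (r.apps == {"any"} or flow.app in r.apps)):
            return r.name, r.action
    # No explicit rule matched: the default that applies depends only on whether
    # ingress and egress zones are the same. In one-arm mode they always are.
    if flow.ingress_zone == flow.egress_zone:
        return "intrazone-default", policy.intrazone_default
    return "interzone-default", policy.interzone_default


# Constructed EPG subnets and the single zone holding the one-arm interface.
WEB_EPG = ip_network("10.1.1.0/24")
APP_EPG = ip_network("10.1.2.0/24")
DB_EPG = ip_network("10.1.3.0/24")
ONE_ARM_ZONE = "aci-pbr"


def one_arm_policy(intrazone_default):
    """One-arm rulebase: zones cannot express direction, so rules key on addresses."""
    return Policy(
        rules=[Rule("allow-web-to-app", ONE_ARM_ZONE, ONE_ARM_ZONE,
                    [WEB_EPG], [APP_EPG], {"web-browsing"}, "allow")],
        intrazone_default=intrazone_default,
    )


# Constructed flows, all redirected by PBR into the same zone on the firewall.
WEB_TO_APP_HTTP = Flow(ONE_ARM_ZONE, ONE_ARM_ZONE, "10.1.1.10", "10.1.2.20", "web-browsing")
APP_TO_WEB_HTTP = Flow(ONE_ARM_ZONE, ONE_ARM_ZONE, "10.1.2.20", "10.1.1.10", "web-browsing")
WEB_TO_DB_SSH = Flow(ONE_ARM_ZONE, ONE_ARM_ZONE, "10.1.1.10", "10.1.3.30", "ssh")


if __name__ == "__main__":
    for label, pol in (("factory default", one_arm_policy("allow")),
                       ("intrazone-default set to deny", one_arm_policy("deny"))):
        print(f"--- {label} ---")
        for f in (WEB_TO_APP_HTTP, APP_TO_WEB_HTTP, WEB_TO_DB_SSH):
            print(f"{f.src} -> {f.dst} {f.app}: {evaluate(pol, f)}")
```

With the factory default, the unwanted web-to-db SSH flow is allowed by `intrazone-default` because nothing distinguishes it from the flows you meant to permit; after the default is changed to deny, only the explicitly allowed flow passes, and the explicit rule has to carry the direction in its source and destination addresses because both zones are identical.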
On the firewall:
On the Cisco APIC: