Panorama Plugins for Cisco ACI and Cisco TrustSec

🔌 Panorama Plugin for Cisco ACI

The Panorama plugin for Cisco ACI enables dynamic security policy enforcement within Cisco's Application Centric Infrastructure (ACI) by integrating Palo Alto Networks firewalls with Cisco's APIC controller. Key features include:

• Automatic retrieval of endpoint information from Cisco APIC, including tags and IP addresses.
• Creation of Dynamic Address Groups (DAGs) in Panorama based on ACI constructs such as Endpoint Groups (EPGs), application profiles, and tenants.
• Dynamic policy updates on firewalls as endpoints are added or removed in the ACI fabric.

This integration allows for consistent security policies across physical and virtual workloads, adapting automatically to changes in the ACI environment.

For more information, refer to the official documentation: Panorama Plugin for Cisco ACI

🔐 Panorama Plugin for Cisco TrustSec

The Panorama plugin for Cisco TrustSec facilitates integration between Palo Alto Networks firewalls and Cisco's TrustSec architecture, enabling identity-based security policies. Key functionalities include:

• Integration with Cisco Identity Services Engine (ISE) via pxGrid to retrieve Security Group Tags (SGTs).
• Mapping of SGTs to Dynamic Address Groups (DAGs) in Panorama.
• Enforcement of security policies based on user identity and group membership, rather than solely on IP addresses.

This integration enhances security by allowing policies to adapt dynamically to user roles and organizational changes.

For detailed guidance, refer to the official documentation: Panorama Plugin for Cisco TrustSec

⚙️ Implementation Steps

1. Install the appropriate plugin: Download and install the Cisco ACI or Cisco TrustSec plugin on Panorama.
2. Configure integration settings: Set up connections to Cisco APIC for ACI or Cisco ISE for TrustSec, providing necessary credentials and configurations.
3. Define Dynamic Address Groups (DAGs): Create DAGs in Panorama based on ACI constructs (e.g., EPGs) or TrustSec SGTs.
4. Apply security policies: Use the defined DAGs in security policy rules to enforce dynamic, identity-based access controls.

Ensure that Panorama and the plugins are compatible with your PAN-OS version. Refer to the compatibility matrix for details: VM-Series Plugin Compatibility