Hello. I think we might need to agree on a baseline on how ACI operates, because it is a bit different to what we are used to in legacy route/switching behavior. 

Just so I understand, you say you have a BD, acting as the default gateway for some number of EPGs.  Ok, this implies a routed BD. 

Each EPG attached to use this routed BD will each have its own unique encap.  So let's say EPG-A has encap VLAN 900 and EPG-B has encap VLAN 902.  Both are in the subnet of (example) 192.168.1.0/24.  Now, let's say an EP in EPG-A needs to talk to an EP in EPG-B.  Let's ignore contracts for the moment, and assume policy allows this communication.  When the packet sourced from EP-A hits the leaf, the leaf will look at the destination MAC address.  If the MAC address is the MAC of the BD itself, this is an indication that the BD needs to route this packet.  If the d-MAC is anything else, it will know it needs to switch it. So, in our case, EP-A and EP-B are on the same subnet, but in different encaps (VLAN 900 and 902).  No problem, ACI does not use VLANs to forward and it will simply re-write the the 802.1q header on the outbound packet to be VLAN 902 and the packet will reach EP-B. 

So now, let's introduce the transparent firewall.  I think you want all traffic between EPG-A and EPG-B to traverse this firewall, right?  If so, the short answer is you would need to use a service graph to redirect traffic to this FW.  Otherwise the BD will handle forwarding and bypass the firewall altogether.  You cannot bridge two BDs together, so to speak.  You need an SG.  It can be unmanaged.  Look into using PBR as an option too.  You can PBR L2 redirect on later versions of ACI.  I forget when we added that, but probably not before ACI 3.2 or 4.0, but read release notes.