Hello. Because you say in your original question that you want this firewall to handle "Inter-Tenant/External communication", I interpret that as you want it to handle what we term "East-West" traffic, i.e. traffic between EPGs inside ACI, and you also want it to handle what we term "North-South" traffic, or traffic from EPGs to the outside world. With that in mind, my suggestion would be for you to investigate using PBR (Policy Based Redirect). With a design using PBR, you can have one firewall interface handle E-W and another interface on the same FW handle N-S. Or, if you prefer, you can have multiple FWs, each handling one role. I say one-interface, because I am referring to a 'one-armed' design, but you can opt for a traditional two-armed design too (especially if you are using NAT with that firewall). Or you can mix one-armed and two-armed on the same FW (different interfaces of course). There is a lot of flexibility depending on what your desired outcome is.
Anyway, have a look here for solid info on what you can do with PBR.
https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html