Secure Container Traffic in Private Cloud
Use Prisma AIRS AI Runtime: Network intercept to secure container traffic in private clouds.
This section shows how to configure Prisma AIRS AI Runtime: Network intercept to secure Kubernetes workloads—including containers and AI applications—in private cloud environments using a Panorama-managed firewall. Prisma AIRS AI Runtime: Network intercept supports Rosa OpenShift and Rancher.
This page also covers Panorama configurations to route traffic through Prisma AIRS AI Runtime: Network intercept.
If you have clusters in a private cloud, you can follow this workflow by applying the Helm chart and routing the traffic through Prisma AIRS AI Runtime: Network intercept.
For Panorama managed Prisma AIRS AI Runtime: Network intercept, you can apply the Prisma AIRS Helm chart without going through the deployment workflow on the Strata Cloud Manager.
The diagram shows how Prisma AIRS AI Runtime: Network intercept integrates with OpenShift using CNI chaining: it runs as a secondary CNI plugin alongside the cluster's primary CNI and redirects east-west container traffic through Panorama-managed firewalls for real-time, AI-driven inspection and policy enforcement.

Configure Panorama to Secure Kubernetes Clusters

Interfaces

  1. Navigate to Network > Interfaces.
  2. Set the Configuration Scope to your AI Runtime Security folder.
  3. Select Add Interface.
    • In the Ethernet tab, configure a Layer 3 interface for eth1/1 (trust).
    • Enter an Interface Name (create the interface for the eth1/1 (trust) interface).
    • Select the Layer3 Interface type.
    • In Logical Routers, select `lr-private` for eth1/1.
    • In Zone, select trust for eth1/1.
    • In the IPV4 address, select Static or DHCP Client type.
    • Enable IPV4 for eth1/1.
    • Select Advanced Settings Other Info.
    • Select a Management Profile or create a new one.
      In Administrative Management Services, enable HTTPS.
    • Click Add.

Zones

  1. Configure Zones (Network → Zones).
  2. Select Add Zone.
  3. Enter a Name.
  4. Select the Layer3 Interface type.
  5. In Interfaces, add the $eth1 interface for the trust zone.
  6. Select Save.

NAT Policy

Configure the NAT Policy for outbound traffic.
  1. Configure NAT policy for inbound traffic:
    1. Enter a Name indicating inbound traffic (for example, inbound-web).
    2. Original Packet:
      • In Source zones, click add and select trust zone.
    3. Destination:
      • Select trust destination zone.
      • Select any Interface.
      • In Addresses, click the add (+) icon and select the `app-vnet` and the Kubernetes pods CIDR you want to secure.
    4. Choose any Service.
    5. Translated Packet:
      • In Translation, select Source Address Only.
      • In Source Address Translation, select the Dynamic IP and Port translation type.
      • In Choice, select Interface Address.
      • In Interface, select eth1 (ethernet1/1).
      • In Choice, select an IP address.
    6. Select Save.

Logical Routers

Configure private logical routers.
  1. Navigate to Network → Logical Routers → Router Settings.
  2. Enter a Name indicating a private router (for example, lr-private).
  3. In Interfaces, select eth1(ethernet1/1) for lr-private route.
    Refer to the section on Interfaces to see how to configure the $eth1 interface.
  4. In Advanced Settings, select Edit to configure the IPv4 Static Routes for lr-private.
    1. Select Add Static Route and add the following routes:
    2. Application routing:
      1. Enter a Name (for example, app-vnet).
      2. In Destination, enter the CIDR address of your application.
      3. In the Next Hop:
        • For lr-private, in the IP Address field, enter the gateway IP address of the private interface.
    3. Default routing:
      1. Enter a Name.
      2. In Destination, enter 0.0.0.0/0.
      3. In the Next Hop:
        • For lr-private, in the IP Address field, enter the gateway IP address of the private interface.
      4. Select Add or Update.
  5. In Interface, select eth1(ethernet1/1) for lr-private.
  6. Select Add.
  7. Select Save.

Security Policy

  1. Add a security policy rule with an AI security profile attached to it.
  2. Set the security policy action to Allow.
  3. Select Commit → Commit and Push to push the policy configuration to the Prisma AIRS AI Runtime: Network intercept.

Install Kubernetes Cluster and Set Up Panorama

Install Kubernetes cluster and set up Panorama.
  1. Install the Kubernetes Plugin and Set up Panorama.
    Add Kubernetes cluster information to Panorama to ensure that the two can communicate with each other.
    Check the monitoring interval. The default interval at which Panorama polls the Kubernetes API server endpoint is 30 seconds.
    1. Navigate to Panorama → Plugins → Kubernetes → Setup → General.
    2. Select the Enable Monitoring checkbox.
    3. Click the gear icon to edit the Monitoring Interval and set a value between 30 and 300 seconds.
    4. Navigate to Panorama Plugins Kubernetes Setup Cluster, and Add Cluster.
      Don't add the same Kubernetes cluster to more than one Panorama appliance (single instance or HA pair), because the IP-address-to-tag mappings may then be registered inconsistently across the device groups.
    5. Enter a Name and the API Server Address.
      The API Server Address is the endpoint IP address of the cluster, which you can get from your Kubernetes deployment. Enter a name of up to 20 characters that uniquely identifies the cluster. You can't modify this name later because Panorama uses the cluster name when it creates tags for the pods, nodes, and services it discovers within the cluster. The API server address can be a hostname or an IP address:port number; you don't need to specify the port if you're using port 443, which is the default.
    6. Select the environment Type on which your cluster is deployed.
      The available options are AKS, EKS, GKE, Native Kubernetes, OpenShift, and Other.
    7. Upload the service account Credential that Panorama requires to communicate with the cluster. As described in the create service accounts for cluster authentication workflow, the filename for this service account is plugin-svc-acct.json.
      If you're uploading the service credential through the CLI or API, gzip the file and then base64-encode the compressed file before you upload or paste the contents into the Panorama CLI or API. These steps are not required if you're uploading the service credential file through the GUI.
    8. Click OK.
      You can leave the Label Filter and Label Selector configuration to be filled in later. This optional task enables you to retrieve any custom or user-defined labels for which you want Panorama to create tags.
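For the CLI/API upload path in step 7, the following script (added here; it is not from the Prisma AIRS or Panorama documentation) produces the gzip-then-base64 string and decodes it again to confirm the round trip before anything is pasted into Panorama. The file name plugin-svc-acct.json comes from the page; its contents are a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the Prisma AIRS docs: prepare the Kubernetes plugin
# service-account credential for upload through the Panorama CLI/API, which expects
# the file gzip-compressed and then base64-encoded (the GUI upload does not).
set -eu

WORKDIR="$(mktemp -d)"
CRED="$WORKDIR/plugin-svc-acct.json"

# Constructed sample credential. A real plugin-svc-acct.json comes from the
# service-account creation workflow and must be kept out of source control.
cat > "$CRED" <<'EOF'
{"cluster":"example-cluster","token":"PLACEHOLDER_TOKEN","ca":"PLACEHOLDER_CA"}
EOF

# gzip (without name/timestamp, so the output is reproducible), then base64 on a
# single line with no wrapping, so the string can be pasted into the CLI or API.
encode_credential() {
  gzip -c -n "$1" | base64 | tr -d '\n'
}

# Reverse the transformation and compare byte for byte with the original file;
# returns 0 only when the encoded string decodes back to exactly that file.
verify_encoded() {   # $1 = original file, $2 = encoded string
  printf '%s' "$2" | base64 -d | gzip -dc | cmp -s - "$1"
}

ENCODED="$(encode_credential "$CRED")"
if verify_encoded "$CRED" "$ENCODED"; then
  echo "credential encoded and round-trip verified (${#ENCODED} chars)"
else
  echo "round-trip check failed; do not upload" >&2
fi
```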

Apply Helm chart to Deploy Prisma AIRS AI Runtime: Network Intercept

This section covers how to install and configure the Helm chart to secure your Kubernetes applications based on the protection level.
  1. Clone the GitHub repository.
  2. The helm structure looks like:
    |____helm
         |____templates
         |____.helmignore
         |____Chart.yaml
         |____plugin-serviceaccount.yaml
         |____values.yaml
  3. Edit the `values.yaml` file as per your firewall deployment:
    • For a standalone firewall, update the endpoints value with the trust IP address of the standalone firewall.
    • For an active/passive firewall deployment, update the endpoints value with the trust interface IP address of the active-primary server.
      These changes are valid for OpenShift and Rancher.
    Here’s a sample `values.yaml` file:
    # Default values for ai-runtime-security.
    # This is a YAML-formatted file.
    # Declare variables to be passed into your templates.

    # Firewall trust interface IP Address for on-prem
    endpoints: 10.101.255.253

    # This is the PAN CNI image
    cniimage: gcr.io/pan-cn-series/airs/pan-cni:latest

    # This is the AI firewall trust CIDR and is an optional parameter.
    # Helps in reducing hops in East-West cluster traffic.
    fwtrustcidr: ""

    # Resource namespace name
    namespace: kube-system

    # This is the Kubernetes Cluster ID value ranging between 1 and 2048.
    clusterid: 1
  4. Install the helm chart with the following command:
    helm install ai-runtime-security helm --namespace kube-system --values helm/values.yaml
  5. Verify the Helm installation with the following command:
    # List all Helm releases
    helm list -A
    The output looks similar to:
    # Ensure the output shows your installation with details such as:
    NAME                 NAMESPACE    REVISION  UPDATED               STATUS    CHART                      APP VERSION
    ai-runtime-security  kube-system  1         2024-08-13 07:00 PDT  deployed  ai-runtime-security-0.1.0  11.2.2
  6. Check the pod status with the following command:
    kubectl get pods -A
    Verify that the result of the above command lists the pods with names similar to `pan-cni-*****`.
  7. Check the endpoint slices using the following command:
    kubectl get endpointslices -n kube-system | grep pan
    Confirm that the output shows an ILB IP address:
    NAME                    ADDRESSTYPE  PORTS  ENDPOINTS       AGE
    pan-ngfw-svc-endpoints  IPv4         6080   10.101.255.253  12h
    Ensure that the endpoint slice IP address points to the trust interface IP address of the firewall.
  8. Verify the Kubernetes resources were created properly:
    a. Check the service accounts:
       kubectl get serviceaccounts -n kube-system | grep pan
    b. Check the secrets:
       kubectl get secrets -n kube-system | grep pan
    c. Check the services:
       kubectl get svc -n kube-system | grep pan
    You should see resources like pan-cni-sa (service accounts), pan-plugin-user-secret (secrets), and pan-ngfw-svc (service).
  9. Annotate at the pod level in your application yaml so that the traffic from the pod is redirected to the Prisma AIRS AI Runtime: Network intercept for inspection.
    1. For VPC-level security, annotate the namespace using the command below:
      kubectl annotate namespace <namespace-to-be-annotated> paloaltonetworks.com/firewall=pan-fw
    2. In OpenShift, use the following command to annotate the app pod `yaml` file:
      kubectl annotate namespace <namespace-to-be-annotated> k8s.v1.cni.cncf.io/networks=pan-cni
    3. For namespace-level security with traffic steering inspection:
      kubectl annotate pods --all paloaltonetworks.com/subnetfirewall=ns-secure/bypassfirewall
    Annotate each pod, so the pods are moved to the "protected" state across all cloud environments.
    Restart the existing application pods after applying Helm and annotating the pods for all changes to take effect. This enables the firewall to inspect the pod traffic and secure the containers.
  10. For OpenShift, to make the `multus` plugin work, deploy "NetworkAttachmentDefinition" "pan-cni" in every app pod's namespace:
    kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
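As an added post-install check (not part of the page or the Helm chart), this script ties steps 3, 5 and 7 of the Helm procedure together: it reads the `endpoints` value from values.yaml and confirms that the pan-ngfw-svc-endpoints EndpointSlice advertises that same trust interface address on port 6080, which is the condition step 7 asks you to verify by eye. The values.yaml and kubectl output embedded here are constructed samples; the live inputs are the real file and the real kubectl output.

```shell
#!/bin/sh
# Added example, not part of the Prisma AIRS docs: confirm that the EndpointSlice
# created by the Helm chart points at the firewall trust IP declared in values.yaml.
set -eu

# Extract the `endpoints:` value from a values.yaml file (quotes optional, comment
# lines ignored, first match wins).
trust_ip_from_values() {
  sed -n 's/^[[:space:]]*endpoints:[[:space:]]*"*\([0-9.][0-9.]*\)"*.*$/\1/p' "$1" | head -n 1
}

# From `kubectl get endpointslices -n kube-system` output, print "<ENDPOINTS> <PORTS>"
# for the pan-ngfw-svc-endpoints row (columns: NAME ADDRESSTYPE PORTS ENDPOINTS AGE).
pan_slice_endpoint() {
  awk '$1 == "pan-ngfw-svc-endpoints" { print $4, $3 }'
}

# Return 0 when the slice address equals the trust IP and the port is 6080, else 1
# (also 1 when the slice is missing or values.yaml has no endpoints value).
check_slice() {   # $1 = values.yaml path, $2 = kubectl output text
  want_ip="$(trust_ip_from_values "$1")"
  got="$(printf '%s\n' "$2" | pan_slice_endpoint)"
  got_ip="${got%% *}"
  got_port="${got#* }"
  [ -n "$want_ip" ] && [ -n "$got" ] && [ "$got_ip" = "$want_ip" ] && [ "$got_port" = "6080" ]
}

# Constructed values.yaml mirroring the sample in this section.
VALUES="$(mktemp)"
printf '# Firewall trust interface IP Address for on-prem\nendpoints: 10.101.255.253\nnamespace: kube-system\n' > "$VALUES"

# Constructed kubectl output: one healthy slice and one pointing at the wrong address.
GOOD_OUTPUT='NAME                    ADDRESSTYPE  PORTS  ENDPOINTS       AGE
pan-ngfw-svc-endpoints  IPv4         6080   10.101.255.253  12h'
BAD_OUTPUT='NAME                    ADDRESSTYPE  PORTS  ENDPOINTS       AGE
pan-ngfw-svc-endpoints  IPv4         6080   10.0.0.10       12h'

if check_slice "$VALUES" "$GOOD_OUTPUT"; then echo "endpoint slice matches trust IP on 6080"; fi
if check_slice "$VALUES" "$BAD_OUTPUT"; then :; else echo "mismatch: re-check endpoints in values.yaml"; fi
# Live check: check_slice helm/values.yaml "$(kubectl get endpointslices -n kube-system)"
```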