The Palo Alto Networks CN-Series containerized firewall is the best-in-class next-generation firewall purpose built to secure the Kubernetes environments against modern application attacks and data exfiltration. The CN-Series firewall enables network security teams to gain full application (Layer-7) visibility into Kubernetes environments, dynamically scale network security without compromising DevOps agility, and align with the demands of modern DevOps teams to easily manage CN-Series.

CN-Series firewalls can be easily deployed using DevOps friendly tools including Helm charts and Terraform templates. CN-Series Firewalls can be managed from Panorama—the same management console as all Palo Alto Networks firewalls—giving network security teams a single pane of glass to manage their organizations’ overall network security posture.  It is recommended to deploy CN-Series firewall using Helm Charts for a seamless deployment experience. For more information, see Deploy the CN-Series Firewall Using HELM Chart


What's New

April 9, 2024 You can now configure software cut-through based offload on the CN-Series firewall. With the software cut-through based Intelligent Traffic Offload (ITO) service, the CN-Series firewall eliminates the tradeoff between network performance, security, and cost. The software cut-through based offload supports the GTP-U tunnel protocol. In the CN-Series, only the CN-Series as a Kubernetes CNF mode of deployment supports software cut-through based ITO. For more information, see Software Cut-through Based Offload on CN-Series Firewall .
December 5, 2023 CN-Series now supports OVN-Kubernetes Container Network Interface (CNI) plug-in on RedHat OpenShift version 4.13 and above, in the Kubernetes as a Service and DaemonSet mode of deployment.
November 2, 2023 Strata Logging Service can now collect log data from CN-Series firewall. When you purchase a Strata Logging Service license, all firewalls registered to your support account receive a Strata Logging Service license. 

IOT Security Support for CN-Series Firewall. 

CN-Series Hyperscale Security Fabric (HSF) now introduces dynamic routing through BGP and BGP over BFD protocols. 
June 2, 2023                                                                                                                    
CN-Series firewall with PAN-0S 10.1 version supports CN-Series firewall deployment on Alicloud ACK platform with Terway CNI to secure traffic between containers within the same cluster, as well as etween containers and other workload types such as virtual machines and bare-metal servers.
November 18, 2022 CN-Series Hyperscale Security Fabric (HSF) 1.0 is a cluster of containerized next-gen firewalls that deliver a highly scalable and resilient next-gen firewall solution for Mobile Service Providers deploying 5G networks.The CN-Series HSF solution offers hyper scalable with containerized NGFW, highly available and resilient, and eliminates external load balancer dependency: Provides ease of deployment and DevOps friendly environment that can be fully orchestrated through Panorama plugins. The CN-Series HSF solution is deployable in RedHat Openshift (On-premise) or AWS EKS public cloud managed Kubernetes environment.
December, 2021

You can license your CN-Series Firewall as a Kubernetes Service deployed on AWS EKS through the AWS Marketplace.  The CN-Series can be licensed for one month, one year, two years, or three years and deployed on EKS 1.19 and later or Redhat Openshift 4.7 and later.