CN-Series Prerequisites
Review the system requirements for deploying the CN-Series
within a cluster.
System Requirements for the Kubernetes Cluster
System requirements for the cluster in which you are
deploying the CN-Series firewall.
While the CPU, memory and disk storage will depend on your needs,
here are some guidelines:
Resource | CN-MGMT (StatefulSet Pod for Fault Tolerance) | CN-NGFW (DaemonSet Pod) |
---|---|---|
Memory (min) | 2Gi | 2Gi |
Memory (max) | 4Gi | 2.5Gi |
CPU (min) | 2 | 1 |
CPU (max) | None | None |
Disk | 52GiB | N.A. |
For 5G-Native Security,
the guidelines are:
Resource | CN-MGMT (StatefulSet Pod for Fault Tolerance) | CN-NGFW (DaemonSet Pod) |
---|---|---|
Memory | 16Gi | 48Gi |
CPU | 4 | 12 |
Disk | 52GiB | N.A. |
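
A pre-flight check built from the two guideline tables above, as an added example that is not part of the original page or of Palo Alto Networks' tooling. It assumes the table minimums are used as pod requests, that a node hosting a CN-MGMT pod also runs the CN-NGFW DaemonSet pod, and that node allocatable (ignoring other workloads) is the budget; `preflight`, `PROFILES` and the sample node names are hypothetical.

```python
import json

# Minimums (CPU cores, memory bytes) copied from the guideline tables above.
# Assumption: these minimums are what each pod requests from its node.
GI = 1024 ** 3
PROFILES = {
    "default": {"mgmt": (2, 2 * GI), "ngfw": (1, 2 * GI)},
    "5g": {"mgmt": (4, 16 * GI), "ngfw": (12, 48 * GI)},
}
_UNITS = {"Ki": 1024, "Mi": 1024**2, "Gi": GI, "Ti": 1024**4,
          "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_cpu(q):
    """Kubernetes CPU quantity ('2', '1930m') -> cores."""
    return int(q[:-1]) / 1000 if q.endswith("m") else float(q)

def parse_mem(q):
    """Kubernetes memory quantity ('8Gi', '16393292Ki', '4G') -> bytes."""
    for suffix in sorted(_UNITS, key=len, reverse=True):
        if q.endswith(suffix):
            return float(q[:-len(suffix)]) * _UNITS[suffix]
    return float(q)

def preflight(node_list, profile="default"):
    """Return (nodes too small for CN-NGFW, nodes that can also host CN-MGMT)."""
    mgmt_cpu, mgmt_mem = PROFILES[profile]["mgmt"]
    ngfw_cpu, ngfw_mem = PROFILES[profile]["ngfw"]
    too_small, mgmt_capable = [], []
    for node in node_list["items"]:
        name = node["metadata"]["name"]
        alloc = node["status"]["allocatable"]
        cpu, mem = parse_cpu(alloc["cpu"]), parse_mem(alloc["memory"])
        if cpu < ngfw_cpu or mem < ngfw_mem:
            too_small.append(name)  # the DaemonSet pod would not fit here
        elif cpu >= ngfw_cpu + mgmt_cpu and mem >= ngfw_mem + mgmt_mem:
            mgmt_capable.append(name)  # room for CN-NGFW plus one CN-MGMT pod
    return too_small, mgmt_capable

# Constructed sample in the shape of `kubectl get nodes -o json` (trimmed).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "node-a"}, "status": {"allocatable": {"cpu": "3920m", "memory": "15Gi"}}},
 {"metadata": {"name": "node-b"}, "status": {"allocatable": {"cpu": "1930m", "memory": "7000000Ki"}}},
 {"metadata": {"name": "node-c"}, "status": {"allocatable": {"cpu": "940m", "memory": "3Gi"}}}
]}""")

if __name__ == "__main__":
    print(preflight(SAMPLE))        # default guidelines
    print(preflight(SAMPLE, "5g"))  # 5G-Native Security guidelines
```

The check covers CPU and memory only; the 52GiB disk guideline for CN-MGMT is a persistent volume requirement and has to be verified against the cluster's storage separately.
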
- Kubernetes cluster running a supported Kubernetes version. See CN-Series Deployment—Supported Environments. If your cluster is on GKE, make sure to enable the Kubernetes Network Policy API to allow the cluster administrator to specify which pods are allowed to communicate with each other. This API is required for the CN-NGFW and CN-MGMT Pods to communicate.
- Container Images—4 docker files. See Components Required to Secure Kubernetes Clusters with CN-Series Firewall.
- YAML files for your environment. See Components Required to Secure Kubernetes Clusters with CN-Series Firewall.
- Panorama OS version 10.0.0 (minimum version). Panorama must be able to establish network connectivity with the Kubernetes cluster API server endpoint. In addition, you must add the ports that Panorama uses to fetch updates and communicate with the managed devices to an allow list. See Ports Used on Panorama.
- Kubernetes plugin on Panorama version 1.0.0 (minimum version)
For information on scaling, see CN-Series Supported Scale Factors. For
the supported environments, see CN-Series Deployment—Supported Environments and Secure 5G With the CN-Series Firewall.
System Requirements for On-Premises Kubernetes Deployments
Review the following prerequisites for your on-premises
deployments:
- Ensure that the container images are accessible to all nodes in the Kubernetes cluster.
- Set up a persistent volume within the cluster for both CN-MGMT pods. Because the CN-MGMT pods, which actively manage the CN-NGFW pods, are deployed as a StatefulSet, both instances must have access to the persistent volume.