Register your CN-Series firewall auth code on the Palo
Alto Networks Customer Support Portal (CSP)
CN-Series firewall licensing is managed by
the Kubernetes plugin on Panorama. The CN-Series firewalls are licensed
based on the number of Kubernetes nodes you want to secure with
one token is allocated to each CN-NGFW pod that secures a Kubernetes
node. Node-based licensing provides you the flexibility of running
as many pods as you need on a node that is being secured with the CN-Series
firewall. Since the pods can move to the different nodes within
the cluster the actual throughput the firewall will need per node
can vary over time. Given the dynamic nature of Kubernetes, with
node-based licensing you do not need to predict your throughput
needs upfront. Your security administrator can provide an initial
estimate of the total number of nodes they want to protect, and
as your security needs increase, you can then purchase additional
tokens as required and add it to Panorama. The license bundle can
be CN-X-BASIC, CN-X-BND1, or CN-X-BND2.
The
basic bundle includes the firewall capacity license and support
entitlement.
Bundle 1 includes Threat Prevention and support
entitlement.
Bundle 2 includes Threat Prevention, URL Filtering,
DNS Service, and WildFire subscription and support entitlement.
For
more details on the licenses, see Subscriptions.
The page
refreshes to display the list of auth codes registered to your support account.
You can track the total number of CN-Series tokens you purchased
and the number of tokens that are still available for use against
each auth code. When all the available tokens are used, the auth
code does not display on the CN-Series Auth-Codes page. To view
all the assets that are deployed, select
Assets
Devices
.
Allocate CN-Series Tokens to Panorama
The CN-Series firewalls connect to Panorama
and retrieve the appropriate licenses based on the CN-Series license
bundle you purchased and registered on the CSP. If your Panorama
is not connected directly to the internet, you need to allocate
tokens to the Panorama on which you plan to install the Kubernetes plugin
and manage the CN-Series deployment, download this license file
from the CSP, and manually upload it to Panorama. This process allows
you to make sure that Panorama has the tokens to successfully the
license the CN-Series firewall instance on each node within the
Kubernetes cluster.
You must carefully plan the number
of tokens you want to allocate to Panorama. If you need to change
the number of tokens, you must redeploy the CN-Series firewalls.