CN-Series firewall licensing is managed by the Kubernetes
plugin on Panorama. The CN-Series firewalls are licensed based on
the total number of vCPUs (cores) used by the CN-NGFW pods deployed
in your Kubernetes environment. One token is consumed for each vCPU
used by the CN-NGFW.
Use the Software NGFW Credit Estimator to
calculate the number of credits required for your deployment. The
Credit Estimator allows you to estimate the credits required to license
the firewalls and enable the security services needed to secure
Activate Credits—begin by activating
your credits. Once activated, you can apply credits from your credit
pool to a CN-Series deployment profile.
Create a CN-Series Deployment Profile—in the deployment
profile, you will specify the number of vCPUs that allocate to the
generate authcode. You will then use the authcode associated with
your CN-Series deployment profile to license the CN-Series firewalls
in your Kubernetes cluster. The deployment profile can be used to license
the CN-NGFW pods based on the number of vCPUs allocated. A single
authcode from a deployment profile can be used to license the CN-Series
across different Kubernetes environments, different clusters, or on
different Panorama instances.
In a CN-Series-as-a-Kubernetes-Service
deployment, if the number of CN-NGFW pods deployed in your environment
exceeds the number of allocated vCPUs, you have a 30-day grace period
to add more vCPUs to your deployment profile or delete enough CN-NGFW
pods. If you do not allocate additional vCPUs or delete unlicensed
pods within the 30-day grace period, all CN-Series firewalls in
your cluster will be delicensed.
When the CN-Series
is deployed as a DaemonSet, if the number of CN-NGFW pods deployed
exceeds the number of allocated vCPUs, you have a four-hour grace
period to add more vCPUs to your deployment profile or delete enough CN-NGFW
pods. If you do not allocate additional vCPUs or delete unlicensed pods
within the four-hour grace period, the unlicensed pods will stop
processing traffic. The already licensed pods remain licensed.
You also have the option to provision a virtual Panorama appliance when creating
your CN-Series deployment profile.
Manage Deployment Profiles—you can edit,
clone, or delete CN-Series deployment profiles based on the requirements
of your CN-Series deployment. Additionally, you can add or remove
subscriptions from the deployment profile after it has been created.
Licenses are applied to the CN-Series at the cluster level.
Individual CN-NGFW pods might appear as unlicensed; however, all pods
in the cluster are licensed until the entire cluster is delicensed.