CN-Series Prerequisites
Review the system requirements for deploying the CN-Series
within a cluster.
System Requirements for the Kubernetes Cluster
System requirements for the cluster in which you are
deploying the CN-Series firewall.
While the CPU, memory and disk storage will depend on your needs,
here are some guidelines:
Resource | CN-MGMT Small | CN-NGFW Small | CN-MGMT Medium | CN-NGFW Medium | CN-MGMT Large | CN-NGFW Large |
---|---|---|---|---|---|---|
Memory (Min) | 2Gi | | 2Gi | 6Gi | 4Gi | 48Gi |
CPU (Recommended Min) | 2 | 2 | 2 | 4 | 4 | 12 |
CPU (Max) | None | 31 | None | 31 | None | 31 |
Disk | 50GiB | N.A. | 50GiB | N.A. | 50GiB | N.A. |
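The following Python code is an added example, not taken from the CN-Series documentation. It checks the allocatable CPU and memory reported by `kubectl get nodes -o json` against the minimums in the table above. The node names and values in `SAMPLE` are constructed, and the blank CN-NGFW Small memory cell is left unchecked.

```python
import json

# (memory minimum in Gi, recommended minimum CPU), copied from the table above.
# The CN-NGFW Small memory cell is blank on the page, so it is None and skipped.
MINIMUMS = {
    "CN-MGMT Small": (2, 2), "CN-NGFW Small": (None, 2),
    "CN-MGMT Medium": (2, 2), "CN-NGFW Medium": (6, 4),
    "CN-MGMT Large": (4, 4), "CN-NGFW Large": (48, 12),
}

# Kubernetes quantity suffixes: binary first so "Mi" is matched before "M".
_SUFFIX = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
           "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def mem_bytes(quantity):
    """Convert a Kubernetes memory quantity such as '65806472Ki' to bytes."""
    for suffix, mult in _SUFFIX.items():
        if quantity.endswith(suffix):
            return int(float(quantity[:-len(suffix)]) * mult)
    return int(quantity)

def cpu_cores(quantity):
    """Convert a Kubernetes CPU quantity ('3920m' or '16') to cores."""
    return float(quantity[:-1]) / 1000 if quantity.endswith("m") else float(quantity)

def nodes_fitting(nodes_json, size):
    """Names of nodes whose allocatable resources meet the minimum for `size`.

    Allocatable is what the kubelet offers to pods after system reservations;
    it does not subtract what other pods on the node already request.
    """
    need_gi, need_cpu = MINIMUMS[size]
    fitting = []
    for node in json.loads(nodes_json)["items"]:
        alloc = node["status"]["allocatable"]
        if cpu_cores(alloc["cpu"]) < need_cpu:
            continue
        if need_gi is not None and mem_bytes(alloc["memory"]) < need_gi * 2**30:
            continue
        fitting.append(node["metadata"]["name"])
    return fitting

# Constructed sample in the shape of `kubectl get nodes -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "worker-a"},
     "status": {"allocatable": {"cpu": "15890m", "memory": "65806472Ki"}}},
    {"metadata": {"name": "worker-b"},  # 4-vCPU node: allocatable is below 4 cores
     "status": {"allocatable": {"cpu": "3920m", "memory": "15231Mi"}}},
]})
```

On a live cluster, pass the output of `kubectl get nodes -o json` in place of `SAMPLE`.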
For 5G-Native Security, the guidelines are:
Resource | CN-MGMT (StatefulSet Pod for Fault Tolerance) | CN-NGFW (DaemonSet Pod) |
---|---|---|
Memory | 16Gi | 48Gi |
CPU | 4 | 12 |
Disk | 52GiB | N.A. |
- Kubernetes cluster running a supported Kubernetes version. See CN-Series Deployment—Supported Environments. If your cluster is on GKE, make sure to enable the Kubernetes Network Policy API to allow the cluster administrator to specify which pods are allowed to communicate with each other. This API is required for the CN-NGFW and CN-MGMT Pods to communicate.
- Container Images—4 docker files. See Components Required to Secure Kubernetes Clusters with CN-Series Firewall.
- YAML files for your environment. See Components Required to Secure Kubernetes Clusters with CN-Series Firewall.
- Panorama OS version 10.1.0 (minimum version). Panorama must be able to establish network connectivity with the Kubernetes cluster API server endpoint. In addition, you must add the ports that Panorama uses to fetch updates and communicate with the managed devices to an allow list; see Ports Used on Panorama.
- Kubernetes plugin on Panorama version 1.0.0 (minimum version). Kubernetes plugin on Panorama version 2.0.0 (minimum version) is required to deploy the CN-Series as a Kubernetes service.
For information on scaling, see CN-Series Performance and Scaling. For the supported environments, see CN-Series Deployment—Supported Environments and Secure 5G With the CN-Series Firewall.
System Requirements for On-Premises Kubernetes Deployments
Review the following prerequisites for your on-premises
deployments:
- Ensure that the container images are accessible to all nodes in the Kubernetes cluster.
- Set up a persistent volume within the cluster for both CN-MGMT pods. Because the CN-MGMT pods, which actively manage the CN-NGFW pods, are deployed as a StatefulSet, both instances must have access to the persistent volume.
To get SSH access to your Rancher cluster, copy the content of the kubeconfig file to the location /.kube/config; only then can you run kubectl commands for your cluster. Also ensure that the Kubernetes command-line tool, kubectl, is installed on your system. For more information, see Install Tools.
For CN-Series with Rancher support, install Docker on the master node, an Ubuntu 18.0.4 LTS VM with 8 vCPUs, 32G of memory, and a minimum 200G disk. For more information, see Install Docker On Ubuntu 18.04.
For Ubuntu 18.0.4, update the kernel on the machines to the latest kernel using the following command:
sudo apt install linux-generic-hwe-18.04 -y