CN-Series Prerequisites

Review the system requirements for deploying the CN-Series within a cluster.

System Requirements for the Kubernetes Cluster

The following are the system requirements for the cluster in which you deploy the CN-Series firewall.
CPU, memory, and disk storage depend on your needs; use these guidelines:

| Resource | CN-MGMT Small | CN-NGFW Small | CN-MGMT Medium | CN-NGFW Medium | CN-MGMT Large | CN-NGFW Large |
|---|---|---|---|---|---|---|
| Memory (Min) | 2Gi | 2Gi (DaemonSet); 2.5Gi (K8s Service) | 2Gi | 6Gi | 4Gi | 48Gi |
| CPU (Recommended Min) | 2 | 2 | 2 | 4 | 4 | 12 |
| CPU (Max) | None | 31 | None | 31 | None | 31 |
| Disk | 50GiB | N.A. | 50GiB | N.A. | 50GiB | N.A. |

For 5G-Native Security, the guidelines are:

| Resource | CN-MGMT (StatefulSet Pod for Fault Tolerance) | CN-NGFW (DaemonSet Pod) |
|---|---|---|
| Memory | 16Gi | 48Gi |
| CPU | 4 | 12 |
| Disk | 52GiB | N.A. |

  • Kubernetes cluster running a supported Kubernetes version. See CN-Series Deployment—Supported Environments.
    If your cluster is on GKE, make sure to enable the Kubernetes Network Policy API to allow the cluster administrator to specify which pods are allowed to communicate with each other. This API is required for the CN-NGFW and CN-MGMT Pods to communicate.
  • Panorama OS version 10.1.0 (minimum version)
    Panorama must be able to establish network connectivity with the Kubernetes cluster API server endpoint. In addition, you must add the ports that Panorama uses to fetch updates and communicate with the managed devices to an allow list; see Ports Used on Panorama.
  • Kubernetes plugin on Panorama version 1.0.0 (minimum version). Kubernetes plugin on Panorama version 2.0.0 (minimum version) is required to deploy the CN-Series as a Kubernetes service.
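
The sizing guidelines above can be checked against a cluster before deployment. The following is an added example, not part of the CN-Series documentation or tooling: it compares each node's allocatable CPU and memory, in the shape returned by `kubectl get nodes -o json`, with the minimums from the first table. The function names and the sample node data are assumptions constructed for illustration.

```python
import json

# Minimums from the sizing table on this page: (memory min, CPU recommended min).
# CN-NGFW Small uses the DaemonSet figure (2Gi); K8s Service mode needs 2.5Gi.
MINIMUMS = {
    ("CN-MGMT", "small"): ("2Gi", "2"),
    ("CN-NGFW", "small"): ("2Gi", "2"),
    ("CN-MGMT", "medium"): ("2Gi", "2"),
    ("CN-NGFW", "medium"): ("6Gi", "4"),
    ("CN-MGMT", "large"): ("4Gi", "4"),
    ("CN-NGFW", "large"): ("48Gi", "12"),
}
_SUFFIXES = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
             "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_quantity(q):
    """Convert a Kubernetes quantity ('48Gi', '7910m', '8') to a float."""
    q = q.strip()
    if q.endswith("m"):                      # milli-units, e.g. CPU millicores
        return float(q[:-1]) / 1000
    for suffix, factor in _SUFFIXES.items():
        if q.endswith(suffix):
            return float(q[:-len(suffix)]) * factor
    return float(q)

def nodes_too_small(nodes_json, pod, size):
    """Return {node_name: [reasons]} for nodes whose allocatable resources
    are below the page's minimum for the given pod type and size."""
    need_mem, need_cpu = MINIMUMS[(pod, size)]
    failures = {}
    for node in json.loads(nodes_json)["items"]:
        alloc = node["status"]["allocatable"]
        reasons = []
        if parse_quantity(alloc["memory"]) < parse_quantity(need_mem):
            reasons.append(f"memory {alloc['memory']} < {need_mem}")
        if parse_quantity(alloc["cpu"]) < parse_quantity(need_cpu):
            reasons.append(f"cpu {alloc['cpu']} < {need_cpu}")
        if reasons:
            failures[node["metadata"]["name"]] = reasons
    return failures

# Constructed sample in the shape of `kubectl get nodes -o json` (not real output).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "worker-a"},
     "status": {"allocatable": {"cpu": "15890m", "memory": "64285508Ki"}}},
    {"metadata": {"name": "worker-b"},
     "status": {"allocatable": {"cpu": "3920m", "memory": "7928204Ki"}}},
]})

if __name__ == "__main__":
    print(nodes_too_small(SAMPLE, "CN-NGFW", "large"))
```

Allocatable is a per-node total, so a node that passes this check can still be short of free capacity once other workloads are scheduled on it.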

System Requirements for On-Premises Kubernetes Deployments

Review the following prerequisites for your on-premises deployments:
  • Ensure that the container images are accessible to all nodes in the Kubernetes cluster.
  • Set up a persistent volume within the cluster for both CN-MGMT pods. Because the CN-MGMT pods, which actively manage the CN-NGFW pods, are deployed as a StatefulSet, both instances must have access to the persistent volume.
To get SSH access to your Rancher cluster, you must ensure that the content of the kubeconfig file is copied to the location /.kube/config; only then can you run kubectl commands for your cluster.
Also ensure that the Kubernetes command-line tool, kubectl, is installed on your system. For more information, see Install Tools.
For CN-Series with Rancher support, install Docker on the master node, an Ubuntu 18.0.4 LTS VM with 8 vCPUs, 32G of memory, and a minimum 200G disk. For more information, see Install Docker On Ubuntu 18.04.
For Ubuntu 18.0.4, update the kernel on the machines to the latest kernel using the following command:
sudo apt install linux-generic-hwe-18.04 -y
