Deploy the CN-Series from the AWS Marketplace

Where Can I Use This?
  • CN-Series Firewall deployment
What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with Helm
You can license your CN-Series Firewall as a Kubernetes Service deployed on AWS EKS through the AWS Marketplace. The CN-Series can be licensed for one month, one year, two years, or three years and deployed on EKS 1.19 and later or Red Hat OpenShift 4.7 and later.
This product is in Preview.
Using this license requires that you update the IAM policy attached to your Kubernetes worker node.
If you are using a PAYG license purchased through the AWS Marketplace for your CN-Series deployment, do not add an authorization code to the Panorama plugin for Kubernetes.
  1. Complete the following prerequisites.
    1. Create your EKS or Red Hat OpenShift cluster.
    2. Deploy Panorama and install the Kubernetes Plugin.
      Skip these steps if you already have a licensed Panorama instance deployed on AWS.
      1. Install Panorama on an Amazon EC2 instance.
      2. Once Panorama is installed, please email the CN-Series team at cn-series-aws-marketplace@paloaltonetworks.com to request a license for your Panorama. Please include your Full Name, Company Email, Company Name, Purchase Order Number, AWS Account Name, and AWS Account ID.
  2. Apply your serial number and license to Panorama.
    1. Log in to the Panorama web interface.
    2. Select Panorama > Setup > Management and click the edit icon.
    3. Enter the Panorama Serial Number (included in the order fulfillment email) and click OK.
    4. Select Panorama > Licenses.
    5. Click Activate feature using authorization code.
    6. Enter the firewall management license authorization code and click OK to activate the license.
    7. Verify the firewall management license is activated.
      The Device Management License section now appears displaying the date the license was issued, when the license expires, and a description of the firewall management license.
  3. Update your IAM policies and attach the policy to your Kubernetes worker node.
    1. Log in to the AWS Management Console and open the IAM console.
    2. Select Policies.
    3. From the list of policies, select AWSLicenseManagerConsumptionPolicy and AWSMarketplaceMeteringRegisterUsage.
    4. Select Actions and then choose Attach.
    5. Select your worker node identity to attach the policy to. After selecting the identity, click Attach policy.
  4. Download the plugin-serviceaccount.yaml and apply the yaml before deploying the Helm charts.
    kubectl apply -f plugin-serviceaccount.yaml
  5. Access the AWS Marketplace and locate the CN-Series for AWS Marketplace listing.
  6. Click Continue to Subscribe.
  7. Enter the number of licenses you want to purchase. Each license entitlement is equivalent to one vCPU used by your CN-Series deployment.
    Refer to CN-Series System Requirements and CN-Series Performance and Scaling for guidance on the number of vCPUs required to meet the needs of your deployment.
  8. Click Continue to Configuration. This adds the licenses to your AWS account.
    1. Select Helm Chart as the Fulfillment option.
    2. Select the latest version for Software version.
  9. Click Continue to Launch.
    1. Select your Launch target: Amazon-managed Kubernetes or Self-managed Kubernetes. Self-managed mode is deployed on Red Hat OpenShift.
    2. Follow the Launch Instruction displayed in the AWS Marketplace listing. The instructions differ depending on your launch target.
      • Amazon-managed Kubernetes
        1. Copy the commands from Step 1 of the Launch instructions.
        2. Update the copied commands to add your cluster name.
          --cluster <ENTER_YOUR_CLUSTER_NAME_HERE>
        3. Execute the copied command on your EKS cluster.
        4. Copy the Helm chart commands from Step 2 of the Launch instructions.
        5. Update the Helm install information to include your Panorama IP, Panorama auth key, device group name, template stack name, and collector group name. Set cluster.deployTo to eks.
          helm install cn-series-helm \
            --namespace kube-system ./awsmp-chart/* \
            --set serviceAccount.create=false \
            --set serviceAccount.name=my-service-account \
            --set cluster.deployTo=eks \
            --set panorama.ip=Panorama-IP \
            --set panorama.ip2=Panorama-IP2 \
            --set panorama.authKey=000xxxxxxxx \
            --set panorama.deviceGroup=Panorama-DG \
            --set panorama.template=Panorama-TS \
            --set panorama.cgName=Panorama-CG \
            --set imagePullSecrets=awsmp-image-pull-secret
        6. Execute the helm install command on your EKS cluster after updating the values listed above.
      • Self-managed Kubernetes
        1. Complete Step 1 in the Launch instructions to create a license token and IAM role.
        2. Copy the commands from Step 2 of the Launch instructions.
        3. Update the copied commands to add the token value.
          AWSMP_TOKEN=<CREATE_TOKEN_ABOVE>
        4. Execute the copied command on your OpenShift cluster.
        5. Copy the Helm chart commands from Step 3 of the Launch instructions.
        6. Update the Helm install information to include your Panorama IP, Panorama auth key, device group name, template stack name, and collector group name. Set cluster.deployTo to openshift.
          helm install cn-series-helm \
            --namespace kube-system ./awsmp-chart/* \
            --set serviceAccount.create=false \
            --set serviceAccount.name=my-service-account \
            --set cluster.deployTo=openshift \
            --set panorama.ip=Panorama-IP \
            --set panorama.ip2=Panorama-IP2 \
            --set panorama.authKey=000xxxxxxxx \
            --set panorama.deviceGroup=Panorama-DG \
            --set panorama.template=Panorama-TS \
            --set panorama.cgName=Panorama-CG \
            --set imagePullSecrets=awsmp-image-pull-secret
        7. Execute the helm install command on your OpenShift cluster after updating the values listed above.
  10. Verify that the license has been successfully added to your account.
    1. Navigate to the AWS License Manager.
    2. Select Granted Licenses and locate the CN-Series for AWS Marketplace listing.
    3. Under Entitlements, you can see the total number of licenses and the number of licenses consumed.
  11. Verify that the CN-Series firewalls appear in Panorama.
    1. Log in to Panorama.
    2. To view the CN-MGMT pods, select Panorama > Managed Devices > Summary.
    3. To verify that the CN-NGFW pods are licensed, select Panorama > Plugins > Kubernetes > License Usage and verify that each pod has been allocated a license token.
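
The helm install commands in step 9 pass the Panorama auth key with --set, which leaves it in shell history and in the process list while the command runs. As an added example (not from Palo Alto Networks or the AWS Marketplace listing), this shell helper checks the inputs and writes the same keys to a values file readable only by its owner. The function names are hypothetical, and the optional panorama.ip2 is left out.

```shell
#!/bin/sh
# Added example. Key names are those in the page's helm install command;
# function names are hypothetical.

# valid_target TARGET: succeeds only for the two values the page allows.
valid_target() {
  case "$1" in
    eks|openshift) return 0 ;;
    *) return 1 ;;
  esac
}

# write_values FILE TARGET PANORAMA_IP AUTH_KEY DEVICE_GROUP TEMPLATE CG_NAME
# Returns 2 for a bad target, 3 for an empty or unsafe value, 4 for a placeholder key.
write_values() {
  wv_out=$1 wv_target=$2 wv_ip=$3 wv_key=$4 wv_dg=$5 wv_ts=$6 wv_cg=$7
  valid_target "$wv_target" || { echo "deployTo must be eks or openshift" >&2; return 2; }
  for wv_v in "$wv_ip" "$wv_key" "$wv_dg" "$wv_ts" "$wv_cg"; do
    case "$wv_v" in
      ''|*'"'*|*'\'*) echo "empty value or YAML-unsafe character" >&2; return 3 ;;
    esac
  done
  # The page's sample key (000xxxxxxxx) and <...> markers are placeholders.
  case "$wv_key" in
    *xxxx*|*'<'*) echo "authKey is still a placeholder" >&2; return 4 ;;
  esac
  # Create the file owner-only; the subshell keeps the umask change local.
  ( umask 077
    cat > "$wv_out" <<EOF
serviceAccount:
  create: false
  name: my-service-account
cluster:
  deployTo: "$wv_target"
panorama:
  ip: "$wv_ip"
  authKey: "$wv_key"
  deviceGroup: "$wv_dg"
  template: "$wv_ts"
  cgName: "$wv_cg"
imagePullSecrets: awsmp-image-pull-secret
EOF
  )
  chmod 600 "$wv_out"   # also tightens a pre-existing file
}
```

Pass the resulting file to the install command with helm's -f option in place of the --set flags, and remove it once the release is installed.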
