Deploy CN-Series Firewalls With and Without the Helm Repository

Deploy CN-Series firewalls with Helm charts and templates.
The Helm repository contains charts and templates for deploying the Palo Alto Networks CN-Series containerized firewall using the Helm Package Manager for Kubernetes.
You can download CN-Series Helm Charts from GitHub.

Prepare to Use the Helm Charts and Templates

Install the required software. These instructions list the minimum versions, but you can install a later version in the same family unless an upper limit is specified.
  1. Deploy CN-Series firewall 10.1.x or 10.2.x container images.
  2. Install a Kubernetes version between 1.16 and 1.24 and create a Kubernetes cluster.
  3. Deploy Panorama in a location that is accessible from the Kubernetes cluster and the CN-Series firewall you use to secure the cluster.
    1. Ensure that the Panorama version supports the PAN-OS version of your deployment.
    2. Install the Panorama plugin for Kubernetes supported by your version of Panorama.

Deploy the CN-Series Firewall Using the Repository

Use this procedure to clone the repository and deploy from your local environment.
  1. Clone the repository from GitHub.
    $ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
  2. Change into a local directory for the cloned repository. For example:
    $ cd cn-series-helm
  3. Change to the subdirectory for your deployment.
    • Use the directory helm_cnv1 to deploy the CN-Series as a daemon set.
    • Use the directory helm_cnv2 to deploy CN-Series as a service.
    • Use the directory helm_cnv3 to deploy CN-Series as a CNF.
  4. Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv1 subdirectory.
    # The K8s environment
    # Valid deployTo tags are: [gke|eks|aks||native]
    # Valid multus tags are : [enable|disable] Keep the multus as enable for openshift and native deployments.
    cluster:
      deployTo: eks
      multus: disable

    # Panorama tags
    panorama:
      ip: "<Panorama-IP>"
      ip2:
      authKey: "<Panorama-auth-key>"
      deviceGroup: "<Panorama-device-group>"
      template: "<panorama-template-stack>"
      cgName: "<panorama-collector-group>"

    # MP container tags
    mp:
      initImage: gcr.io/pan-cn-series/pan_cn_mgmt_init
      initVersion: latest
      image: gcr.io/pan-cn-series/panos_cn_mgmt
      version: 10.2.3
      cpuLimit: 4

    # DP container tags
    dp:
      image: gcr.io/pan-cn-series/panos_cn_ngfw
      version: 10.2.3
      cpuLimit: 2

    # CNI container tags
    cni:
      image: gcr.io/pan-cn-series/pan_cni
      version: latest
  5. View the rendered YAML files.
    helm install --debug --generate-name helm_cnv1/ --dry-run
  6. Perform a lint check on the helm charts.
    helm lint helm_cnv1/
  7. Deploy the Helm charts.
    helm install <deployment-name> helm_cnv1
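
The following pre-install check is an added example, not part of the Palo Alto Networks repository or of this page's original procedure. It reads the helm_cnv1 values.yaml layout from step 4 and reports an invalid deployTo tag, multus left disabled on openshift or native, Panorama fields that are empty or still placeholders, and image versions set to latest (a mutable tag; flagging it is a hardening check added here, not a requirement stated on this page). The function names and the sample values are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-install check for the helm_cnv1 values.yaml layout.

# yaml_get FILE SECTION KEY: print one scalar (two-level layout only, not a YAML parser).
yaml_get() {
  awk -v s="$2" -v k="$3" '
    /^[^ #]/ { cur = $1; sub(/:.*/, "", cur) }
    cur == s && $1 == (k ":") {
      v = $0; sub(/^[^:]*:[ ]*/, "", v); gsub(/"/, "", v); print v; exit
    }' "$1"
}

# check_values FILE: print one finding per line; return 1 if any were found.
check_values() {
  f=$1; n=0
  deploy=$(yaml_get "$f" cluster deployTo)
  multus=$(yaml_get "$f" cluster multus)
  case "$deploy" in
    gke|eks|aks|openshift|native) ;;   # tags named on the page
    *) echo "cluster.deployTo: invalid value '$deploy'"; n=$((n+1)) ;;
  esac
  case "$deploy" in                    # page: keep multus enabled on these two
    openshift|native)
      [ "$multus" = enable ] || { echo "cluster.multus: must be enable for $deploy"; n=$((n+1)); } ;;
  esac
  for k in ip authKey deviceGroup template cgName; do
    v=$(yaml_get "$f" panorama "$k")
    case "$v" in ""|"<"*">") echo "panorama.$k: empty or placeholder"; n=$((n+1)) ;; esac
  done
  for k in mp.initVersion mp.version dp.version cni.version; do
    v=$(yaml_get "$f" "${k%%.*}" "${k#*.}")
    [ "$v" != latest ] || { echo "$k: mutable tag 'latest'"; n=$((n+1)); }
  done
  [ "$n" -eq 0 ]
}

# Constructed sample values (not a real deployment), trimmed to the checked keys.
sample_values() {
  printf '%s\n' 'cluster:' '  deployTo: native' '  multus: disable' \
    'panorama:' '  ip: "192.0.2.10"' '  ip2:' '  authKey: "<Panorama-auth-key>"' \
    '  deviceGroup: "dg1"' '  template: "ts1"' '  cgName: "cg1"' \
    'mp:' '  initVersion: latest' '  version: 10.2.3' \
    'dp:' '  version: 10.2.3' 'cni:' '  version: latest'
}

tmp=$(mktemp) && sample_values > "$tmp"
check_values "$tmp" || echo "fix the findings above before running helm install"
rm -f "$tmp"
```

To check a real file, call check_values with the path to helm_cnv1/values.yaml before step 5.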

Deploy the CN-Series Firewall Without the Repository

To deploy without cloning the repository, add the repository to your Helm client.
  1. Add the CN-Series repository to your local Helm client.
    Enter this command on a single line:
    $ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
    "cn-series" has been added to your repositories
  2. Confirm the repository has been added to your Helm client.
    $ helm search repo cn-series
  3. Select the Kubernetes cluster.
    $ kubectl config set-cluster NAME
  4. Deploy using the Helm chart repository. Edit the following command to include your configuration information.
    $ helm install <deployment-name> cn-series/cn-series \
      --set cluster.deployTo="gke|eks|aks|openshift" \
      --set panorama.ip="panorama hostname or ip" \
      --set panorama.ip2="panorama2 hostname or ip" \
      --set-string panorama.authKey="vm auth key" \
      --set panorama.deviceGroup="device group" \
      --set panorama.template="template stack" \
      --set panorama.cgName="collector group" \
      --set cni.image="container repo" \
      --set cni.version="container version" \
      --set mp.initImage="container repo" \
      --set mp.initVersion="container version" \
      --set mp.image="container repo" \
      --set mp.version="container version" \
      --set mp.cpuLimit="cpu max" \
      --set dp.image="container repo" \
      --set dp.version="container version" \
      --set dp.cpuLimit="cpu max"
